Keeper Write-up
When your Danish dessert compromises the entire system
INTRODUCTION
Keeper is an easy machine on the HackTheBox website. To gain initial access, we need to exploit a vulnerability on the Request Tracker web service. Once we find an SSH user credential, we can access the server and important files that contain the root password. This last step may seem challenging initially, but it will be easier if you are from Europe.
ENUMERATION
First, check the server’s open ports. You can do this by using the Nmap program.
#nmap command
nmap -sVC -v -Pn -oN keeper-nmap keeper.htb
#nmap response
Host is up (0.21s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let’s investigate port 80.
This page shows us what to do next. We click on the link to go to the request tracker login page. We quickly find out from Google that the login page has default login details: root : password.
On the admin page, we found a message regarding someone else’s keepass. Further investigation revealed our second finding — the user’s login information: lnorgaard : Welcome2023!
INITIAL ACCESS
Our enumeration showed that only ports 22 and 80 are open, so we try the recovered credentials against the SSH service. They work, giving us a shell on the server without any reverse shell or exploit. This is a plain information disclosure: a working credential left in a ticket. From here we can also read the user flag.
PRIVILEGE ESCALATION
In the lnorgaard home directory we have two important files — KeePassDumpFull.dmp and passcodes.kdbx. We download both to our machine and install the keepass2 program.
We have two files and the keepass2 binary, but we don’t know what to do with them. Some research online led us to CVE-2023-32784, which allows most of the master password to be recovered from a KeePass process memory dump such as KeePassDumpFull.dmp. However, when we attempted to recover the password, the result was incomplete: **dgr*d med fl*de.
NOTE: I spent a long time searching Google and the hackthebox forum until one comment brought me hope again. The main password we need is “rødgrød med fløde”, a Danish recipe.
The character ‘ø’ is why the recovery from the dump was incomplete before. With the full phrase we can open passcodes.kdbx in keepass2 using this password.
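An added illustration (not code from the write-up) of why the dump came back with gaps: .NET keeps strings as UTF-16LE, so ‘ø’ is a perfectly valid two-byte unit in memory, but a recovery routine that only accepts printable ASCII candidates (an assumption, consistent with the output above) blanks it, and the first character is never leaked by this bug at all.

```python
# Added example, not code from the write-up or from KeePass. It models why a
# master password containing 'ø' came back as "**dgr*d med fl*de" when the
# leftover characters were read out of the KeePass (.NET) memory dump.
# Assumption (consistent with the output shown, not stated by the page):
# the recovery routine only accepted printable ASCII candidates.

# KeePass masks typed characters with U+25CF (BLACK CIRCLE). .NET stores
# strings as UTF-16LE, so every BMP character, ASCII or not, is two bytes.
PLACEHOLDER = "\u25cf".encode("utf-16-le")   # bytes cf 25


def utf16_units(text: str) -> list[bytes]:
    """UTF-16LE code unit for each character of `text`."""
    return [ch.encode("utf-16-le") for ch in text]


def is_ascii_candidate(ch: str) -> bool:
    """A printable ASCII character: what a naive filter would keep."""
    return ch.isascii() and ch.isprintable()


def ascii_only_view(password: str, mask: str = "*") -> str:
    """Reproduce what an ASCII-only recovery routine would display.

    Position 0 is always masked: the first character is typed before any
    placeholder string exists, so CVE-2023-32784 never leaks it. Every
    other position is shown only if its character passes the ASCII filter.
    """
    return "".join(
        mask if i == 0 or not is_ascii_candidate(ch) else ch
        for i, ch in enumerate(password)
    )


def gaps(password: str) -> list[tuple[int, str, bytes]]:
    """Positions an ASCII-only routine would blank, together with the
    UTF-16LE bytes that were actually sitting in memory at that position."""
    return [
        (i, ch, ch.encode("utf-16-le"))
        for i, ch in enumerate(password)
        if i == 0 or not is_ascii_candidate(ch)
    ]


if __name__ == "__main__":
    phrase = "rødgrød med fløde"      # the phrase from the write-up
    print(ascii_only_view(phrase))    # **dgr*d med fl*de
    for pos, ch, raw in gaps(phrase):
        print(f"position {pos}: {ch!r} = {raw.hex()}")
```

The non-ASCII character narrowed what this particular recovery showed but did not protect the database; the underlying leak was fixed in KeePass 2.54, so the defensive fix is updating, not choosing a harder alphabet.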
Opening the database, we find an entry holding the PuTTY PPK private key for the root user.
We can either log in with PuTTY directly or convert the PPK to a private-openssh key and then log in as root over ssh. For the second option, first use the puttygen binary to convert the file.
Now we can obtain our root flag in the root directory.
CONCLUSION
This machine seemed relatively easy initially, but it became more challenging in the final step when the incomplete dump revealed a Danish phrase. This experience provides valuable lessons in misconfiguration, default credentials, and information disclosure. I hope you find this walkthrough enjoyable. If you do, please consider hitting the clapping button and following to stay updated on future posts.
Thank you for reading, and I’ll see you soon.