Hello everyone! Welcome to pentestguy. In this post we will go through the Keeper HackTheBox walkthrough. Keeper is an easy Linux CTF machine available on HackTheBox. You can find the Keeper machine on the Hack The Box platform using this link.
For the Keeper machine walkthrough we are going to do the enumeration part first: port scanning, checking the services running on the open ports and looking for default credentials. Then we get into the system, grab the user flag and escalate to root on the machine.
Nmap Scan
nmap -sV -sC 10.10.X.X -oN nmap.output
Nmap scan report for 10.10.11.227
Host is up (0.33s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1123/tcp filtered murray
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We found the two most common ports open. Port 80 redirects to the subdomain tickets.keeper.htb.
We added an entry for this name to the hosts file and browsed to it, and found a web application, RT (Request Tracker) version 4.4.4.
As a first step we searched for known vulnerabilities in this particular version, but unfortunately could not find anything usable. We then looked up the default password for the web application.
With the default credentials root:password we were able to log in.
After looking around, we found another user in the user list (Admin -> Users), and that user's password was written in the comments section of the user's profile.
User flag
We tried SSH with the credentials lnorgaard:Welcome2023! and got the user flag.
ssh lnorgaard@10.10.11.227
Root flag
For privilege escalation, after basic manual enumeration and scripts like linpeas, we noticed a zip file named RT30000.zip in the user's home folder. We copied it to our local machine and unzipped it.
Unzipping gave us two files, KeePassDumpFull.dmp and passcodes.kdbx. After some research we found a CVE for KeePass 2.x that lets the master password be dumped from a memory dump of the KeePass process. You can use this repo to exploit it – https://github.com/vdohney/keepass-password-dumper
Before that, make sure keepass2 and the .NET 7 SDK are installed; the command is given below.
sudo apt install keepass2 dotnet-sdk-7.0
Copy KeePassDumpFull.dmp and passcodes.kdbx into the cloned repo and run the command given below.
dotnet run KeePassDumpFull.dmp
At the end of the output we found something interesting.
We tried it as the password but it didn't work, so we searched it on Google and got a slightly different result.
We tried that and it was our password. How? Open keepass2, open the .kdbx file in it, and when it asks for the password, provide the one we got from the Google search.
Inside the database we found a root entry, and its key is present in PuTTY .ppk format.
Save it as keeper.ppk and convert it to OpenSSH format using the following command.
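The real finding in this box is the artefact that was left behind: a KeePass vault zipped together with a memory dump of the KeePass process, which is exactly what the dumper above feeds on. The following Python script is an added example, not part of the original walkthrough or of the dumper repo; it audits a zip archive for vaults, memory dumps and private keys and raises a critical flag when a vault and a dump travel together. The sample archive it builds is constructed here to mirror RT30000.zip (member contents are dummy bytes).

```python
import io
import re
import zipfile

# File classes that should never sit together in a user's home directory or a
# stray archive: password-manager vaults, process memory dumps and private keys.
VAULT_RE = re.compile(r"\.kdbx?$", re.IGNORECASE)
DUMP_RE = re.compile(r"\.(dmp|mdmp|core)$", re.IGNORECASE)
KEY_RE = re.compile(r"(\.ppk$|(^|/)id_(rsa|ed25519|ecdsa|dsa)$)", re.IGNORECASE)

def classify(name):
    """Return the artifact class of a file name, or None if it is uninteresting."""
    if VAULT_RE.search(name):
        return "vault"
    if DUMP_RE.search(name):
        return "memory-dump"
    if KEY_RE.search(name):
        return "private-key"
    return None

def audit_archive(data):
    """Report sensitive members of a zip archive (bytes). 'critical' is set when a
    vault and a memory dump travel together: the dump can leak the master password."""
    found = {"vault": [], "memory-dump": [], "private-key": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = classify(info.filename)
            if kind is not None:
                found[kind].append(info.filename)
    found["critical"] = bool(found["vault"] and found["memory-dump"])
    return found

def build_sample_archive():
    """Constructed stand-in for RT30000.zip; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("KeePassDumpFull.dmp", b"MDMP" + b"\x00" * 16)
        zf.writestr("passcodes.kdbx", b"\x03\xd9\xa2\x9a" + b"\x00" * 16)
        zf.writestr("notes.txt", b"nothing sensitive here")
    return buf.getvalue()

if __name__ == "__main__":
    report = audit_archive(build_sample_archive())
    print(report)
    if report["critical"]:
        print("CRITICAL: vault bundled with a memory dump; rotate the master password")
```

Point it at real archives by reading their bytes into audit_archive; a hit on the critical flag means the vault's master password should be treated as exposed and rotated, regardless of whether the dump has been processed yet.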
puttygen keeper.ppk -O private-openssh -o id_rsa
Change the permissions of the newly created id_rsa file and SSH in as the root user.
chmod 600 id_rsa
ssh root@10.10.11.227 -i id_rsa
If you found this post helpful, please share it with your co-workers and friends. Leave a comment and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!