HTB: Keeper
Keeper is an easy HTB machine which mimics a helpdesk. I get initial access with default credentials. With that I find a comment which reveals a password that I use to log in to SSH. I then use an exploit on the KeePass dump file, which gives the root PuTTY SSH key.
Initial enumeration
I start with an nmap scan: sudo nmap -sVC -v 10.10.11.227 -oN nmap/all
It shows ports 22, 80 and 8000 open.
Port 8000
SimpleHTTPServer seems to be running on port 8000, and files are listed on the page.
Users flag
Here it shows the users flag!
I download the other files to my Linux machine; the passcodes.kdbx and KeePassDumpFull.dmp files stand out (the RT30000.zip file also contains these files).
I tried to use keepass2john to bruteforce it, but got no results.
I didn’t have KeePass yet, so I downloaded it from https://keepassxc.org/
For now I wanted to continue exploring the other ports.
Port 80
The web page shows the following:
I add tickets.keeper.htb to my /etc/hosts file.
It displays the following page:
After trying some default usernames and passwords, it lets me in with root:password.
At the users page, it shows two users.
Initial password
On lnorgaard’s user page, there is a comment that shows an initial password.
Shell as lnorgaard
I try to connect via ssh and it works!
ls -la shows that lnorgaard’s home directory is the same directory that the Python HTTP server on port 8000 is serving.
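A defender-side check for the exposure seen here, added as an example and not part of the original writeup: a Python script that walks a directory before it is served over HTTP and flags KeePass databases, process dumps and private keys by their leading bytes rather than by extension. The function names and sample files are constructed for illustration, the dump is assumed to be in Windows minidump format, and the key signatures go beyond the files found on this box.

```python
import os
import tempfile

# Leading bytes of file types that should never sit in a served directory.
SIGNATURES = [
    (bytes.fromhex("03d9a29a67fb4bb5"), "KeePass 2.x database (KDBX)"),
    (b"MDMP", "Windows minidump (process memory)"),
    (b"PuTTY-User-Key-File-", "PuTTY private key"),
    (b"-----BEGIN OPENSSH PRIVATE KEY-----", "OpenSSH private key"),
]

def classify(path):
    """Return a label if the file starts with a known signature, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return None  # unreadable file: skip it rather than abort the audit
    for sig, label in SIGNATURES:
        if head.startswith(sig):
            return label
    return None

def audit(root):
    """Walk root and return sorted (relative path, label) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                findings.append((os.path.relpath(full, root), label))
    return sorted(findings)

def demo():
    """Audit a constructed directory; sample bytes are made up, not the box's files."""
    samples = {
        "backup.bin": bytes.fromhex("03d9a29a67fb4bb5") + b"\x00" * 8,  # renamed KDBX
        "KeePassDumpFull.dmp": b"MDMP" + b"\x00" * 28,
        "notes.txt": b"nothing sensitive here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit(root)

if __name__ == "__main__":
    for rel, label in demo():
        print(f"{rel}: {label}")
```

Calling audit() on the real directory before starting the HTTP server lists anything that should be moved out first.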
Shell as root
After looking online for what I could do with a KeePassDumpFull.dmp file, I stumbled upon the following GitHub script:
https://github.com/CMEPW/keepass-dump-masterkey
After googling, it showed this Danish dish.
With that in hand, I managed to unlock the database file!
I downloaded PuTTY for Linux: sudo apt install putty
Copied the notes to a file named putty_key
Then I use puttygen with -O private-openssh to specify the output type.
I then use ssh with the new_ssh_key to connect as root.
And I successfully found the root flag!