Keeper
Gaining Access
Nmap scan:
We can start proxying traffic through Burpsuite.
Web Enumeration -> SSH Creds
Visiting the website itself shows a domain we need to add:
After adding it to the /etc/hosts file, it brings us to a login page:
The website was running Best Practical Request Tracker (RT) 4.4.4, which is quite outdated. A bit of research reveals that root:password is the default password, which works here:
There is 1 ticket present, and it's an issue regarding Keepass (with the box name being an obvious hint).
The attachment has been removed. There's also mention of another user named lnorgaard. When we use the Admin panel to view all Users, there's a password located within the user's comments:
Using these creds, we can ssh in as the user:
Privilege Escalation
Keepass Dump -> CVE-2023-32784
Within the user's directory, there's one zip file present:
Within it is the .dmp file for the Keepass client mentioned in the ticket earlier. I searched for Keepass exploits for 2023, and found this one:
This exploit allows us to get passwords from Keepass dump files, and there is one PoC for it:
We can clone the repository and clean it up a bit. Afterwards, use scp to transfer the file out:
Then, in order to run the binary, I had to change the dependencies from net7.0 to net6.0 within the .csproj file:
Afterwards, we can use dotnet run to execute the program:
This would produce a string at the end with some non-printable characters. Googling part of the string reveals a certain Danish dessert (based on the username of the user):
Using the name of the dessert, we can access the passwords within the .kdbx file:
Keepass PPK Key -> Root SSH Key
There are quite a few entries within this Keepass instance:
Within the keeper.htb entry, there's a key of some sort, as well as a fake password for root:
This is a Putty User Key File, which can be converted back to an ssh key.
After running chmod 600 on it, we can use this private key to ssh in as root:
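The key pasted into the Keepass entry was usable as soon as it was converted, which is the storage problem a reviewer should flag. As an added example (not part of the original write-up), this sketch parses the header of a Putty User Key File and reports whether the private half is passphrase-protected; the sample text and the function names are constructed for illustration and assume the standard PPK header layout.

```python
import base64

def _b64_lines(data, width=64):
    """Base64-encode data and wrap it the way PPK files do."""
    text = base64.b64encode(data).decode()
    return [text[i:i + width] for i in range(0, len(text), width)]

def build_sample(encryption="none"):
    """Constructed PPK-shaped text; the blobs are filler bytes, not a real key."""
    pub, priv = _b64_lines(b"P" * 60), _b64_lines(b"S" * 100)
    return "\n".join(
        ["PuTTY-User-Key-File-3: ssh-rsa", f"Encryption: {encryption}",
         "Comment: constructed-example", f"Public-Lines: {len(pub)}", *pub,
         f"Private-Lines: {len(priv)}", *priv, "Private-MAC: " + "00" * 32])

def parse_ppk(text):
    """Return the header fields and decoded blob sizes of a PPK file."""
    lines = text.strip().splitlines()
    name, sep, algorithm = lines[0].partition(": ")
    if not sep or not name.startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY key file")
    info = {"version": int(name.rsplit("-", 1)[1]), "algorithm": algorithm}
    i = 1
    while i < len(lines):
        name, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"unexpected line {i + 1}")
        i += 1
        if name.endswith("-Lines"):  # Public-Lines / Private-Lines
            body = lines[i:i + int(value)]
            if len(body) != int(value):
                raise ValueError(f"{name} is truncated")
            blob = base64.b64decode("".join(body), validate=True)
            info[name[:-6].lower() + "_bytes"] = len(blob)
            i += int(value)
        else:
            info[name.lower()] = value
    return info

def audit_ppk(text):
    """List the storage problems a reviewer should raise for this key."""
    info, findings = parse_ppk(text), []
    if info.get("encryption") == "none":
        findings.append("private key has no passphrase")
    if "private-mac" not in info:
        findings.append("no Private-MAC: file is incomplete or altered")
    return findings

if __name__ == "__main__":
    print(parse_ppk(build_sample()), audit_ppk(build_sample()))
```

A key that reports "Encryption: none" is protected only by whatever guards the text around it, here the Keepass master password.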
dotnet run saves loads of time transferring files to a Windows machine. Rooted!