HackTheBox Target Keeper: Process Record

image

  • Target IP: 10.10.11.227
  • Local IP: 10.10.14.68

0x01 Information Gathering

nmap port scanning

image

Port 80 and Port 22 are open.

Accessing the page on Port 80:

image

Set up the hosts file to resolve the domain:

image

Accessing http://tickets.keeper.htb/, we can see the following page:

image

0x02 Vulnerability Exploitation

Based on some hints on the page, search for "Best Practical Solutions, LLC username password" and find the official documentation.

image

The default credentials are root/password, as shown in the above image. Let's try logging in.

image

Multiple login attempts are required to successfully log in.

There are two users.

image

The entry for lnorgaard carries the note "New user. Initial password set to Welcome2023!", which gives us the password for that account.

image

Let's log in to this account and see.

image

Found an issue with keepass.

image

image

It tells us that there is a problem with the keepass client.

Download the attachment.

image

After trying for a while, I couldn't download it. Let's try logging in to ssh using lnorgaard/Welcome2023!.

image

Successful login.

Obtained user.txt.

image

0x03 Privilege Escalation

From the above image, we can see that there are three files in addition to user.txt: KeePassDumpFull.dmp, RT30000.zip and passcodes.kdbx.

Log in to sftp and download these three files.

Contents of RT30000.zip

image

Opening the database with an application requires a password to log in.

image

In cases like this, where a dmp file is provided, passwords can usually be extracted from it. I tried using mimikatz to dump the password, but it failed.

image

After searching, I found that KeePass has a vulnerability that allows the master password to be retrieved, tracked as CVE-2023-32784.

Let's search for a poc on GitHub.

Retrieve the master password of a keepass database <= 2.53.1

The output is as follows:

image

Possible password: ●Mdgr●d med fl●de

Let's try a Google search.

image

rødgrød med fløde

Let's try this password to open the kdbx file.

image

Found the password and key for root.

image

Save the above key file as txt, and then convert it to an OpenSSH private key using puttygen.

The puttygen tool requires PuTTY to be installed.

Install putty on Mac:

brew install putty

Then execute the following command to generate the keeper.pem file:

puttygen 123.txt -O private-openssh -o keeper.pem

Restrict the key file's permissions, then connect:

chmod 600 keeper.pem
ssh [email protected] -i keeper.pem

image

Successfully connected with root privileges, obtain root.txt.

image

0x04 Conclusion

  • It was unexpected to obtain user.txt through an ssh login.
  • Learned about the KeePass vulnerability for retrieving the master key.
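
As a defensive counterpart to the privilege escalation step, where a process dump sat beside the KeePass database in the user's home directory, the following added example (not part of the original post) sweeps a directory tree for that condition. It assumes the dump is a Windows minidump (magic bytes MDMP) and that the database starts with the KeePass 2.x KDBX signature; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Magic bytes at offset 0 of each file type.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")  # KeePass 2.x database (KDBX)
MDMP_MAGIC = b"MDMP"  # Windows minidump; assumed format of the process dump

def classify(path):
    """Return 'kdbx', 'dump' or None from the file's first 8 bytes."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None  # unreadable: skip instead of aborting the sweep
    if head == KDBX_MAGIC:
        return "kdbx"
    return "dump" if head.startswith(MDMP_MAGIC) else None

def audit(root):
    """Flag loose file modes and directories holding a dump beside a database."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        kinds = set()
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            kind = None if os.path.islink(full) else classify(full)
            if kind is None:
                continue
            kinds.add(kind)
            if os.stat(full).st_mode & 0o077:  # readable beyond the owner
                findings.append(("loose-permissions", full))
        if kinds == {"kdbx", "dump"}:
            findings.append(("dump-beside-database", dirpath))
    return findings

def demo():
    """Audit a constructed tree that mirrors the file names on this page."""
    samples = [("passcodes.kdbx", KDBX_MAGIC + b"\0" * 8, 0o600),
               ("KeePassDumpFull.dmp", MDMP_MAGIC + b"\x93\xa7\0\0", 0o644),
               ("notes.dmp", b"plain text", 0o644)]  # wrong magic: ignored
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        os.mkdir(home)
        for name, data, mode in samples:
            path = os.path.join(home, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return [(k, os.path.relpath(p, tmp)) for k, p in audit(tmp)]
```

Calling audit() on a real home or share path returns the same tuples with absolute paths; any dump it reports next to a database should be deleted once it is no longer needed for troubleshooting.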