banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

hackthebox Target Keeper Process Record

#htb389
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The target machine's IP is 10.10.11.227 and the local machine's IP is 10.10.14.68. The nmap port scan shows that ports 80 and 22 are open. Accessing port 80 reveals a webpage. By searching for "Best Practical Solutions, LLC username password," the default login credentials for the webpage are found. After multiple attempts, two users are discovered. One of the users has a password of "New user. Initial password set to Welcome2023!" Logging in with this account reveals a keepass issue. An attachment is downloaded, but cannot be opened. The SSH login is successful using the username "lnorgaard" and password "Welcome2023!". The user.txt file is obtained. Three additional files are found, including a kdbx file. A vulnerability in keepass (CVE-2023-32784) is exploited to retrieve the main password. The root password and key are found. The key file is converted to an SSH certificate using puttygen. SSH login as root is successful, and the root.txt file is obtained. The unexpected discovery is the user.txt file through SSH login. The keepass vulnerability is learned for obtaining the main key.

image

  • Target IP: 10.10.11.227
  • Local IP: 10.10.14.68

0x01 Information Gathering#

nmap port scanning

image

Port 80 and Port 22 are open.

Accessing the page on Port 80:

image

Setting up hosts file to resolve the domain

image

Accessing http://tickets.keeper.htb/, we can see the following page

image

0x02 Vulnerability Exploitation#

Based on some hints on the page, search for "Best Practical Solutions, LLC username password" and find the official documentation.

image

The default password is root/password as shown in the above image, let's try logging in.

image

Multiple login attempts are required to successfully log in.

There are two users.

image

The password for lnorgaard is New user. Initial password set to Welcome2023!

image

Let's log in to this account and see.

image

Found an issue with keepass.

image

image

It tells us that there is a problem with the keepass client.

Download the attachment.

image

After trying for a while, I couldn't download it. Let's try logging in to ssh using lnorgaard/Welcome2023!.

image

Successful login.

Obtained user.txt.

image

0x03 Privilege Escalation#

From the above image, we can see that there are three files in addition to user.txt: KeePassDumpFull.dmp RT30000.zip passcodes.kdbx.

Log in to sftp and download these three files.

Contents of RT30000.zip

image

Open with an application, requires account password login.

image

In cases like this where a dmp file is provided, passwords can usually be extracted from the dmp file. Let's try using mimikatz to dump the password, but it failed.

image

After searching, I found that there is a vulnerability in keepass for retrieving the master password, with the vulnerability ID CVE-2023-32784.

Let's search for a poc on GitHub.

Github Repo not found

The embedded github repo could not be found…

The output is as follows:

image

Possible password: ●Mdgr●d med fl●de

Let's try a Google search.

image

rødgrød med fløde

Let's try this password to open the kbdx file.

image

Found the password and key for root.

image

Save the above key file as txt, and then convert it to an ssh certificate using puttygen.

Puttygen tool needs putty to be installed.

Install putty on Mac:

brew install putty

Then execute the following command to generate the keeper.pem file:

puttygen 123.txt -O private-openssh -o keeper.pem

Give permission to connect:

chmod 600 keeper.per
ssh [email protected] -i keeper.pem

image

Successfully connected with root privileges, obtain root.txt.

image

0x04 Conclusion#

  • Unexpected to obtain user.txt through ssh login.
  • Learned about the keepass vulnerability for retrieving the master key.
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.