banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。
HomeArchives图文

Hackthebox target keeper process record

#htb277
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The given text describes the process of information gathering, vulnerability exploitation, privilege escalation, and conclusion of a target machine. It involves scanning open ports, accessing web pages, searching for passwords, downloading files, exploiting a vulnerability in Keepass, and using SSH to gain root access. The text concludes by mentioning the unexpected discovery of the user.txt file and the learning experience of exploiting the Keepass vulnerability to obtain the master key.

Target IP: 10.10.11.227
Local IP: 10.10.14.68

0x01 Information Gathering#

nmap port scanning

Port 80 and port 22 are open.

Accessing port 80 shows the following page:

Set up hosts file to resolve domain name.

Accessing http://tickets.keeper.htb/ shows the following page:

0x02 Exploitation#

Based on some hints on the page, search for "Best Practical Solutions, LLC username password" and find the official website's documentation.

The default password is root/password. Try logging in.

Multiple login attempts are required to successfully log in.

There are two users.

lnorgaard's password is New user. Initial password set to Welcome2023!

Log in with this account.

Discover a keepass issue.

It tells us that the keepass client has a problem.

Download the attachment.

Unable to download after trying for a while. Try logging in to ssh using lnorgaard/Welcome2023!.

Successfully logged in.

Obtain user.txt.

0x03 Privilege Escalation#

From the image above, there are three files in addition to user.txt: KeePassDumpFull.dmp, RT30000.zip, passcodes.kdbx.

Log in to sftp and download these three files.

Contents of RT30000.zip:

Open with an application, requires account password to log in.

In cases where a dmp file is provided, passwords can usually be extracted from the dmp file. Try using mimikatz to dump passwords, but fail.

Try searching and find that there is a vulnerability in keepass for retrieving the master password, with the vulnerability ID CVE-2023-32784.

Search for a poc on GitHub.

The output is as follows:

Possible password: ●Mdgr●d med fl●de

Try searching on Google.

rødgrød med fløde

Try using this password to open the kbdx file.

Find root's password and key.

Save the key file as txt, then convert it to an ssh certificate using puttygen.

Install putty on Mac.

brew install putty

Then execute the following command to generate the keeper.pem file:

puttygen 123.txt -O private-openssh -o keeper.pem

Give permission to connect.

chmod 600 keeper.per
ssh [email protected] -i keeper.pem

Successfully connect with root privileges and obtain root.txt.

0x04 Conclusion#

  • SSH login to obtain user.txt was unexpected.
  • Learn about the keepass vulnerability to obtain the master key.
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.