Target IP: 10.10.11.227
Local IP: 10.10.14.68
0x01 Information Gathering#
nmap port scanning
Port 80 and port 22 are open.
Accessing port 80 shows the following page:
Set up hosts file to resolve domain name.
Accessing http://tickets.keeper.htb/ shows the following page:
0x02 Exploitation#
Based on some hints on the page, search for "Best Practical Solutions, LLC username password" and find the official website's documentation.
The default password is root/password. Try logging in.
Multiple login attempts are required to successfully log in.
There are two users.
lnorgaard's password is New user. Initial password set to Welcome2023!
Log in with this account.
Discover a keepass issue.
It tells us that the keepass client has a problem.
Download the attachment.
Unable to download after trying for a while. Try logging in to ssh using lnorgaard/Welcome2023!.
Successfully logged in.
Obtain user.txt.
0x03 Privilege Escalation#
From the image above, there are three files in addition to user.txt: KeePassDumpFull.dmp, RT30000.zip, passcodes.kdbx.
Log in to sftp and download these three files.
Contents of RT30000.zip:
Open with an application, requires account password to log in.
In cases where a dmp file is provided, passwords can usually be extracted from the dmp file. Try using mimikatz to dump passwords, but fail.
Try searching and find that there is a vulnerability in keepass for retrieving the master password, with the vulnerability ID CVE-2023-32784.
Search for a poc on GitHub.
The output is as follows:
Possible password: ●Mdgr●d med fl●de
Try searching on Google.
rødgrød med fløde
Try using this password to open the kbdx file.
Find root's password and key.
Save the key file as txt, then convert it to an ssh certificate using puttygen.
Install putty on Mac.
brew install putty
Then execute the following command to generate the keeper.pem file:
puttygen 123.txt -O private-openssh -o keeper.pem
Give permission to connect.
chmod 600 keeper.per
ssh [email protected] -i keeper.pem
Successfully connect with root privileges and obtain root.txt.
0x04 Conclusion#
- SSH login to obtain user.txt was unexpected.
- Learn about the keepass vulnerability to obtain the master key.