Keeper Writeup
Initial Recon
Starting off with an initial nmap scan of our target host: `nmap -sV -sC 10.10.11.227 -oA keeper`
We see that there are 3 open ports:
- 22 - SSH
- 80 - HTTP
- 8000 - HTTP
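As an added example (not part of the original writeup), the `-oA keeper` flag also writes `keeper.xml`, and the script below turns that XML into an inventory of open services, which is the form you want when the scan feeds an asset list rather than a screenshot. The XML embedded here is a constructed excerpt in the shape of nmap's output; the product and version strings are placeholders, not fingerprints taken from the target.

```python
"""Turn nmap's XML output (written by -oA/-oX) into a list of open services.

Added example, not code from the original writeup. SAMPLE_NMAP_XML is a
constructed excerpt in the shape of nmap's XML output; the product/version
strings are placeholders, not fingerprints taken from the target.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC 10.10.11.227 -oA keeper">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.11.227" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="example-sshd" version="0.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="example-httpd" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8000">
        <state state="open" reason="syn-ack"/>
        <service name="http" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class OpenService:
    host: str
    port: int
    protocol: str
    service: str
    product: str
    version: str


def parse_open_services(xml_text: str) -> List[OpenService]:
    """Return every port whose <state> is 'open', with whatever -sV identified."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        # Prefer the IPv4 address; an Element with no children is falsy, so test for None explicitly.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the inventory
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append(OpenService(
                host=addr,
                port=int(port.get("portid")),
                protocol=port.get("protocol", "tcp"),
                service=attrs.get("name", "unknown"),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
            ))
    return sorted(found, key=lambda s: (s.host, s.protocol, s.port))


def summarize(xml_text: str) -> List[str]:
    """One line per open service, e.g. '10.10.11.227:22/tcp ssh example-sshd 0.0'."""
    return [
        " ".join(filter(None, [f"{s.host}:{s.port}/{s.protocol}", s.service, s.product, s.version]))
        for s in parse_open_services(xml_text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_NMAP_XML):
        print(line)
```

To run it against a real scan, replace `SAMPLE_NMAP_XML` with the contents of `keeper.xml`; ports whose state is anything other than `open` are dropped, so a `filtered` result (like the port 8000 timeout described next) would not appear in the list.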
I wasn’t able to connect to port 8000 and kept receiving an "Unable to connect" error.
But connecting to port 80, we find that there’s a hyperlink pointing to a virtual host (vHost) at the tickets.keeper.htb/rt/ domain.
Let’s add this vHost to our /etc/hosts file so that we can connect to it. Add the following entry to the /etc/hosts file:
10.10.11.227 keeper.htb tickets.keeper.htb
Attempting to connect to the base domain keeper.htb leads us to the same page, but connecting instead to tickets.keeper.htb leads to a login page for a service known as Request Tracker.
We also get a version number, which is 4.4.4! The link to the Request Tracker software can be found here, and if you read the configuration settings, within step 7, it states the default credentials to be root:password!
Initial Access
We can log in with these default credentials. Looking at the users on the ticket tracker, we see there are only 2 users:
- root
- lnorgaard
If we click the lnorgaard user, we’ll find a comment that contains the default credentials for this user.
Let’s use the lnorgaard:Welcome2023! credentials to log in via SSH to the target machine.
Privilege Escalation
Going to the /home/lnorgaard directory and listing all files, we find 2 interesting files:
- passcodes.kdbx
- KeePassDumpFull.dmp
These appear to be files belonging to KeePass, which is a password manager. One of them appears to be a process dump, while passcodes.kdbx is a KeePass password database file.
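As an added example (not code from the writeup or from KeePass), the parser below confirms that a file really is a KeePass 2.x .kdbx database and reads its unencrypted outer header: format version, cipher, compression and the key-derivation settings. That is what a triage or DFIR script wants from a vault file found on a host: identify it and judge how well the master key is stretched, without touching the encrypted payload. The header is constructed in memory here (filler seeds and IV, no real vault); the cipher and KDF UUID tables are KeePass's published constants.

```python
"""Identify a KeePass .kdbx file and read its unencrypted outer header.

Added example, not code from the original writeup or from KeePass. It builds a
constructed KDBX 4 header in memory (no real vault, no key material) and parses
it; the same parser can be pointed at the first few kilobytes of a real file.
The encrypted payload is never read.
"""
import struct
import uuid
from typing import Any, Dict

KDBX_SIG1 = 0x9AA2D903      # shared by all KeePass file formats
KDBX_SIG2_V2 = 0xB54BFB67   # KeePass 2.x .kdbx
KDBX_SIG2_V1 = 0xB54BFB55   # KeePass 1.x .kdb (not parsed here)

CIPHERS = {
    "31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256-CBC",
    "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
    "ad68f29f-576f-4bb9-a36a-d47af965346c": "Twofish",
}
KDFS = {
    "c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",
    "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
    "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id",
}
# Outer header field IDs (KDBX 3 and 4); 11 = KdfParameters exists only in KDBX 4.
F_END, F_CIPHER, F_COMPRESSION, F_MASTER_SEED, F_ROUNDS, F_IV, F_KDF = 0, 2, 3, 4, 6, 7, 11
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42   # VariantDictionary value types


def parse_variant_dict(buf: bytes) -> Dict[str, Any]:
    """KDBX 4 VariantDictionary: u16 version, then (type, u32 len, name, u32 len, value)* ending with type 0."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version >> 8 != 1:
        raise ValueError("unsupported VariantDictionary version")
    out, off = {}, 2
    while buf[off] != 0:
        vtype = buf[off]
        (nlen,) = struct.unpack_from("<I", buf, off + 1)
        name = buf[off + 5:off + 5 + nlen].decode("utf-8")
        (vlen,) = struct.unpack_from("<I", buf, off + 5 + nlen)
        raw = buf[off + 9 + nlen:off + 9 + nlen + vlen]
        off += 9 + nlen + vlen
        if vtype == VD_UINT32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == VD_UINT64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:                       # byte arrays and any other type are kept raw
            out[name] = raw
    return out


def parse_kdbx_header(data: bytes) -> Dict[str, Any]:
    """Check the two magic values and walk the header fields up to EndOfHeader."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if sig1 != KDBX_SIG1 or sig2 != KDBX_SIG2_V2:
        raise ValueError("not a KeePass 2.x (.kdbx) database")
    # Field layout: u8 id, then u16 length (KDBX 3) or u32 length (KDBX 4), then data.
    len_fmt = "<BI" if major >= 4 else "<BH"
    fields, off = {}, 12
    while True:
        fid, size = struct.unpack_from(len_fmt, data, off)
        off += struct.calcsize(len_fmt)
        fields[fid] = data[off:off + size]
        off += size
        if fid == F_END:
            break
    info: Dict[str, Any] = {
        "format": f"KDBX {major}.{minor}",
        "cipher": CIPHERS.get(str(uuid.UUID(bytes=fields[F_CIPHER])), "unknown"),
        "compression": "gzip" if struct.unpack("<I", fields[F_COMPRESSION])[0] == 1 else "none",
        "header_length": off,
    }
    if F_KDF in fields:                 # KDBX 4: KDF described by a VariantDictionary
        kdf = parse_variant_dict(fields[F_KDF])
        info["kdf"] = KDFS.get(str(uuid.UUID(bytes=kdf["$UUID"])), "unknown")
        info["kdf_params"] = {k: v for k, v in kdf.items() if k in ("R", "P", "M", "I", "V")}
    elif F_ROUNDS in fields:            # KDBX 3: fixed AES-KDF with a round count
        info["kdf"] = "AES-KDF"
        info["kdf_params"] = {"R": struct.unpack("<Q", fields[F_ROUNDS])[0]}
    return info


def build_sample_kdbx4_header() -> bytes:
    """Constructed KDBX 4.0 outer header using Argon2d; seeds and IV are filler, not real."""
    def vd(entries):
        out = bytearray(struct.pack("<H", 0x0100))
        for vtype, name, raw in entries:
            nb = name.encode()
            out += struct.pack("<BI", vtype, len(nb)) + nb + struct.pack("<I", len(raw)) + raw
        return bytes(out + b"\x00")
    kdf = vd([(VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes),
              (VD_BYTES, "S", bytes(range(32))),
              (VD_UINT32, "P", struct.pack("<I", 2)),
              (VD_UINT64, "M", struct.pack("<Q", 64 * 1024 * 1024)),
              (VD_UINT64, "I", struct.pack("<Q", 10)),
              (VD_UINT32, "V", struct.pack("<I", 0x13))])
    fields = [(F_CIPHER, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes),
              (F_COMPRESSION, struct.pack("<I", 1)),
              (F_MASTER_SEED, b"\x11" * 32), (F_IV, b"\x22" * 16),
              (F_KDF, kdf), (F_END, b"\r\n\r\n")]
    hdr = bytearray(struct.pack("<IIHH", KDBX_SIG1, KDBX_SIG2_V2, 0, 4))
    for fid, val in fields:
        hdr += struct.pack("<BI", fid, len(val)) + val
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_kdbx_header(build_sample_kdbx4_header()))
```

For a real file, `parse_kdbx_header(open(path, "rb").read(8192))` is enough, since the outer header is only a few hundred bytes. The `kdf_params` values (Argon2 memory `M` in bytes, iterations `I`, parallelism `P`, or AES-KDF rounds `R`) are what to compare against your policy when deciding whether a vault's master password is stretched well enough.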
These two files lead me to believe that the privilege escalation component of this box may be related to CVE-2023-32784, a vulnerability in which the master password can be recovered from a KeePass process memory dump!
One thing to note is that the vulnerability details state that the first character of the master password isn’t recoverable, so we’ll likely have to guess that one.
Searching for "CVE-2023-32784 exploit Github" reveals various results; I chose to use this Python one. We can run it via: `python3 keepass_dump.py -f KeePassDumpFull.dmp`
The extracted master password appears to be `dgrd med flde`, though recall that the first character of the master password isn’t recoverable. Looking this up, as it appears to be a phrase, I came across several articles relating to a Danish pudding.
Knowing this, that the user we gained initial access with was lnorgaard, and that their Language was set to Danish on the Request Tracker system, I took an educated guess that the master password for the KeePass database was indeed the Danish dessert `rødgrød med fløde`.
Let’s import the passcodes.kdbx file into KeePass and use the discovered master password!
Note: You can install KeePass here!
After inputting the master password, you’ll see 2 entries within the Network passwords group:
- A password for the ticketing system for the lnorgaard user
- A PuTTY SSH key for the root user
This SSH key is in PuTTY format, but we can copy it, paste it into a file, and convert it into OpenSSH format in order to use it to log in as the root user.
First, copy the entire key to a file. Then we can use puttygen to convert the SSH key into OpenSSH format.
NOTE: You may need to install putty-tools in order to convert it!
First, we can convert it and output a private SSH key by running: `puttygen <Putty SSH key> -O private-openssh -o rootprivkey.txt`
Then we can log in to the target by specifying the rootprivkey.txt file with the -i option.
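As an added example (not code from the writeup or from PuTTY), the parser below reads the plaintext part of a `.ppk` file: the format version, key type and, above all, whether the private part is stored with a passphrase or as plaintext. That is the first thing to establish when a private key turns up in a password vault or on disk, because an unprotected key can be converted and used exactly as the procedure above shows, while a protected one needs its passphrase at conversion time. The sample files are constructed here with filler base64 payloads, not real key material.

```python
"""Read the plaintext header of a PuTTY .ppk private key.

Added example, not from the original writeup or from PuTTY. The PPK files are
constructed with filler base64 payloads (not real keys); the parser reports the
key type, format version and whether the private part is passphrase-protected.
"""
import base64
from typing import Any, Dict


def build_sample_ppk(encrypted: bool) -> str:
    """Constructed PPK v2 file; the blobs are filler text, not a real key pair."""
    pub = base64.b64encode(b"constructed public blob, not a real key").decode()
    priv = base64.b64encode(b"constructed private blob, not a real key either").decode()
    return "\n".join([
        "PuTTY-User-Key-File-2: ssh-rsa",
        "Encryption: " + ("aes256-cbc" if encrypted else "none"),
        "Comment: constructed-sample",
        "Public-Lines: 1", pub,
        "Private-Lines: 1", priv,
        "Private-MAC: " + "00" * 20,   # placeholder MAC, not computed
        "",
    ])


def parse_ppk(text: str) -> Dict[str, Any]:
    """Walk the 'Name: value' header lines; multi-line base64 blocks follow *-Lines counts."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY private key file")
    head, _, key_type = lines[0].partition(": ")
    info: Dict[str, Any] = {"version": int(head.rsplit("-", 1)[1]), "key_type": key_type.strip()}
    i = 1
    while i < len(lines):
        name, _, value = lines[i].partition(": ")
        i += 1
        if name in ("Public-Lines", "Private-Lines"):
            n = int(value)
            blob = "".join(lines[i:i + n])
            i += n
            if name == "Public-Lines":
                info["public_blob"] = base64.b64decode(blob)   # SSH wire-format public key
            else:
                info["private_lines"] = n   # plaintext or ciphertext; deliberately not decoded
        else:
            info[name] = value.strip()      # Encryption, Comment, Private-MAC, v3 Argon2-* lines
    info["encrypted"] = info.get("Encryption", "none") != "none"
    return info


def key_is_unprotected(text: str) -> bool:
    """True when the private part is stored without a passphrase."""
    return not parse_ppk(text)["encrypted"]


if __name__ == "__main__":
    for flag in (False, True):
        print(parse_ppk(build_sample_ppk(flag)))
```

Point `parse_ppk` at the text you copied out of the vault entry before running `puttygen`: an `Encryption: none` result means the key is usable by anyone who can read the file, which is the condition to flag when reviewing where such keys are stored.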
And we’ve successfully rooted the box!