search

Keeper

Personal Rating: Easy

hashtag
Enumeration

sudo map -v -sV <IP>

Nmap scan report for 10.10.11.227
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

This refers to http://tickets.keeper.htb/rt/arrow-up-right so I added the subdomain to my hosts file

It shows a login page with the info »|« RT 4.4.4+dfsg-2ubuntu1 from BestPractical

hashtag
Default Creds & Pillaging

The default credentials root:password worked to log in

At the homepage there was one ticket about a Windows keepass issue and a username:

There are also mail addresses:

  • root@localhost

  • rt@keeper.htb

  • webmaster@keeper.htb

  • rt-comment@keeper.htb

  • rt@keeper.htb

There are mails that potentially indicate an insecure handling of sensitive data/files:

Found this at http://tickets.keeper.htb/rt/Admin/Tools/Shredderarrow-up-right

http://tickets.keeper.htb/rt/Admin/Tools/Configuration.htmlarrow-up-right

I continued pillaging the ticket system to find some credentials:

hashtag
KeePass Database Exploit

Logging in with these credentials via ssh worked. Investigating the KeePass version, I found CVE-2023-32784 to be likely exploitable. Using a PoC I got this result: dgrd med flde

It seems like something is off with the result.

I tried a different PoC, thinking that the first one was not working: https://github.com/vdohney/keepass-password-dumper

The result was ødgrød med fløde which shows what the issue with the first PoC was. The result as password did not work however.

Searching for that on google yields "Rødgrød med Fløde" as a well known tourist location, which then worked as the password if used from a file.

hashtag
Persistence

Finally, I converted and used the ssh key for persistence:

PreviousJerryNextKnife

Last updated