Keeper

Personal Rating: Easy

Enumeration

sudo nmap -v -sV <IP>

Nmap scan report for 10.10.11.227
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

This refers to http://tickets.keeper.htb/rt/ so I added the subdomain to my hosts file

It shows a login page with the info »|« RT 4.4.4+dfsg-2ubuntu1 from BestPractical

Default Creds & Pillaging

The default credentials root:password worked to log in

At the homepage there was one ticket about a Windows keepass issue and a username:

There are also mail addresses:

  • root@localhost

  • rt@keeper.htb

  • webmaster@keeper.htb

  • rt-comment@keeper.htb

  • rt@keeper.htb

There are mails that potentially indicate an insecure handling of sensitive data/files:

Lise,
“Attached to this ticket is a crash dump of the keepass program”

I have saved the file to my home directory and removed the attachment for security reasons.

Once my investigation of the crash dump is complete, I will let you know.

Real Name: Enoch Root
Email Address: root@localhost
Name: root

Found this at http://tickets.keeper.htb/rt/Admin/Tools/Shredder

Shredder needs a directory to write dumps to.
Please ensure that the directory /var/lib/request-tracker4/data/RT-Shredder
exists and that it is writable by your web server.

I continued pillaging the ticket system to find some credentials:

KeePass Database Exploit

Logging in with these credentials via ssh worked. Investigating the KeePass version, I found CVE-2023-32784 to be likely exploitable. Using a PoC I got this result: dgrd med flde

It seems like something is off with the result.

I tried a different PoC, thinking that the first one was not working: https://github.com/vdohney/keepass-password-dumper

The result was ødgrød med fløde, which shows what the issue with the first PoC was. The result as a password did not work, however.

Searching for that on Google yields "Rødgrød med Fløde" as a well-known tourist location, which then worked as the password when used from a file.
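As an added example (not code from the writeup or from either PoC), the following Python shows the two text-handling problems behind the results above: a candidate filter that keeps only printable ASCII turns "ødgrød med fløde" into exactly the "dgrd med flde" the first tool printed (that the first PoC filtered to ASCII is an assumption drawn from the two outputs), and decoding UTF-8 bytes with the wrong encoding produces a password that looks right at a glance but is not, which is why taking it from a UTF-8 file is the safer route. The sample strings are the ones from the writeup; everything else is constructed.

```python
"""Added example: ASCII-only filtering vs. Unicode-aware filtering, and
mojibake from a wrong decode. Not part of the original writeup or PoCs."""
import string
from typing import Tuple

# Printable 7-bit ASCII, without the whitespace control characters.
PRINTABLE_ASCII = set(string.printable) - set("\t\n\r\x0b\x0c")


def keep_printable_ascii(text: str) -> str:
    """Drop every character outside printable 7-bit ASCII.
    A candidate filter like this silently removes 'ø', which is what turns
    'ødgrød med fløde' into 'dgrd med flde' (assumed cause of the first PoC's output)."""
    return "".join(ch for ch in text if ch in PRINTABLE_ASCII)


def keep_printable_unicode(text: str) -> str:
    """Keep every printable character, letters with diacritics included."""
    return "".join(ch for ch in text if ch.isprintable())


def decode_password_file(raw: bytes, encoding: str = "utf-8") -> str:
    """Decode the bytes of a password file and strip only the trailing newline.
    Decoding UTF-8 bytes as latin-1 keeps the byte count but turns every
    non-ASCII letter into two garbage characters, one way a correct password
    can fail when typed or piped through a terminal with a mismatched locale."""
    return raw.decode(encoding).rstrip("\r\n")


def mojibake_diff(password: str) -> Tuple[str, str]:
    """Return (correct, mangled) renderings of the same UTF-8 bytes."""
    raw = password.encode("utf-8")
    return decode_password_file(raw), decode_password_file(raw, "latin-1")


if __name__ == "__main__":
    recovered = "ødgrød med fløde"  # candidate string as shown in the writeup
    print("ASCII-only filter :", keep_printable_ascii(recovered))
    print("Unicode filter    :", keep_printable_unicode(recovered))
    # The CVE-2023-32784 recovery never yields the first character of the
    # master password, which is why the candidate starts at the second letter.
    good, bad = mojibake_diff("Rødgrød med Fløde")
    print("from UTF-8 file   :", good)
    print("latin-1 misdecode :", bad)
```

Running the block prints the ASCII-filtered and Unicode-filtered candidates side by side, then the same password decoded correctly and as latin-1 mojibake; comparing the last two is a quick sanity check before concluding that a recovered password "does not work".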

Persistence

Finally, I converted and used the ssh key for persistence:

puttygen root.ppk -O private-openssh -o id_rsa
ssh -i id_rsa root@10.10.11.227

root@keeper:~# cat root.txt
