Keeper (machine)
by k0d14k
Keeper is a machine provided by HackTheBox. After you log into the platform you need to spawn the machine and then add the provided IP to your /etc/hosts file as follows:
Now you can navigate to the first one and you'll be redirected to the second one.
The application shows us this login page and, after some Google research, I notice that it is the login page of RT by Best Practical.
The exposed version is outdated and the default credentials are publicly available.
Once we have logged in we have access to a lot of functionality, so I start inspecting each feature to discover something new.
Starting from the Admin menu we can quickly identify the Users submenu, where we can find every registered user.
Let's see if there is some interesting information about the lnorgaard user.
The screenshot above shows that this user has a Unix login and that a comment reveals the user's password. So now we have a set of Unix credentials; let's try to open a shell using ssh.
VERY NICE! We have successfully established an ssh connection and got the first flag. But we want to escalate to root, so let's keep going.
Alongside the flag we find a file, RT30000.zip; using the scp command we can easily download it.
This archive contains two files, KeePassDumpFull.dmp and passcodes.kdbx. The first one is a KeePass memory dump and may contain the master password, while the second one is a KeePass database that, if we can unlock it, may contain the root password or some other details to move forward.
First of all, this kind of memory dump is affected by a known vulnerability, CVE-2023-32784. After some Google research, I found a PoC written in Python.
Here you can find the PoC repository.
I run the PoC; the result is shown below:
The result does not seem to provide any useful information, but if we google the recovered password we get a page about a Danish dessert. If you remember (otherwise scroll back up to the user's information), our user is Danish.
So let's try to unlock the KeePass database with several case variations of the dessert's name. Below is the word list I created from the original name:
And, as expected, the password is rødgrød med fløde.
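The case-variant word list described above, as an added example that is not part of the original write-up: it generates the per-word and per-character case variations of a seed phrase and reports how small the resulting keyspace is (one bit per cased letter), which is why a dictionary phrase with case tweaks offers no real protection for a KeePass master password. The seed phrase is the one recovered above; everything else is constructed for this example.

```python
import itertools
from typing import Iterator, List

# Seed phrase recovered in the write-up; used here as constructed sample input.
SEED_PHRASE = "rødgrød med fløde"


def word_case_variants(phrase: str) -> List[str]:
    """Per-word variants: each word lower, UPPER or Capitalised (3^words results)."""
    per_word = [sorted({w.lower(), w.upper(), w.capitalize()}) for w in phrase.split()]
    return [" ".join(combo) for combo in itertools.product(*per_word)]


def char_case_variants(phrase: str) -> Iterator[str]:
    """Exhaustive per-character toggling (2^letters results); non-letters are kept as-is."""
    choices = []
    for ch in phrase:
        lo, up = ch.lower(), ch.upper()
        # 'ø'/'Ø' toggle exactly like ASCII letters; spaces have a single form.
        choices.append((lo,) if lo == up else (lo, up))
    for combo in itertools.product(*choices):
        yield "".join(combo)


def keyspace_bits(phrase: str) -> float:
    """log2 of the exhaustive case keyspace: one bit per letter that has two case forms."""
    letters = sum(1 for ch in phrase if ch.lower() != ch.upper())
    return float(letters)


if __name__ == "__main__":
    # Write the exhaustive list to disk and summarise how weak case-only variation is.
    variants = list(char_case_variants(SEED_PHRASE))
    with open("wordlist.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(variants) + "\n")
    print(f"{len(variants)} candidates, {keyspace_bits(SEED_PHRASE):.0f} bits of keyspace")
```

Fifteen bits is a few tens of thousands of candidates, which even KeePass's slow key derivation cannot turn into a meaningful delay.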
If we try to establish an ssh session for the root user using this password it won't work. But in the note we can clearly see the content of a PuTTY-User-Key-File-3.
PuTTY is a piece of software used on Windows to implement the ssh protocol (yes, Windows doesn't support it natively). PuTTY stores its keys in a ppk file, which holds an RSA key much like a pem file does on Linux.
Fortunately, puttygen (from the putty-tools package) provides a way to convert ppk files into the private key format OpenSSH expects. Let's save the key in a file ppk_file.ppk and run the following command:
puttygen ppk_file.ppk -O private-openssh -o pem_file.pem
With pem_file.pem we can establish our ssh shell as root as follows: