Hack The Box: Keeper
Enumeration
As always, start off with an Nmap scan.
![](https://ratil.life/content/images/2023/10/image-7.png)
Just 80 and 22 open today. We will start by enumerating the web app.
![](https://ratil.life/content/images/2023/10/image-8.png)
To make some of this work easier, I am going to add `keeper.htb` and `tickets.keeper.htb` to my hosts file. Navigating to the linked site reveals a logon page for what looks like some sort of ticketing system.
![](https://ratil.life/content/images/2023/10/image-9.png)
User
Request Tracker seems to have several vulnerabilities but all seem to require authentication. A quick Google search reveals the default credentials to be `root:password` and, in this case, the default credentials work!
![](https://ratil.life/content/images/2023/10/image-10.png)
With successful authentication to the application, many of the disclosed vulnerabilities come into play. Reviewing the vulnerabilities, only a few apply to our version of the app (4.4.4) and the ones that do are not immediately useful. Further investigation of the app reveals a ticket that indicates there may be some juicy information on Lise Norgaard's computer.
![](https://ratil.life/content/images/2023/10/image-11.png)
Reviewing users, we see a note that Lise Norgaard has had their initial password set to `Welcome2023!`. Trying this password to SSH to the machine as `lnorgaard` is successful and we have our initial user access.
![](https://ratil.life/content/images/2023/10/image-12.png)
Root
Looking in `lnorgaard`'s home directory, there are two interesting files that we already expected based on the ticket we saw: `KeePassDumpFull.dmp` and `passcodes.kdbx`. The KDBX file is a KeePass vault and presumably, we should be able to recover the key to that file from the DMP file.
![](https://ratil.life/content/images/2023/10/image-13.png)
`strings` is not installed on the system but a `sed` command helped me to view strings in the DMP file. After initially searching for "key" in the file, I found a section with "rsa-key" and was able to extract that.
![](https://ratil.life/content/images/2023/10/image-14.png)
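The `sed` workaround above is effectively a stand-in for `strings`. As an added example (not from the original post), this Python script extracts printable runs from a dump in both ASCII and UTF-16LE, since Windows process dumps hold many strings as UTF-16, and filters them by keyword; the function names and sample bytes are constructed for illustration.

```python
import mmap
import re

def extract_strings(data, min_len=6):
    """Yield (offset, encoding, text) for each printable run in a binary blob."""
    # Plain ASCII runs: what `strings` prints by default.
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE runs: each printable byte followed by a NUL byte.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def grep_strings(data, keyword, min_len=6):
    """Return hits containing keyword (case-insensitive), ordered by file offset."""
    needle = keyword.lower()
    hits = [h for h in extract_strings(data, min_len) if needle in h[2].lower()]
    return sorted(hits)

def scan_file(path, keyword, min_len=6):
    """Memory-map a dump so large files are searched without loading them whole."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return grep_strings(mm, keyword, min_len)

# Constructed sample bytes standing in for a slice of a memory dump.
SAMPLE = (
    b"\x00\x01\x02" + b"rsa-key-EXAMPLE" + b"\x00\xff"
    + "MasterKeyField".encode("utf-16le")
    + b"\x00\x00\x90\x90" + b"short" + b"\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in grep_strings(SAMPLE, "key"):
        print(f"0x{offset:08x}  {encoding:<8}  {text}")
```

Against a local copy of the dump, `scan_file("KeePassDumpFull.dmp", "key")` returns the same kind of hit list with file offsets.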
Of course, then I realized I should have just copied those files locally for easier parsing.
However, after these keys did not work for anything and after a TON of Googling, I realized that this was not the intended path. It turns out that there is a CVE for dumping the master database password out of a KeePass 2.x memory dump, and numerous exploits take advantage of it.
Using the tool linked above, I was able to recover something.
![](https://ratil.life/content/images/2023/10/image-15.png)
The password as printed did not open the KeePass vault. While this is not something that I am familiar with, Googling showed me what is likely going on here.
![](https://ratil.life/content/images/2023/10/image-16.png)
Copying the true message with appropriate characters did successfully open the KeePass vault and we see that there is a root PuTTY key. To convert the key to something I could use from Kali, I followed this StackOverflow question.
And with that, I have gained root on this box.
![](https://ratil.life/content/images/2023/10/image-17.png)