OSCP PREP BOX 5: HtB Keeper

Alright, to kick off the box Keeper, we’re going to start with our default nmap scan to get a lay of the land. Off the bat, we’re going to notice port 22 (SSH) and port 80 (HTTP) open.

When we try navigating to the webserver on port 80, we notice that it just bears a link to take you to another page to create an IT ticket. I went ahead and clicked on it which takes you to tickets.keeper.htb. I added both of these to the hosts file using: sudo sh -c ‘echo “<ip> keeper.htb” >> /etc/hosts’

When we get on the landing page of tickets.keeper.htb, we’ll notice a pretty plain login form which (on the top right) indicates that it’s a web app called “Request Tracker.”

I took to Google and looked up default credentials for Request Tracker and found it to be “root:password.” Back on the web page, I gave that a shot and we got access!

I then navigated around and noticed in the admin tab on the top I could poke around in the users section. This led me to a user lnorngaard whose password was held in the comments section on the page.

I took the username and password over to try and SSH to the server using lnorngaard and her password which worked!

From here we start off in lnorngaard’s home directory and we can cat our user.txt flag and we also have an interesting .zip file.

I just ran “unzip RT3000.zip” which has two files inside of it: KeePassDumpFull.dmp and passcodes.kbdx.

I downloaded both of these to my kali machine. KeePass is a password manager and dump file is a memory dump from KeePass and the .kbdx file is a file that stores user data like usernames, passwords, etc.

Of note, if you’ve never downloaded from SSH before, it’s so easy. Just open up a new tab and run:

scp lnorgaard@<ip>:/path/to/file.txt /path/to/local/directory/

I then went to Google and started to see if there was anything I could do with the dump file or a way to crack the kbdx file to get passwords. This ended up panning out!

I ended up using this KeePass vulnerability:

https://github.com/vdohney/keepass-password-dumper

For this exploit to work, you need .NET installed and it must be version 7.0.

You can verify your .net version with “dotnet –list-sdks”.

If you need help with the install, this article made it really easy (for step 2 just change 6.0 to 7.0): https://www.geeksforgeeks.org/how-to-install-net-on-linux/

Once we get .NET installed, we can git clone the repository for the keepass vulnerability, then cd to its directory, and run “dotnet run /path/to/dump.dmp

You can see in the pic, the password is a little wonky, but I just plugged that into Google and learned it’s some pastry.. lol rødgrød med fløde

Now we just need a way to log into KeePass since the github exploit gives us the master password for KeePass.

So, let’s download KeePass and keep moving on.

Sudo apt-get install keepassxc

Then we can run keepass with “keepassxc,” click open database, use the kbdx file, and then enter the database password we found! I found that I had to copy and paste because of the unique slashed o character.

And we’re in!

So if we navigate down to Network, we’ll see only two users, lnorgaard and root. For the root user we see a PuTTY User Key File with a public and private SSH key.

We can try the password that’s listed there, but it won’t work, so we have to go with the ssh key. Also, because it’s a PuTTY key, we have to use putty or at least use putty to make a .ppk file to let us then convert the ppk to a pem file. If that’s totally new to you, that’s fine (it was for me too). I posted some links down below that I used to work my way through it. It’s totally doable if you just take the time to learn about what an SSH key for putty looks like.

So let’s make sure we get putty installed (for this we need to use version .76).

Here’s how we can get this done:

                mkdir putty_source_code

                cd putty_source_code

wget https://the.earth.li/~sgtatham/putty/0.76/putty-0.76.tar.gz

tar -xvf putty-0.76.tar.gz

cd putty-0.76

./configure

make

sudo cp puttygen /usr/bin/

cd ../..

rm -rf putty_source_code

 

And we’re installed!

Now let’s generate a public/private ssh key. I found a pretty easy explanation here:

https://www.ssh.com/academy/ssh/putty/linux/puttygen


So we can use vim to create a .ppk file, then convert the .ppk file to a .pem file (I was getting a bunch of error messages using the .ppk file. I learned about that here:

https://askubuntu.com/questions/1440627/getting-this-error-puttygen-error-loading-name-ppk-putty-key-format-too-new

Now that we have puttygen installed and the correct version, we can use puttygen to create a .pem ssh key for the root user!

puttygen passkey.ppk -O private-openssh -o key.pem

We can now take our key.pem file and use msfconsole’s public key ssh login module to get a root shell (read the documentation for entering the private_key file in msf (see above pic)).

And that’s all she wrote. All-in-all, a fun box with some fun ssh problems in it.

Previous
Previous

OSCP PREP BOX 6: HtB BoardLight

Next
Next

OSCP PREP BOX 4: HtB Soccer