HTB Keeper Writeup is a comprehensive guide to solving an easy machine named Keeper. The path to root relies on a default password, a user password exposed in plain text, and exploitation of a KeePass vulnerability (CVE-2023-32784).
Initial Step
Before we start solving the lab, add the machine's IP address to your system's hosts file:
sudo nano /etc/hosts
Once the host is added you can refer to the machine by the name you gave it; for this machine that is keeper.htb.
Service Discovery
sudo nmap -sC -sV keeper.htb
OR
If you have not added the host, you can use the IP address directly:
sudo nmap -sC -sV <machine_ip>
This shows that services are running on port 22 and port 80. When only these two ports show up, we run a more comprehensive scan over all ports to be sure nothing is missed:
sudo nmap -sC -sV -p- <machine_ip>
The open ports indicate that the server accepts SSH connections and also hosts a website, so let us look at the website.
The site just redirects us to another URL: tickets.keeper.htb/rt
Before we can visit it we need to add tickets.keeper.htb to the hosts file as well, in the same way as keeper.htb and with the same IP address.
Once the name is in the hosts file the redirect works.
After the redirect we get a login page for Request Tracker (RT) that shows a version string: 4.4.4+dfsg-2ubuntu1.
Enumeration
Now that we know the technology behind the login page, we look for its default credentials. A simple Google search for "4.4.4+dfsg-2ubuntu1 default credentials" leads to a forum page of Best Practical, the vendor named at the bottom right of the login page. The link is: https://forum.bestpractical.com/t/forgot-admin-password-of-rt/33451. Scrolling down, you will find that the default credentials are:
Username → root
Password → password
Let us use these credentials to log in. Voila! The credentials work and we are in as root. Let us explore the page.
While going through the menu options you will see the Admin option; let us explore that.
Now let us look at the users and see what we can find out through them.
You immediately see one more user named lnorgaard. Let us see what information we can gather about this user as an admin.
Most of the user's details are visible, and among them is the user's password, stored in plain text. Note it down.
Username → lnorgaard
Password → Wel*******3!
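The foothold on this box comes from a password left in plain text in a user's profile. As an added example (not part of the writeup, and not a feature of RT), the following Python script shows how an administrator can audit an export of user records for that kind of disclosure: it scans free-text fields for phrases that usually precede a literal password and reports a masked finding per user and field. The record layout, the field names and all sample values are constructed for the example.

```python
"""Audit free-text fields of exported user records for disclosed passwords.

Added example: the fields scanned and the sample records below are constructed
for illustration and are not the format of any particular ticketing system.
"""
import re
from typing import Iterable

# Phrases that typically precede a literal password in notes and comments,
# e.g. "Initial password set to ...", "creds: ...", "password is ...".
_DISCLOSURE = re.compile(
    r"\b(?:initial\s+)?(?:password|passwd|pwd|pass|creds?|credentials?)\b"
    r"\s*(?:is|was|set\s+to|changed\s+to|[:=→-])\s*"
    r"['\"]?(?P<secret>[^\s'\"]{6,})",
    re.IGNORECASE,
)

# Free-text fields worth scanning in a user directory export (assumed names).
FREE_TEXT_FIELDS = ("comments", "signature", "description", "notes")


def mask(secret: str) -> str:
    """Keep just enough of the value to locate it in the record, hide the rest."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def find_disclosures(users: Iterable[dict]) -> list:
    """Return one finding per match that looks like a password written into a note."""
    findings = []
    for user in users:
        for field in FREE_TEXT_FIELDS:
            text = user.get(field) or ""
            for match in _DISCLOSURE.finditer(text):
                findings.append({
                    "user": user.get("name"),
                    "field": field,
                    "masked": mask(match.group("secret")),
                })
    return findings


# Constructed sample export; every value is made up for the example.
SAMPLE_USERS = [
    {"name": "root", "comments": "SuperUser account. Change on first login."},
    {"name": "jdoe", "comments": "New user. Initial password set to ExamplePass1!", "signature": ""},
    {"name": "asmith", "comments": "Temp creds: TempCred#42 , rotate next week", "notes": "Desk 4B"},
    {"name": "bot", "comments": "Service account; password stored in vault.", "notes": ""},
]

if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_USERS):
        print(f"{finding['user']}: possible password in '{finding['field']}' -> {finding['masked']}")
```

The pattern deliberately requires a connecting word or symbol after the keyword, so a sentence such as "password stored in vault" is not reported while "password set to ..." is; the reported value is masked so the audit output itself does not become a second copy of the secret.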
Foothold
Now that we have login credentials for a user, we will connect over SSH to access the data held by that user.
ssh lnorgaard@<machine_ip>
After this command you will be asked for a password. Use the one obtained in the enumeration step.
Now that we are logged in as the user, let us list the files the user has access to.
ls -la
I feel the user.txt and RT30000.zip files look interesting; let us have a look at them.
cat user.txt
As soon as you do so you will have the flag for the user.
Privilege Escalation
To avoid creating extra files on the target, which would make the compromise easier to notice, we copy the archive to our local system instead. So we exit the SSH session and use scp to transfer it securely.
scp lnorgaard@<machine_ip>:./RT30000.zip ./
After executing this you will be asked for the user's password; once it is entered correctly the download starts.
As you can see it is a zip archive, so let us unzip it.
mkdir keeper_solve
unzip RT30000.zip -d keeper_solve
As you can see, the archive contains a KeePass memory dump (.dmp) file and a KeePass database. Let us do a quick Google search to find out whether there is a CVE for this. The search: "KeePass Dump CVE". After scrolling a bit you will find a GitHub repo with a PoC written in Python 3. The link to the repo is: https://github.com/dawnl3ss/CVE-2023-32784
Let us use the PoC.
git clone https://github.com/dawnl3ss/CVE-2023-32784
To run the PoC, navigate to the folder where the script is located and point it at the dump file:
python3 poc.py -d <path_to_the_dmp_file>
One thing common to all of the candidate passwords is the fragment "med fl●de" (the ● marks a character the PoC could not recover). To find out more, let us do a quick search for it. The first link takes us to a recipe for Danish Red Berry Pudding with Cream, and the page tells us that the dish is called Rødgrød med Fløde. We will use the lower-case version of this as the password for the KDBX file.
KDBX Password → rødgrød med fløde
To open the KDBX file you will need KeePassXC. Let us install it.
sudo apt install keepassxc -y
Once it is installed, open passcodes.kdbx:
keepassxc passcodes.kdbx
Now enter the password obtained above in the password field. Once the KDBX file is open you will see, under Network, an entry for the root user whose notes contain a PuTTY private key. The steps to turn it into an SSH private key for root are as follows. First, copy the notes of the root user entry.
Save them as a .txt file on the local system (root_ssh.txt below). Then check your puttygen version:
puttygen --version
If your version is older than 0.76 you will need to update it. Steps to update are given here, but the download link there is wrong; feel free to use this one instead: Download PuTTY: release 0.76 (greenend.org.uk). Once you satisfy the version requirement, convert the key:
puttygen root_ssh.txt -O private-openssh -o keeper_ssh_rsa.pem
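As an added example (not from the writeup and not PuTTY's own code), here is a small Python parser for the .ppk format that puttygen converts above. It reads the header, decodes the public blob to report the key type and modulus size, flags whether the private half is stored unencrypted (Encryption: none), which is exactly what made the key in the vault notes directly usable, and for a version-2 file verifies the Private-MAC so a tampered or corrupted key is noticed. The sample key it builds is constructed and is not a real key; reading a real file such as root_ssh.txt is shown in the usage at the bottom.

```python
"""Parse a PuTTY .ppk private-key file and summarise what it contains.

Added example: the sample key built by build_sample_ppk() is constructed
(the modulus is a fixed number, not an RSA key) and only serves to exercise
the parser. PPK version 2 MAC layout: HMAC-SHA1 keyed with
SHA1("putty-private-key-file-mac-key" + passphrase) over the length-prefixed
algorithm, encryption, comment, public blob and private blob.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian bytes with a leading zero if the top bit is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_strings(blob: bytes) -> list:
    """Split a wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def _v2_mac(algorithm: str, header: dict, public_blob: bytes, private_blob: bytes,
            passphrase: bytes = b"") -> str:
    """Private-MAC of a version-2 PPK file (unencrypted keys use an empty passphrase)."""
    mac_key = hashlib.sha1(b"putty-private-key-file-mac-key" + passphrase).digest()
    data = b"".join(_ssh_string(part) for part in (
        algorithm.encode(), header["Encryption"].encode(), header["Comment"].encode(),
        public_blob, private_blob))
    return hmac.new(mac_key, data, hashlib.sha1).hexdigest()


def parse_ppk(text: str) -> dict:
    """Parse the PPK header and blobs and return a summary of the key."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, pub_lines, priv_lines, i = {}, [], [], 0
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"unexpected line in PPK header: {lines[i]!r}")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            count = int(value)  # the next `count` lines are base64 of the blob
            (pub_lines if key == "Public-Lines" else priv_lines).extend(lines[i:i + count])
            i += count
        else:
            header[key] = value
    version_key = next(k for k in header if k.startswith("PuTTY-User-Key-File-"))
    version = int(version_key.rsplit("-", 1)[1])
    algorithm = header[version_key]
    public_blob = base64.b64decode("".join(pub_lines))
    private_blob = base64.b64decode("".join(priv_lines))
    fields = _read_strings(public_blob)
    info = {
        "version": version,
        "algorithm": algorithm,
        "blob_algorithm": fields[0].decode(),
        "comment": header.get("Comment", ""),
        "encrypted": header.get("Encryption", "none") != "none",  # False means anyone with the file has the key
        "mac_ok": None,  # only verified for unencrypted v2 files below; v3 uses HMAC-SHA-256
    }
    if algorithm == "ssh-rsa":
        info["modulus_bits"] = int.from_bytes(fields[2], "big").bit_length()
    if version == 2 and not info["encrypted"]:
        info["mac_ok"] = _v2_mac(algorithm, header, public_blob, private_blob) == header.get("Private-MAC")
    return info


def build_sample_ppk() -> str:
    """Constructed, unencrypted PPK v2 file; the numbers are NOT a real RSA key."""
    e, n = 65537, (1 << 1023) | 0x10001
    public_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    private_blob = _ssh_string(b"constructed-private-part")
    header = {"Encryption": "none", "Comment": "constructed-sample-key"}
    mac = _v2_mac("ssh-rsa", header, public_blob, private_blob)

    def wrap(blob: bytes) -> list:
        b64 = base64.b64encode(blob).decode()
        return [b64[j:j + 64] for j in range(0, len(b64), 64)]

    pub, priv = wrap(public_blob), wrap(private_blob)
    return "\n".join(["PuTTY-User-Key-File-2: ssh-rsa", "Encryption: none",
                      "Comment: constructed-sample-key", f"Public-Lines: {len(pub)}", *pub,
                      f"Private-Lines: {len(priv)}", *priv, f"Private-MAC: {mac}"]) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python ppk_info.py root_ssh.txt  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_ppk()
    print(parse_ppk(text))
```

The first line of the file carries the format version, which is why an old puttygen cannot read a newer key; the Encryption line is the field a defender should look at when such a key turns up in a vault note or a ticket, because "none" means the file alone is sufficient to log in.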
You now have the private key; all that is left is to SSH into the server with it.
ssh -i keeper_ssh_rsa.pem root@keeper.htb
After running ls we see that root.txt is the file holding the flag, so we view it.
cat root.txt
Congratulations, you have successfully pwned the machine!