Introduction
Keeper is an easy Linux box on HackTheBox. Initial access to the admin area comes from default credentials, and user credentials found there let us move forward.
Recon
nmap
As always, the first thing to do is to run an nmap scan.
nmap -sV -sC -Pn -p- --min-rate=1000 {BOX_IP}
Two interesting open ports were found, 22 and 80. While SSH might be useful later, we focus on the website first.
Site Exploration
We are redirected to the login screen.
With no credentials we can try some common combinations, but a quick Google search for the default credentials of Request Tracker gives us the answer.
After logging in we can start looking for new hints. In the Admin section we can list users, and we are lucky to find one with a password listed right there.
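From the defender's side, a password sitting in a user record is something an audit can catch. The following is an added example, not part of the original write-up: it scans an exported user list for free-text fields that disclose a password and masks the value in its report. The record layout, field names, and sample users are constructed assumptions.

```python
import re

# Constructed sample export; layout and field names are assumptions for this example.
SAMPLE_USERS = [
    {"name": "admin1", "real_name": "Site Admin", "comments": "Superuser account"},
    {"name": "jdoe", "real_name": "Jane Doe",
     "comments": "New user. Initial password set to Example#2024"},
    {"name": "asmith", "real_name": "Al Smith", "comments": "Helpdesk, pw: changeme"},
    {"name": "bwong", "real_name": "B. Wong",
     "comments": "Password reset requested via ticket 1234"},
]

# A credential keyword followed by an assignment-like connector and a token.
# "Password reset requested" does not match because no connector follows the keyword.
CRED_RE = re.compile(
    r"\b(?:password|passwd|passphrase|pwd|pw)\b"
    r"\s*(?:[:=]|\bis\b|\b(?:was\s+)?set\s+to\b)\s*"
    r"(?P<secret>\S+)",
    re.IGNORECASE,
)


def mask(secret):
    """Keep only the first character so the report does not re-leak the value."""
    return secret[0] + "*" * (len(secret) - 1)


def audit_users(users, fields=("real_name", "comments")):
    """Return one finding per free-text field that appears to disclose a password."""
    findings = []
    for user in users:
        for field in fields:
            match = CRED_RE.search(user.get(field) or "")
            if not match:
                continue
            secret = match.group("secret").rstrip(".,;")
            if secret:  # skip matches that were only punctuation
                findings.append(
                    {"user": user["name"], "field": field, "masked": mask(secret)}
                )
    return findings


if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS):
        print(f"{finding['user']}: {finding['field']} discloses {finding['masked']}")
```

Any account the audit flags should have its password rotated and the note removed from the record.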
SSH
Now that we have valid credentials, we can take a look at port 22 and try to get in.
We are in, let’s grab the user flag and see what else is there.
There is not much this user can do, but there is an interesting zip file.
Looks promising. Let’s download the files to our machine and explore further.
KeePass
After googling for a bit I found what to do with the files.
There is a documented vulnerability, CVE-2023-32784, and an existing functional exploit available HERE.
There was some issue with the .NET version; just switch to 6.0 for it to run smoothly.
The first character is unknown, the second character has multiple options, and after that the characters are “dgrød med fløde”. So we need the first two characters to obtain the password.
Taking a quick look at the phrase “dgrød med fløde”, we can see a search result showing “rødgrød med fløde”.
We can use it to get into the passcodes.kdbx file we downloaded earlier.
It worked!
Once we are inside, we can take a look at the root user. In the notes there is a PuTTY-User-Key-File.
Root
That can be used to generate a private SSH key. Let’s save it to a .ppk file and generate the key using puttygen.
With the resulting id_rsa we can log in as the root user and get the flag.