Home keeper
Post
Cancel

keeper

Posted Feb 6, 2024
By KS
4 min read

Machine Information

Host discovery

  • target IP: 10.10.11.227

Information Gathering

Nmap Time

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

Nmap scan report for 10.10.11.227
Host is up (0.026s latency).
Not shown: 65376 closed tcp ports (reset), 157 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/6%OT=22%CT=1%CU=39879%PV=Y%DS=2%DC=T%G=Y%TM=65C24
OS:84F%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M552ST11NW7%O2=M552ST11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552S
OS:T11NW7%O6=M552ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M552NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploiting Port 80

I started out looking for useful information in the website.

Looks like there’s a website instead of IP address. I then add the url in /etc/hosts

1
2
3
4
5
6
7
8

cat /etc/hosts                                          
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

10.10.11.227    tickets.keeper.htb

After adding into it, go to the link and search for information.

It seems like a login page. Aside from that, there are some version information. I then try to look for the version to check if there’s any vulnerability as well as any method to login.

I managed to get a default credentials. Lets just try to login and see if its working or no.

Now that I logged in, I tried to search for useful information which I could abuse.

After searching around, I found a user and somehow it has a password with it as well. I then tried to login into ssh with the credentials.

1
2
3
4
5
6
7
8
9
10
11
12

ssh lnorgaard@10.10.11.227
lnorgaard@10.10.11.227's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
You have mail.
Last login: Tue Aug  8 11:31:22 2023 from 10.10.14.23
lnorgaard@keeper:~$ whoami
lnorgaard
lnorgaard@keeper:~$ cat user.txt

Now that I have a shell, time to privilege escalation

Privilege Escalation

I started out with the most simple one such as searching for home directories and check sudo privileges.

1
2
3
4

lnorgaard@keeper:/tmp$ unzip RT30000.zip 
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp     
 extracting: passcodes.kdbx

I found a suspicious zip file in home directory so I copy it into temp directory and extract it. It seems to be a database file and a dmp which I have no idea. I then try to take out to my host machine first and go through it. I tried to analyze the KeePassDumpFull.dmp with this github and here’s the result.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Password candidates (character positions):
Unknown characters are displayed as "●"
1.:     ●
2.:     ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M, 
3.:     d, 
4.:     g, 
5.:     r, 
6.:     ø, 
7.:     d, 
8.:      , 
9.:     m, 
10.:    e, 
11.:    d, 
12.:     , 
13.:    f, 
14.:    l, 
15.:    ø, 
16.:    d, 
17.:    e, 
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde

There’s this suspicious word M}dgrød med fløde which I googled and found out that it is a dessert. Based on the dessert, I get rødgrød med fløde. After that, I have no idea what to do so i decided to look into the next one which is the kdbx file.

It seems like I need a credentials just to access it. I then tried the random strings dessert that I found.

It works! I managed to access it and got some credentials. There is also some description which looks something weird.

I then look into it and the notes looks like some ppk files which is for putty. I then try to convert it into id_rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14

puttygen test.ppk -O private-openssh -o id_rsa
ssh root@10.10.11.227 -i id_rsa 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug  8 19:00:06 2023 from 10.10.14.41
root@keeper:~# cat /root/root.txt 
5609059590018f99a6bb0d5d9f7ac1bf

Things I learned from the machine

  • KEEPASS CVE BUT STILL MINDBLOWN
HTB
boot2root
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Pinkys Palace V2

Zico2