Keeper – Hack The Box – @lautarovculic

User.txt

First we are going to configure the /etc/hosts file

According to nmap, we have port 22 and 80 open.

We see that keeper.htb redirects us to another page with a subdomain, we will also add it to /etc/hosts to be able to reach it.

I tried enumerating with dirb, but to no avail. I looked through the source code, nothing either. So we may have to use bruteforce, but first, we will look for default credentials.

It seems that there are default credentials.

We try with the user root and pass password

We are in!

Now we will take a look

There seems to be another user, let’s see what information he has.

We have a password, will it be to connect to SSH? 🤔

Try to connect with ssh with user lnorgaard and password Welcome2023!

We are already inside the machine.

We have the user.txt!

Root.txt

In the above command we see that there are two interesting Keepass files, let’s download them to our machine to work with them.

We set up a python web server on the victim machine and with wget we download them to our machine.

There is a CVE (CVE-2023-32784) that we will use to decrypt the .dmp file.

https://github.com/z-jxy/keepass_dump/

We have the following: {UNKNOWN}dgr<{d, e}> med flde

We clean the output and try to google it

We will use rødgrød med fløde to see if we can enter the Keepass file.

Inside we find a PuTTY connection.

Copy everything and create a .txt file.

Now with puttygen keeper.txt -O private-openssh -o id_rsa we will create the file to connect via SSH

Once inside, we will come across the root.txt

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *