User.txt
First, we add the target to the /etc/hosts file.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper2.png)
According to nmap, we have port 22 and 80 open.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper3.png)
We see that keeper.htb redirects us to another page on a subdomain. We will add that subdomain to /etc/hosts as well so that we can reach it.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper4.png)
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper5.png)
I tried enumerating with dirb, but to no avail. I looked through the source code and found nothing either. So we may have to use brute force, but first, we will look for default credentials.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper6-1024x366.png)
It seems that there are default credentials.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper7.png)
We try the user `root` with the password `password`.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper8-1024x399.png)
We are in!
Now we will take a look around.
There seems to be another user. Let’s see what information he has.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper9-1024x391.png)
We have a password. Could it be for SSH? 🤔
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper10-1024x512.png)
We try to connect over SSH with the user `lnorgaard` and the password `Welcome2023!`.
We are now inside the machine.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper11.png)
We have the user.txt!
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper12.png)
Root.txt
In the output of the command above we see two interesting KeePass files. Let’s download them to our machine to work with them.
We set up a Python web server on the victim machine and download the files to our machine with wget.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper13-1024x511.png)
There is a CVE (CVE-2023-32784) that we will use to recover the KeePass master password from the .dmp file.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper14.png)
We have the following: `{UNKNOWN}dgr<{d, e}> med flde`
We clean the output and try to google it.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper15.png)
We will use `rødgrød med fløde` to see if we can open the KeePass file.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper16-1024x547.png)
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper17.png)
Inside we find a PuTTY connection.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper18-1024x716.png)
Copy everything and create a .txt file.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper19.png)
Now with `puttygen keeper.txt -O private-openssh -o id_rsa` we will create the key file to connect via SSH.
Once inside, we will come across the root.txt.
![](https://lautarovculic.com/wp-content/uploads/2024/02/keeper20.png)
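A PuTTY key pasted into a vault entry, as in the step above, is worth auditing from the defender's side. The following is an added example, not part of the original write-up: it parses a PuTTY `.ppk` header and flags keys stored without a passphrase. The sample key is constructed with placeholder data, and the function names are hypothetical.

```python
import re

# Constructed sample: PPK-style key file with placeholder (non-functional) key data.
SAMPLE_PPK = """\
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: constructed-example-key
Public-Lines: 2
QUFBQWNvbnN0cnVjdGVkLXB1YmxpYy1saW5lLTE=
QUFBQWNvbnN0cnVjdGVkLXB1YmxpYy1saW5lLTI=
Private-Lines: 2
QUFBQWNvbnN0cnVjdGVkLXByaXZhdGUtbGluZS0x
QUFBQWNvbnN0cnVjdGVkLXByaXZhdGUtbGluZS0y
Private-MAC: 0000000000000000000000000000000000000000000000000000000000000000
"""

def parse_ppk_header(text):
    """Return the PPK header fields; base64 body lines are counted, not decoded."""
    lines = [l.strip() for l in text.strip().splitlines()]
    m = re.fullmatch(r"PuTTY-User-Key-File-(\d+): (\S+)", lines[0] if lines else "")
    if not m:
        raise ValueError("not a PuTTY private key file")
    fields = {"version": int(m.group(1)), "algorithm": m.group(2)}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(":")
        if not sep:
            raise ValueError(f"malformed header line {i + 1}")
        i += 1
        if key.endswith("-Lines"):
            count = int(value)
            if i + count > len(lines):
                raise ValueError(f"{key} declares {count} lines, file is truncated")
            fields[key] = count
            i += count  # skip the base64 block that follows the counter
        else:
            fields[key] = value.strip()
    return fields

def audit_ppk(text):
    """List findings for a key file found in a vault entry or on disk."""
    f = parse_ppk_header(text)
    findings = []
    if f.get("Encryption") == "none":
        findings.append("private key is not passphrase-protected")
    if f["version"] < 3:
        findings.append("PPK v2 format: weaker passphrase KDF than v3 (Argon2)")
    if "Private-MAC" not in f:
        findings.append("missing Private-MAC: file incomplete or tampered")
    return findings
```
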
I hope you found it useful (: