I’ve pwned the Keeper challenge, and I will share how I solved it.
Before getting into the solution, a quick summary: the user flag was easy to find, but the privilege escalation was a bit tricky.
OK, let’s start it.
Enumerate
First of all, I found that ports 80 and 22 are open, so I checked the web page.
The web page redirects to a login page, but the redirect only works once we add the hostname to the /etc/hosts file.
echo "10.10.11.227 tickets.keeper.htb" | sudo tee -a /etc/hosts
After the redirect to the login page, we can see a service called bestpractical.
However, I couldn’t find any credentials even after enumerating directories.
Since there was no clue, I googled it and found the default login credentials for bestpractical.
ID: root
PW: password
When I tried the default credentials, I could log in as root.
I looked around the web page and found user information.
The username is lnorgaard and the initial password is set to Welcome2023!
I think we can use this credential later.
I also found other interesting information in the history tab.
There’s a conversation between root and lnorgaard.
They mention a dump file, which was deleted for security reasons.
So the next goal is to find the dump file and look at its contents; maybe it holds clues that can be used later.
OK, I think we have collected enough information from the web page.
User flag
I SSH to lnorgaard using the credentials found before.
The user flag can be found in the home directory.
CVE-2023-32784
There is also a zip file in the directory.
When I unzip it, the dump file and the KeePass database file are extracted.
To open the kdbx file, I installed keepass2 on my machine.
sudo apt install keepass2
When I try to open it, a master key is required.
But we don’t know the master key yet.
My first thought was to use John the Ripper, but it didn’t go well.
My next move was to search for exploits that extract a master key.
Then, I found an interesting GitHub page.
https://github.com/vdohney/keepass-password-dumper
The KeePass password dumper extracts the master key from a dump file.
According to the instructions, we need to install dotnet to run it. Beware that the dotnet version must be higher than 6.
After installing dotnet, we can run the PoC.
The master password is then extracted, as in the image below.
M}dgr0d med fl0de
Root flag
OK! So let’s enter it to open the kdbx file again! (By the way, you can use kpcli to open the KeePass file.)
Failed! I double-checked that I had entered the password correctly, but it kept failing.
I didn’t know why it failed, so I searched on Google again.
Then I found that the correct password is “rødgrød med fløde”.
I was able to log in with this password, and I found a ticket that has SSH key information in the /passcode/Network directory.
Be careful: the Pass field is not the password we are looking for; it is the password for the ticket.
The content of the Notes field looks like an SSH key.
I copied the content to my machine with the command below.
get 0 Notes
Then save the value to a file named ssh.
echo "PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
[private key lines omitted]
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0" > ssh
Next, we can generate an OpenSSH id_rsa from the saved file using puttygen.
puttygen ssh -O private-openssh -o id_rsa
Now we can use it for SSH login (run chmod 600 id_rsa first, or ssh will refuse the key because its permissions are too open).
Then there is the root.txt file!
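The root step above worked only because someone pasted a whole PuTTY private key into a ticket’s Notes field. As an added example (not part of the write-up), here is a small Python scanner that finds PuTTY PPK blocks in free text such as ticket bodies, parses their headers, and rates an unencrypted key as high severity; the sample note and its base64 bodies are constructed placeholders, not the box’s key.

```python
import re
# Constructed sample shaped like the page's ticket: PPK v3 headers with placeholder base64 bodies.
SAMPLE_NOTE = """Ticket notes from helpdesk
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 1
AAAAB3NzaC1yc2EAAAADAQABAAABAQDwbGFjZWhvbGRlcg==
Private-Lines: 1
cGxhY2Vob2xkZXJwcml2YXRl
Private-MAC: 00ff00ff
"""
HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(?P<version>\d+):\s*(?P<alg>\S+)\s*$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<value>.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")
def parse_ppk_block(lines, start):
    """Parse the PPK block whose header is lines[start]; return (finding, next index)."""
    m = HEADER_RE.match(lines[start])
    f = {"line": start + 1, "version": int(m["version"]), "algorithm": m["alg"], "encryption": None,
         "comment": "", "public_lines": 0, "private_lines": 0, "complete": False}
    i = start + 1
    while i < len(lines):
        if not (kv := FIELD_RE.match(lines[i])):
            break                                  # not a PPK field: block ended early
        key, value = kv["key"], kv["value"].strip()
        i += 1
        if key in ("Encryption", "Comment"):
            f[key.lower()] = value
        elif key in ("Public-Lines", "Private-Lines"):
            n = int(value) if value.isdigit() else -1
            body = lines[i:i + n]
            if n < 0 or len(body) != n or not all(B64_RE.match(b) for b in body):
                break                              # fewer lines than declared: truncated paste
            f[key.lower().replace("-", "_")] = n
            i += n
        elif key == "Private-MAC":                 # the MAC is the last line of a PPK file
            f["complete"] = f["public_lines"] > 0 and f["private_lines"] > 0
            break
    f["severity"] = "high" if f["encryption"] == "none" else "medium"  # usable as-is if unencrypted
    return f, i
def scan_text(text):
    """Return one finding per PuTTY private-key block embedded in free text."""
    lines, findings, i = text.splitlines(), [], 0
    while i < len(lines):
        if HEADER_RE.match(lines[i]):
            f, i = parse_ppk_block(lines, i)
            findings.append(f)
        else:
            i += 1
    return findings
```

Running scan_text over exported ticket or KeePass note text gives you the line, key type, and whether the pasted key was unencrypted and complete, which is what an incident responder needs to decide whether to rotate it.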
Even though the machine is rated easy, I felt it was tricky. In particular, I didn’t like the rødgrød med fløde part.
I spent a lot of time trying to figure out the login problem after extracting the master key, and when I found out that the extracted master key was incorrect, it was just so frustrating.
Anyway, that’s the end of the write-up. Thanks for reading.