This is a short guide for the Keeper machine.
Get the IP address of the machine and perform an nmap scan.
Looking at the website on port 80.
Mapping the IP address to the host in /etc/hosts.
Now visiting tickets.keeper.htb, we see the login page of Best Practical Request Tracker.
Trying the default credentials root:password, we get logged in as root.
Looking around the application, we can see two users, root and lnorgaard. On the lnorgaard user profile, we can see the password in the comment.
Using this password to log in through SSH.
The user flag is present in the home directory.
There is also a zip file. Extracting the contents of the zip file, we get a .dmp file and a KeePass .kdbx file.
After some googling, found a KeePass 2.X Master Password Dumper (CVE-2023-32784) exploit:
GitHub - vdohney/keepass-password-dumper: Original PoC for CVE-2023-32784
Downloading the KeePassDumpFull.dmp and passcodes.kdbx files to the local machine and running the above exploit on the KeePassDumpFull.dmp file.
We can see that the first character is unknown, the second character has multiple options, and after that the characters are “dgrød med fløde”. So we need the first two characters to obtain the password.
Taking a quick look at the phrase “dgrød med fløde”, we can see the Brave search result showing “rødgrød med fløde”.
Trying the password “rødgrød med fløde” to unlock the KeePass database, we log in successfully.
Looking at the Network tab, we can see root user login credentials for keeper.htb along with a note which includes a PuTTY-User-Key-File.
As PuTTY's default format is .ppk, let's copy the contents of the note into a new file with the .ppk file extension.
Now using puttygen to create a .pem key file from the .ppk file.
Set the correct permissions for the .pem file.
Finally, using the key.pem file to log in as root through SSH.
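A PPK file starts with a plain-text header that states the key algorithm and whether the private key is passphrase-protected. The sketch below is an added example, not part of the original write-up or of PuTTY: it parses that header out of a free-text field such as a password-manager note and flags keys stored with "Encryption: none". The function names and the sample note are constructed for illustration.

```python
import re

# Constructed sample note; the key material is placeholder text, not a real key.
SAMPLE_NOTE = """\
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-constructed-sample
Public-Lines: 2
QUFBQUIzTnphQzF5YzJFQUFBQURBUUFCQUFBQkFRQ25WcUNvbnN0cnVjdGVk
U2FtcGxlT25seQ==
Private-Lines: 1
Q29uc3RydWN0ZWRQcml2YXRlU2FtcGxl
Private-MAC: 0000000000000000000000000000000000000000000000000000000000000000
"""

HEADER = re.compile(r"^PuTTY-User-Key-File-(\d+):\s*(\S+)\s*$")

def parse_ppk_header(text):
    """Return PPK header metadata found in text, or None if there is no PPK header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if not m:
            continue
        info = {"version": int(m.group(1)), "algorithm": m.group(2)}
        # Header fields are "Key: value" lines; Public-Lines starts the key body.
        for field in lines[i + 1:]:
            key, sep, value = field.partition(":")
            if not sep:
                break
            info[key.strip().lower()] = value.strip()
            if key.strip() == "Public-Lines":
                break
        return info
    return None

def audit_note(text):
    """Classify a free-text field by the private-key material it contains."""
    info = parse_ppk_header(text)
    if info is None:
        return "no-key"
    enc = info.get("encryption")
    if enc is None:
        return "malformed-key-header"
    return "unprotected-private-key" if enc == "none" else "passphrase-protected-private-key"

if __name__ == "__main__":
    print(parse_ppk_header(SAMPLE_NOTE))
    print(audit_note(SAMPLE_NOTE))
```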
The root flag is located in the root home directory.
Thank you for reading.