HackTheBox: Keeper

01/13/2024

I'm doing this one as soon as it releases, so it will be seasonal. Hopefully I'll be able to finish it today.

This will be fun; this is the first box I've ever attempted that was BRAND NEW, with no writeups or answers out there at all. Let's see how it goes.

Enumeration

Only two ports are open: SSH on 22 and HTTP on 80.

The HTTP service is nginx. The script scan suggests that the system is Ubuntu.

Visiting the web page in the browser, we are prompted to manually redirect to "tickets.keeper.htb". So we'll go ahead and add "keeper.htb" and "tickets.keeper.htb" to /etc/hosts.

It appears to be a login page for a request ticket system. The software appears to be "Best Practical", version 4.4.4+dfsg.

All we have is a login page, and there does not appear to be an account creation option.

Let's do a quick search for vulnerabilities on Google. I'll run gobuster in the background. Note on this: I had to use --exclude-length 0 to get it to run properly, as requests for non-existent paths would still yield a 302 status with length 0. Rather than filter out 302s, I decided to just filter out 0-length entries. This is already catching a few strange entries.

No obvious vulnerabilities showed up on Google, and nothing on searchsploit.
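
The zero-length 302 behaviour noted above is also what a directory brute-force looks like from the server side: one client requesting many distinct paths that all come back as "misses". As an added example (my code, not part of the write-up, and not something gobuster or RT ship), here is a small detector over nginx combined-format access-log lines that treats a 404, or a 302 with an empty body, as a miss and flags any client that hits several distinct missing paths inside a short window. The log lines are constructed for the example; the function names and thresholds are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (combined format), not taken from the box.
# They imitate what a directory brute-force looks like when the server answers
# every unknown path with an empty 302, as described in the write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Jan/2024:14:02:01 +0000] "GET /rt/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
10.10.14.9 - - [13/Jan/2024:14:02:03 +0000] "GET /admin HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.9 - - [13/Jan/2024:14:02:03 +0000] "GET /backup HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.9 - - [13/Jan/2024:14:02:04 +0000] "GET /cgi-bin HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.9 - - [13/Jan/2024:14:02:04 +0000] "GET /rtop HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.9 - - [13/Jan/2024:14:02:05 +0000] "GET /.git HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.9 - - [13/Jan/2024:14:02:05 +0000] "GET /uploads HTTP/1.1" 302 0 "-" "curl/8.4"
10.10.14.5 - - [13/Jan/2024:14:02:40 +0000] "GET /rt/NoAuth/Login.html HTTP/1.1" 200 3188 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path, status and body size from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_miss(rec):
    """A 'miss' is a not-found style answer: a plain 404, or the empty 302 this
    server hands out for unknown paths (status 302 with a zero-length body)."""
    return rec["status"] == 404 or (rec["status"] == 302 and rec["size"] == 0)


def find_enumeration(log_text, window_s=60, threshold=5):
    """Return {ip: distinct_missed_paths} for every client that requested at least
    `threshold` distinct non-existent paths within some `window_s`-second span."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_miss(rec):
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        # Slide a window starting at each miss; stop at the first window that is busy enough.
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(paths) >= threshold:
                flagged[ip] = len(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct missing paths inside 60s -> likely directory brute force")
```

The point of treating "302 with size 0" as a miss is the same one the --exclude-length trick relies on: on a server that redirects unknown paths instead of returning 404, a status-only rule would count every probe as a success and the scan would be invisible to a naive 404-rate alert. Tune `window_s` and `threshold` to the application's real traffic before deploying.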

/rtop directory

Navigating to http://tickets.keeper.htb/rtop, as spotted by gobuster, we get an error message:


An internal RT error has occurred. Your administrator can find more details in RT's log files.

What is RT? What does this mean? It has something to do with the ticket support system "Best Practical"; just by coincidence a message about RT popped up on their home page as I glanced at it. Oh okay: it's just "Request Tracker."

Getting in to the RT app

Wow... the default creds let me sign in, =="root:password"==. That's hilarious.

I actually tried that once and it failed, guess I typed "password" wrong... glad I tried it again.

There's not a ton to sift through on this page. It's basically a control panel for viewing and creating tickets.

There's one open ticket, titled "Issue with Keepass Client on Windows" from webmaster@keeper.htb. This also gives us the name of the webmaster: ==# User: lnorgaard (Lise Nørgaard)==.

The site may be vulnerable to IDORs for enumerating users via the 'id' param: http://tickets.keeper.htb/rt/User/Summary.html?id=14 But I may not need to do that anyway. As root, I may be able to just view all users.

ANY NAMES THAT I FIND ARE BEING RECORDED IN THE /keeper DIR IN KALI

In the ticket we have the following:


Lise,  
  
Attached to this ticket is a crash dump of the keepass program. Do I need to update the version of the program first...?  
  
Thanks!

However, I don't actually see the attached crash dump. We do have the following at the bottom of the ticket page:


I have saved the file to my home directory and removed the attachment for security reasons.  
  
Once my investigation of the crash dump is complete, I will let you know.

Hmm. Are we able to view her home directory through the web page?

Well actually, let's first just try to SSH in as lise/inorgaard and guess at some potential passwords... no luck there.

Before trying to access her home directory through the web app, let me just take a quick look at what tools we are able to use on the site. There's an 'admin' tab.

If I try to search 'assets' for anything belonging to Inorgaard, I get an interesting message:


# Possible cross-site request forgery

RT has detected a possible **cross-site request forgery** for this request, because the Referrer header supplied by your browser (tickets.keeper.htb:80) is not allowed by RT's configured hostname (keeper.htb:80). A malicious attacker may be trying to **modify or access a search** on your behalf. If you did not initiate this request, then you should alert your security team.

If you really intended to visit http://keeper.htb/rt/Asset/Search/index.html and modify or access a search, then **[click here to resume your request](http://keeper.htb/rt/Asset/Search/index.html?CSRF_Token=2244c57a9d8eddd3d96b96162bc4ec97)**.

I don't think this would be very useful, though, since we already have privileged user creds.
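
The warning RT printed is worth a closer look from the defender's side, because it shows the check working exactly as designed and still getting in the way: the site is reached as tickets.keeper.htb, while RT's configured hostname is keeper.htb, so a legitimate request from the browser fails the Referer comparison. As an added example (my code, not RT's implementation and not from the write-up), here is the same rule in a few lines: the Referer's host and port must match the configured hostname, or an explicit allow-list entry. The host names are the ones on the page; the function names and the `extra_allowed` parameter are mine.

```python
from urllib.parse import urlsplit

# Hostname the application is configured with (the counterpart of RT's
# "configured hostname" in the warning above). Values taken from the page.
CONFIGURED_HOST = "keeper.htb"
CONFIGURED_PORT = 80


def hostport(value, default_port=80):
    """Normalise 'host', 'host:port' or a full URL into a (host, port) tuple."""
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    return (parts.hostname or "").lower(), parts.port or default_port


def referer_allowed(referer_header, configured_host=CONFIGURED_HOST,
                    configured_port=CONFIGURED_PORT, extra_allowed=()):
    """Return (allowed, reason).

    Mirrors the rule RT applied: the Referer's host:port must equal the configured
    hostname, or one of the extra allowed hostnames (assumed parameter, for a site
    that is legitimately served under more than one name). A missing Referer is
    treated as not allowed, since a state-changing request without one cannot be
    tied to a page this application served.
    """
    if not referer_header:
        return False, "no Referer header"
    host, port = hostport(referer_header)
    allowed = {(configured_host.lower(), configured_port)}
    allowed.update(hostport(h) for h in extra_allowed)
    if (host, port) in allowed:
        return True, "referrer matches configured hostname"
    return False, (f"referrer {host}:{port} is not allowed by configured "
                   f"{configured_host}:{configured_port}")


if __name__ == "__main__":
    # The exact situation in the write-up: served as tickets.keeper.htb, configured as keeper.htb.
    print(referer_allowed("http://tickets.keeper.htb/rt/Asset/Search/index.html"))
    # The fix is a configuration one: either set the configured hostname to the name
    # users actually reach the site by, or allow-list the additional virtual host.
    print(referer_allowed("http://tickets.keeper.htb/rt/Asset/Search/index.html",
                          extra_allowed=("tickets.keeper.htb",)))
```

The security-relevant caveat is the false positive itself: when users see this warning on routine actions, they learn to click the "resume your request" link reflexively, which is precisely the habit the check is meant to exploit-proof. Keeping the configured hostname in sync with the virtual host the site is actually served on removes the noise, and a Referer-only check is normally complemented by the Origin header, SameSite cookie attributes and a per-session token.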

Let's explore the 'admin' tab. Apparently here we can view all users' passwords... Inorgaard's is set to "Welcome2023". Try SSH in as her again? No luck.

Okay, so it looks like the 'admin'-->'tools'-->'system configuration' page is a goldmine. It looks like it has info about where the machine itself is installed.

Skimming through this, we also have some info about the database:


Database port 3306
Database name rtdb
Database admin 'postgres'
Database type 'mysql'
database user 'rtuser'

SSH'ing in successfully as Lise Norgaard

Wow, I'm retarded. I thought the one user's name was "Lisa Inorgaard", but it's actually just "Lisa Norgaard", and her username is "lnorgaard" with an 'L'. This whole time I thought it was 'Inorgaard' with an i. Fuck.

Anyway, once I realized that, I successfully SSH'd in using =="lnorgaard:Welcome2023!"==, which are the same creds as on the site.

Damn, that was easy.

The SSH login prompt caught my eye:


You have mail.
Last login: Sat Aug 12 22:08:27 2023 from 10.10.14.164
lnorgaard@keeper:~$ 

I have mail. I'm not making the same mistake I made last time of misreading the file as an empty directory. Let me check it out. Okay, it looks like the mail is just a copy of the support ticket from the site. Which reminds me, I should be able to view that crash log now.

First though, it looks like I might be inside a container, or maybe there are weird permissions set. 'w' doesn't show anyone online despite my being SSH'd in, and ps aux only shows a few lines and no init.

Anyway, back to the KeePass stuff. We have a zip file of the dump in her directory:


lnorgaard@keeper:~$ ls
RT30000.zip  user.txt

I exfiltrated it using Python's simple HTTP server:


lnorgaard@keeper:~$ python3 -m http.server 1234

Then I unzipped the file on my machine, revealing the following contents:


KeePassDumpFull.dmp passcodes.kdbx

Okay. Let's see what we can do with these.

Investigating the dump file and keepass DB

I tried fruitlessly to figure this out myself for about an hour. Essentially, given that this is a CTF, it looks like what I have to do is scan the minidump (basically a program memory dump preceding a crash) for the master key to unlock the KeePass database.

I just found this post online, which seems to have been made at the same time as this box: https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

This tool worked (it required fuckery with the .NET install, though); it found a potential password, though it had "holes" in it, in the sense that it wasn't able to ascertain every character.

It was able to resolve the password to:


Combined: ●{,, l, `, -, ', ], A, I, :, =, _, c, M}dgr●d med fl●de

I thought it had just given me junk, but I copy-pasted "dgrd med flde" into Google and got a result for "rødgrød med fløde", a Danish recipe.

I copied and pasted this (WITH the special characters) into the password field of kpcli (a KeePass DB client), and it fucking worked!!!


$ kpcli --kdb=passcodes.kdbx
Provide the master password: (Rødgrød med fløde)

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
passcodes/

Beautiful...

Now I was able to skim through and find the 'keeper' network passwords:


kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)                                          
1. Ticketing System                                                       
kpcli:/passcodes/Network> show 0

Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: F4><3K0nd!
  URL: 
Notes: PuTTY-User-Key-File-3: ssh-rsa
       Encryption: none
       Comment: rsa-key-20230519
       Public-Lines: 6
       AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
       8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
       EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
       Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
       FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
       LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
       Private-Lines: 14
       AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
       oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
       kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
       f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
       VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
       UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
       OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
       in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
       SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
       09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
       xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
       AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
       AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
       NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
       Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

So it looks like we have an RSA key for root, in PuTTY format.

We can convert the key to OpenSSH format using the command:


$ puttygen putty_key -O private-openssh -o id_rsa
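
Before converting a key found like this, the property worth checking is the one that makes it immediately usable: "Encryption: none" in the PPK header means the private key carries no passphrase, so whoever can read the password manager's notes field holds root on the box with nothing else in the way. As an added example (my code, not part of the write-up and not puttygen), here is a small parser for the PuTTY key-file header plus an audit that flags that condition. The sample key is constructed: its header fields mirror the ones shown on the page, but the base64 blobs and the MAC are placeholders; `parse_ppk` and `audit_ppk` are my names.

```python
# Constructed sample: header fields shaped like the key on the page, with the
# base64 bodies and the MAC replaced by placeholders. Not a real key.
SAMPLE_PPK = """\
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 1
AAAAB3NzaC1yc2EAAAADAQABAAABAQ...PLACEHOLDER...
Private-Lines: 1
AAABAQCB0dgBvETt8/UFNdG/X2hnXT...PLACEHOLDER...
Private-MAC: 0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_ppk(text):
    """Parse a PuTTY .ppk into a dict of header fields plus the public/private blobs.

    The first line is 'PuTTY-User-Key-File-<version>: <keytype>'; 'Public-Lines: n'
    and 'Private-Lines: n' are each followed by n lines of base64 that are joined here.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY key file")
    header, _, keytype = lines[0].partition(":")
    fields = {"version": int(header.rsplit("-", 1)[1]), "keytype": keytype.strip()}
    i = 1
    while i < len(lines):
        key, _, val = lines[i].partition(":")
        val = val.strip()
        if key in ("Public-Lines", "Private-Lines"):
            n = int(val)
            fields[key.lower().replace("-lines", "")] = "".join(lines[i + 1:i + 1 + n])
            i += n + 1
            continue
        fields[key.lower()] = val
        i += 1
    return fields


def audit_ppk(text):
    """Return the findings a reviewer would raise about this key file (empty = clean)."""
    f = parse_ppk(text)
    findings = []
    if f.get("encryption", "none") == "none":
        findings.append("private key is not passphrase-protected (Encryption: none)")
    if f["version"] < 3:
        findings.append(f"PPK version {f['version']}; version 3 protects the passphrase with Argon2")
    if "private" not in f:
        findings.append("no Private-Lines block found")
    return findings


if __name__ == "__main__":
    for finding in audit_ppk(SAMPLE_PPK) or ["no findings"]:
        print(finding)
```

puttygen only prompts for a passphrase when Encryption is something other than none, which is why the conversion in the write-up goes through silently. From the defender's side the lesson is the pairing: a passphrase-less root key stored next to the root password in a vault whose master password was itself recoverable means one leaked database yields everything at once; a passphrase on the key, or a certificate-based or non-root login path, breaks that chain.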

And then SSH into the server using that key:


$ ssh -i ./id_rsa root@10.10.11.227              
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Sun Aug 13 02:21:28 2023 from 10.10.14.231
root@keeper:~#