Skip to main content

HTB - Keeper

· 8 min read
Strider

Intro

Hi, after some time, I write again a small WriteUp. Today it's about the CTF "Keeper". This CTF-Challenge can be found at the platform HackTheBox. You have to find 2 flags in this challenge. Here to simply create an account, and off you go 😄

Discovery

First of all I fire up nmap and run a port scan. And as you can see here nmap discovers 2 opened ports.

Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-03 14:27 CEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 14:28
Completed Parallel DNS resolution of 1 host. at 14:28, 0.05s elapsed
Initiating SYN Stealth Scan at 14:28
Scanning 10.129.97.208 [65535 ports]
Discovered open port 80/tcp on 10.129.97.208
Discovered open port 22/tcp on 10.129.97.208
Completed SYN Stealth Scan at 14:28, 28.57s elapsed (65535 total ports)
Initiating Service scan at 14:28
Scanning 2 services on 10.129.97.208
Completed Service scan at 14:28, 6.09s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.129.97.208
Initiating Traceroute at 14:28
Completed Traceroute at 14:28, 0.04s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 14:28
Completed Parallel DNS resolution of 2 hosts. at 14:28, 0.04s elapsed
NSE: Script scanning 10.129.97.208.
Initiating NSE at 14:28
Completed NSE at 14:28, 1.64s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.17s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.01s elapsed
Nmap scan report for 10.129.97.208
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Uptime guess: 10.608 days (since Fri Sep 22 23:53:03 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 40.59 ms 10.10.14.1
2 41.28 ms 10.129.97.208

NSE: Script Post-scanning.
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Initiating NSE at 14:28
Completed NSE at 14:28, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.62 seconds
Raw packets sent: 66234 (2.915MB) | Rcvd: 65633 (2.626MB)

The first port is 22 which is ssh. The second port is port 80 which is an http service which runs with nginx. I opened the browser and just visited the url http://10.129.97.208/ to look whats running on http. In the meantime I run a nikto scan to find some interesting points which I can use later.

The first thing what I get on http, is an hint if I want to raise an support ticket I have to visit http://tickets.keeper.htb/rt/.

dia1.png

That gives me the domain and the subdomain for that host.Therefore I can add entries to /etc/hosts. Then I've to rerun nikto, with these two domains.

10.129.97.208   keeper.htb tickets.keeper.htb

Another thing what I could do is to enumerate some other subdomain running on keeper.htb with wfuzz.

dia2.png

Nikto is done and shows me this findings

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.129.97.208
+ Target Hostname: keeper.htb
+ Target Port: 80
+ Start Time: 2023-10-03 14:37:04 (GMT2)
---------------------------------------------------------------------------
+ Server: nginx/1.18.0 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 7962 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2023-10-03 14:42:56 (GMT2) (352 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

I've tested all things which nikto has shown me, I think it's time to visit the ticket system.

dia3.png

Well, there is an ticket system from "Best Practial". Looks like an older version of the ticket system, may find out some hints which vulnerabilities it has, may an CVE. After some time on searching I throught what if I can login with default credentials? I googled for these credentials and yeah, the default credentials are root:password. I've tried the credentials on the login form and I logged in successfully.

dia4.png

Now I can look around on that system, and may I get more information. I browsed the tickets and found a ticket which is about some issues with keepass. Well, I think I get over the time a keypass file which I have to crack. But mor interesting is are the user lnorgaard (Lise Nørgaard) which created the ticket.

dia5.png

Initial access

Ok, in a second tab I opened the users page to get some more interesting information about lnorgaard. The interesting message what I found as user comment was:

New user. Initial password set to Welcome2023!

dia6.png

The first thing what I've tried is to login into ssh with these credentials.

First flag

dia7.png

Well, it worked, and I'm connected via ssh to that machine. First of all I list the contents of that user directory, and the I grab te flag.

dia8.png

user.txt:ad2ad6a42116d8a226fabf95fdb26229

But there is more, a zip file called RT3000.zip which is huge. I decided to download that file locally and I got a full dump and a .kdbx file.

dia9.png

The first what I try is to run keepass2john and crack the extracted hash to get the master password of that passcodes.kdbx file.

keepass2john passcodes.kdbx > hashes
ohn hashes --wordlist /usr/share/wordlists/rockyou.txt

Now I've to wait...

dia10.png Well, tahts not worked, may I have to analyze the memory dump file. I tried with windbg to find the password in the memory dump, but after some research, I stucked. I searched for attacks for KeePass and got an CVE CVE-2023-32784.

I used this PoC to extract the master password from the memory dump, the reminder here is that the first character can not be found in the dump.

dia11.png

Ok there is the password, when I llok to the text it sounds for me that these circles maybe are o's? I tried the first one with deepl, what language it is.

dia12.png

I looked up the danish alphabet to get all special letters which I can try out to replace these dots with. My tatic is now to use deepl to find out what mades most sense. An then I have to find the first letter to get the password I hope.

All special letters are here:

Æ,Ø,Å,æ,ø,å

Ok, the only letter which makes sense is this one ø. Deepl translated it to "beer porridge with cream" which must be retranslated to danish which hopefully reveals the password.

dia13.png

And, it dit not, I got the error that this password was incorrect. Well I have to findout which porridge are existing. By googling porrigde with cream, I got Berry porrigde with cream or in danish Rødgrød Med Fløde which I try now on KeePass.

Get the root flag

And yes, the lowercase verion of it worked for me. There 2 credentials stored in that KeePass file.

dia14.png

the entry keeper.htb (Tick root) sounds interesting. If I look over that entry I found an SSH Key for root.

dia15.png

I installed putty to use that keyfile to connect as root via ssh to this machine.

dia16.png

Ok, I'm now root, and I can readout the root flag.

dia17.png

OK, with putty you can't copy-paste? Well I set the SUID bit on bash and logged again as lnorgaard and executed "bash -p" to get a root shell where I can copy the flag.

root.txt:01e77a7919fd0c18fabed641cbfff769

This challenge was fun but the memory dump part was very hard for me to realize that there is an PoC for it.

I hope you enjoyed it and see you next time 😄