Machine: Keeper
OS: Linux
Difficulty: Easy
Points: 20
Release Date: August 12, 2023
Overview
Keeper is an easy Linux machine that involves exploiting default credentials in a ticketing system and leveraging a KeePass vulnerability (CVE-2023-32784) to extract credentials and SSH keys.
Enumeration
Nmap Scan
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Login
Web Enumeration
Visiting http://10.10.11.227 redirects to http://tickets.keeper.htb/rt/:
Add the hostname to /etc/hosts (the IP comes from the scan, the name from the redirect):
10.10.11.227 keeper.htb tickets.keeper.htb
Request Tracker
The website is running Request Tracker (RT), an open-source ticketing system.
Login Page: http://tickets.keeper.htb/rt/
Default Credentials
Request Tracker’s default credentials are well-documented:
- Username: root
- Password: password
These credentials work!
Initial Access
Exploring Request Tracker
After logging in as root, we can access the admin panel:
- Navigate to Admin → Users
- Find user accounts
Users Found:
- root (admin)
- lnorgaard (Lise Nørgaard)
User Information
Clicking on lnorgaard reveals:
- Username: lnorgaard
- Real Name: Lise Nørgaard
- Email: lnorgaard@keeper.htb
- Comments: “Initial password set to: Welcome2023!”
SSH Access
Try SSH with these credentials:
- Username: lnorgaard
- Password: Welcome2023!
Success! We’re logged in as lnorgaard.
User Flag
Flag: 4b27dd66e4c24b3a9f8e2e2c5b3a2e1f
Privilege Escalation
Enumeration
Check the home directory of lnorgaard:
RT30000.zip  user.txt
The ZIP file looks interesting; it contains two files:
KeePassDumpFull.dmp  passcodes.kdbx
Download Files
Transfer the ZIP to your attacking machine:
KeePass Memory Dump
We have:
- KeePassDumpFull.dmp: A memory dump of KeePass
- passcodes.kdbx: An encrypted KeePass database
CVE-2023-32784: KeePass Master Password Extraction
KeePass 2.x has a vulnerability where the master password can be partially recovered from a process memory dump: the master password entry box leaves a copy of each typed character behind in memory, so a dump of the running process reveals most of the password.
Exploit Tool: https://github.com/vdohney/keepass-password-dumper
Running the tool against KeePassDumpFull.dmp reports:
Possible password: ●ø,dgrød med fløde
The first two characters are unknown (the first is shown as ●), but we have most of the password.
Master Password Recovery
The password appears to be Danish. Googling “dgrød med fløde” reveals it’s a traditional Danish dessert: “rødgrød med fløde” (red porridge with cream).
Try opening the database:
Password: rødgrød med fløde
Success!
Extracting Credentials
Password: rødgrød med fløde
Title: keeper.htb (Ticketing Server)
Username: root
Password: [Root password]
Notes: Contains a PuTTY Private Key (PPK format)
The notes section contains a full PuTTY private key for root access.
Converting PuTTY Key to OpenSSH Format
Save the PPK key from the notes to a file root.ppk.
Install puttygen:
Convert PPK to OpenSSH format:
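As an added example (not part of the original write-up, and not PuTTY or puttygen code), the Python below parses a PPK file, rebuilds the OpenSSH public-key line from its public blob (the same thing `puttygen -L` prints), and flags whether the private half is stored without a passphrase, which is the check a secrets scanner over ticket notes or password-manager entries would want. The PPK it parses is constructed inside the block with made-up key values, so no real key material is involved.

```python
import base64
import struct

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint (adds a leading 0x00 when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_ppk(e: int, n: int, comment: str, encryption: str = "none") -> str:
    """Constructed PPK v2 text for an ssh-rsa key; private lines are a dummy placeholder."""
    pub = base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()
    pub_lines = [pub[i:i + 64] for i in range(0, len(pub), 64)]
    return "\n".join(["PuTTY-User-Key-File-2: ssh-rsa", f"Encryption: {encryption}",
                      f"Comment: {comment}", f"Public-Lines: {len(pub_lines)}", *pub_lines,
                      "Private-Lines: 1", "AAAA", "Private-MAC: 00"]) + "\n"

def parse_ppk(text: str) -> dict:
    """Split a PPK file into its headers and the base64 public/private line groups."""
    info = {"headers": {}, "public": [], "private": []}
    lines, i = text.splitlines(), 0
    while i < len(lines):
        key, _, value = lines[i].partition(": ")
        i += 1
        if key.startswith("PuTTY-User-Key-File-"):
            info["version"], info["algorithm"] = int(key.rsplit("-", 1)[1]), value
        elif key in ("Public-Lines", "Private-Lines"):
            count = int(value)
            info[key.split("-")[0].lower()] = lines[i:i + count]
            i += count
        else:
            info["headers"][key] = value
    return info

def is_unencrypted(info: dict) -> bool:
    """True when the private half is stored in the clear (no passphrase protects it)."""
    return info["headers"].get("Encryption", "none") == "none"

def to_openssh_public(info: dict) -> str:
    """Rebuild the authorized_keys form from the public blob, checking the algorithm name."""
    blob = base64.b64decode("".join(info["public"]))
    alg_len = struct.unpack(">I", blob[:4])[0]
    alg = blob[4:4 + alg_len].decode()
    if alg != info["algorithm"]:
        raise ValueError(f"algorithm mismatch: {alg} != {info['algorithm']}")
    return f"{alg} {base64.b64encode(blob).decode()} {info['headers'].get('Comment', '')}".rstrip()

if __name__ == "__main__":
    ppk = parse_ppk(build_sample_ppk(65537, 0xDEADBEEFCAFEF00D, "constructed-test-key"))
    print("stored without passphrase:", is_unencrypted(ppk))
    print(to_openssh_public(ppk))
```

The private half is deliberately left untouched: comparing the rebuilt public line against authorized_keys is enough to tell which accounts a leaked key unlocks.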
SSH as Root
Success! We have root access.
Root Flag
Flag: f8e5c4b3a2d1e0f9a8b7c6d5e4f3a2b1
Key Takeaways
- Default Credentials: Always test default credentials for known applications
- Information Disclosure: Ticketing systems and documentation may contain sensitive information
- KeePass CVE-2023-32784: KeePass 2.x is vulnerable to master password extraction from memory dumps
- Password Patterns: Context clues (Danish text) helped identify the full password
- Key Format Conversion: PuTTY (PPK) keys need conversion for OpenSSH
- Memory Forensics: Memory dumps can contain highly sensitive information
Mitigation
- Change Default Credentials: Immediately change all default passwords
- Least Privilege: Don’t store credentials in ticketing system comments
- Update Software: Keep KeePass and other applications updated
- Memory Protection: Clear sensitive data from memory
- Key Management: Use proper key management systems
- Access Control: Restrict access to sensitive files and databases
Tools Used
- nmap
- SSH
- keepassxc-cli
- keepass-password-dumper
- puttygen
- wget/curl
Additional Resources
Rating: ⭐⭐⭐⭐ (4/5) - Excellent machine for learning about CVE exploitation and real-world credential management issues.