Open in app

Sign in

Write

Sign in

HackTheBox : Keeper

#$ubh@nk@r
4 min readAug 16, 2023

--

Intro : Keeper is Completely new Machine in HackTheBox. It is a very easy Machine where you get a Login Page validation with Default Cred and dumping kdbx file password to generate root id_rsa with putty. So let’s jump into the Hack.

Nmap Scan :

As usual I start with a Basic Nmap Scan. I found 2 Ports are open : 22(ssh) and 80(http).

I add the Domain Name in my Host File and Access the Web-Page.

Web Enumeration :

After that I visit the Web-Page and I found Login Page.

But I don’t know the Username and Password. I try for SQLI but no Success. After that I found ‘Request Tracker’ Text in that Page. I search it in Google for Default Creds for Request Tracker and I found Something.

Tip : root:passsword

I use the above Combination and logged in as Root. Yaaa!!

This is the Main Page.

Here after some Enumeration I go to this Location.

Here I found that ‘lnorgaard’ User says in his Comment that Password is set to : <password>

User as Lnorgaard :

Then I use that Password and Logged in as that User using SSH.

And I get the User Flag.

Privilege Escalation :

So it is time for now some PrivEsc. I found there is zip File. I unzip it and save it in a Folder.

Here are 2 Files : KeePassDumpFull.dmp and passcodes.kdbx

The kdbx File needs Password to open. So we have to think about other File. After sometime I found a Python Script to retrieve the master password of a keepass database. You can find it HERE.

I download that script in Victim’s Machine And ran it.

It gives us some Possible Password but not Understandable. :)

So I search that term in Google. I found it is a Dessert Name : rødgrød med fløde.

So maybe it is the Password of that keepass File.

So I download keepassx First.

And opened it using that Password.

Here in All Entries I found a Note Contains putty ppk File. I copy it in a text File in my VM.

The I Download putty to generate id_rsa with that txt File using Specific Format.

Then I run the Following Command.

Tip : puttygen <file_name> -O private-openssh -o id_rsa

And I get a Private Key. We can use it for Root Access using SSH.

And at last I get the Root Access of the Machine.

THANKS FOR RAEDING!

If you like it don’t forget to Follow me for more Articles.

Happy Hacking~

--

--

#$ubh@nk@r
#$ubh@nk@r

Written by #$ubh@nk@r

829 Followers
53 Following

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams