🔎🦶Enumeration/Foothold

Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports it finds into Nmap.


Reviewing the initial results I navigate to port 80, which reveals a sub-domain, tickets.keeper.htb. I add it to my hosts file (/etc/hosts) and navigate to the link.

Shows tickets.keeper.htb sub-domain.


Upon reaching the website I see a login page for Request Tracker, and clicking the footer takes me to the vendor's website.

RT Tracker login page.


Eventually I find a default username/password which gives me access to the system (ew).

Post for RT Tracker showing default credentials.


The first thing I find upon logging in is a ticket regarding Keepass and a crash dump file.

Location of ticket.


Ticket showing use of KeePass and a dump file.


Next, in the users area, I find the default password for users in the comment section (eww).

Default user password found within extra info of user?


I log into the box and review the home directory. Seeing the KeePassDumpFull.dmp file and the passcodes.kdbx file, I spawn a Python http.server and pull both files to my local machine:


I then Googled around and found the following GitHub repository: CMEPW/keepass-dump-masterkey. I pulled the script to my machine and ran it against the dump.


Next I downloaded KeePass and installed it on my local machine. Using trial and error I was able to use the recovered password to open the KeePass database (ewww).

Yes Google I did mean that word, definitely.


This person must really like that pudding for it to be the password...

</gre_replace>
<gr_replace lines="59" cat="clarify" orig="Once I got onto">
Once I got into the database I noticed an SSH RSA key for PuTTY stored in an entry's description. Having some familiarity with the tool, I opened puttygen (part of the PuTTY suite), loaded the key I had saved from the description, and exported it as an OpenSSH key. I then copied the key to my Linux VM and logged into the box.

Once I got onto the database I noticed in the description an SSH-RSA key for putty. Having some familiarity with the tool I opened up puttygen (part of the putty suite of tools) and loaded in the key saved from the description and exported it as an OpenSSH key. I then copied the key to my Linux VM and logged into the box.

Entering the pudding into KeePass.


Noticing the putty RSA key.

/etc/password file found via LFI.

Exporting the key for use on my Kali VM.

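The PuTTY key sitting in a KeePass entry's description is the point where a stored secret turns into a login. As an added example (not part of the original post, nor PuTTY's own code), the following Python script audits a .ppk file the way a reviewer of a secrets store would: it reports the format version, algorithm and comment, flags keys that carry no passphrase ("Encryption: none"), checks that the public blob's algorithm matches the header, and for version-2 keys recomputes the Private-MAC (HMAC-SHA1 keyed with SHA1 of "putty-private-key-file-mac-key" plus the passphrase, over the SSH-string encodings of algorithm, encryption, comment, public blob and private blob). The sample key it builds is constructed filler, not real key material, and the helper names are the script's own.

```python
"""Audit a PuTTY .ppk private key file.

Added example for this write-up (not part of the original post or the PuTTY
project). Reports the format version, key algorithm and comment, flags keys
that carry no passphrase ("Encryption: none") and, for version-2 keys,
recomputes the Private-MAC so a corrupted or edited key is detected.
The sample key below is constructed filler, not real key material.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix, then bytes."""
    return struct.pack(">I", len(data)) + data


def _b64_lines(blob: bytes, width: int = 64) -> list:
    """Base64-encode a blob and wrap it the way puttygen writes it."""
    text = base64.b64encode(blob).decode()
    return [text[i:i + width] for i in range(0, len(text), width)]


def parse_ppk(text: str) -> dict:
    """Parse the line-oriented PPK format into a dict with decoded blobs."""
    lines = text.splitlines()
    header, algorithm = lines[0].split(": ", 1)
    if not header.startswith("PuTTY-User-Key-File-"):
        raise ValueError("not a PuTTY private key file")
    key = {"version": int(header.rsplit("-", 1)[1]), "algorithm": algorithm}
    i = 1
    while i < len(lines):
        name, _, value = lines[i].partition(": ")
        i += 1
        if name in ("Public-Lines", "Private-Lines"):
            count = int(value)  # number of base64 lines that follow
            key[name.split("-")[0].lower() + "_blob"] = base64.b64decode(
                "".join(lines[i:i + count]))
            i += count
        else:
            key[name.lower().replace("-", "_")] = value
    return key


def v2_mac(key: dict, passphrase: bytes = b"") -> str:
    """Private-MAC for PPK version 2: HMAC-SHA1 keyed with
    SHA1("putty-private-key-file-mac-key" + passphrase) over the SSH-string
    encodings of algorithm, encryption, comment, public blob, private blob."""
    mac_key = hashlib.sha1(b"putty-private-key-file-mac-key" + passphrase).digest()
    data = b"".join(_ssh_string(part) for part in (
        key["algorithm"].encode(), key["encryption"].encode(),
        key["comment"].encode(), key["public_blob"], key["private_blob"]))
    return hmac.new(mac_key, data, hashlib.sha1).hexdigest()


def audit_ppk(text: str) -> dict:
    """Return the findings a reviewer wants: passphrase protection, consistency
    of the public blob with the header, and MAC validity (v2, unencrypted)."""
    key = parse_ppk(text)
    blob = key["public_blob"]
    blob_algorithm = blob[4:4 + struct.unpack(">I", blob[:4])[0]].decode()
    protected = key.get("encryption", "none") != "none"
    report = {
        "version": key["version"],
        "algorithm": key["algorithm"],
        "comment": key.get("comment", ""),
        "passphrase_protected": protected,
        "public_blob_matches_header": blob_algorithm == key["algorithm"],
        "mac_valid": None,  # only checked for unencrypted v2 keys here
    }
    if key["version"] == 2 and not protected:
        report["mac_valid"] = hmac.compare_digest(v2_mac(key), key["private_mac"])
    return report


def build_sample_ppk() -> str:
    """Construct an unencrypted v2 PPK with a correct MAC. The RSA parts are
    filler bytes (constructed), so the key cannot be used for anything."""
    public_blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
                   + _ssh_string(b"\x00" + bytes(range(1, 65))))
    private_blob = bytes(range(64, 128))  # constructed filler, not a real key
    key = {"algorithm": "ssh-rsa", "encryption": "none",
           "comment": "rsa-key-constructed",
           "public_blob": public_blob, "private_blob": private_blob}
    pub_lines, priv_lines = _b64_lines(public_blob), _b64_lines(private_blob)
    return "\n".join([
        f"PuTTY-User-Key-File-2: {key['algorithm']}",
        f"Encryption: {key['encryption']}",
        f"Comment: {key['comment']}",
        f"Public-Lines: {len(pub_lines)}", *pub_lines,
        f"Private-Lines: {len(priv_lines)}", *priv_lines,
        f"Private-MAC: {v2_mac(key)}",
    ]) + "\n"


def tamper(text: str) -> str:
    """Edit the comment line; the MAC also covers the comment, so it breaks."""
    return text.replace("Comment: rsa-key-constructed", "Comment: rsa-key-edited")


if __name__ == "__main__":
    sample = build_sample_ppk()
    print(audit_ppk(sample))           # passphrase_protected False, mac_valid True
    print(audit_ppk(tamper(sample)))   # mac_valid False after the edit
```

A key that audits as passphrase_protected False is exactly what this box's database held: anyone who reads the entry can log in with it, so such keys are the ones to rotate first. The MAC check is limited to unencrypted version-2 files; version-3 and passphrase-protected keys are still classified, but their MAC is reported as None rather than verified.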


Rooted.


Eww..

Published On: August 13th, 2023 / Categories: HTB, Technology
