🔎🦶Enumeration/Foothold
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP.
Reviewing the initial results I navigate to port 80, which shows a sub-domain, tickets.keeper.htb. I add it to my hosts file /etc/hosts and navigate to the link.
Upon reaching the website I see a login page for Request Tracker; clicking the footer takes me to the vendor's website.
Eventually I find a default username/password which gives me access to the system (ew).
The first thing I find upon logging in is a ticket regarding Keepass and a crash dump file.
Next in the users area I find the default password for users in the comment section (eww).
I log into the box and review the home directory. Seeing the KeePassDumpFull.dmp file and the passcodes.kdbx file, I spawn an http.server and pull the files to my local machine.
I then Googled around and found the GitHub repository CMEPW/keepass-dump-masterkey. I pulled the script to my machine and ran it against the dump.
Next I downloaded KeePass and installed it on my local machine. Using trial and error I was able to use the password to access the KeePass database (ewww).
Once I got into the database I noticed an SSH-RSA key for PuTTY in the description. Having some familiarity with the tool, I opened up puttygen (part of the PuTTY suite of tools), loaded in the key saved from the description and exported it as an OpenSSH key. I then copied the key to my Linux VM and logged into the box.
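The key pasted into the KeePass entry description is in PuTTY's .ppk text layout, which is what puttygen converts. As an added example that is not from the original post, here is a small Python parser for that layout: it reads the header and line groups, flags whether the private part is passphrase-protected (Encryption: none is what you typically find when a key has been copied into notes or a database description), and emits the OpenSSH public-key line from the Public-Lines blob so the key can be matched against authorized_keys files during a review. The sample PPK is constructed with a toy public blob, not the key from the box.

```python
import base64
import struct

# Constructed sample in PuTTY's PPK v2 text layout (assumption: this is NOT
# the key from the box; the public blob is a toy RSA blob, not a usable key).
SAMPLE_PPK = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 1
AAAAB3NzaC1yc2EAAAABAwAAAAEF
Private-Lines: 1
AAAAAQMAAAABBQAAAAEFAAAAAQM=
Private-MAC: 0000000000000000000000000000000000000000
"""


def parse_ppk(text):
    """Parse a PPK v2/v3 text file into a dict; '*-Lines' groups are joined."""
    lines = text.splitlines()
    info = {}
    i = 0
    while i < len(lines):
        key, _, value = lines[i].partition(": ")
        i += 1
        if key.endswith("-Lines"):
            # 'Public-Lines: N' / 'Private-Lines: N' are followed by N base64 lines
            count = int(value)
            info[key[: -len("-Lines")]] = "".join(lines[i : i + count])
            i += count
        elif key.startswith("PuTTY-User-Key-File-"):
            info["Version"] = int(key.rsplit("-", 1)[1])
            info["Algorithm"] = value
        else:
            info[key] = value
    return info


def is_unprotected(info):
    """True when the private half is stored without a passphrase."""
    return info.get("Encryption", "none") == "none"


def openssh_public_line(info):
    """The Public blob is the SSH wire-format key, i.e. the OpenSSH public key base64 as-is."""
    blob = base64.b64decode(info["Public"])
    (length,) = struct.unpack(">I", blob[:4])  # first field: algorithm name
    algo = blob[4 : 4 + length].decode()
    if algo != info["Algorithm"]:
        raise ValueError("public blob algorithm does not match PPK header")
    return f"{algo} {info['Public']} {info.get('Comment', '')}".rstrip()
```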
Rooted.
Eww..