In this post, I would like to share a walkthrough of the Keeper machine from Hack the Box.
This room is considered an Easy machine on Hack the Box.
What will you gain from the Keeper machine?
For the user flag, you will need to use default credentials to gain access to the RT instance and then retrieve the credentials stored in a user’s profile. This user is currently addressing a KeePass problem using a memory dump.
As for the root flag, you need to exploit CVE-2022-32784 to extract the master password from the dump, which in turn grants access to a root SSH key in PuTTY format. Converting this key to OpenSSH format then makes it possible to obtain root privileges.
Information Gathering on Keeper Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/keeper]
└──╼ $ nmap -sC -sV 10.10.11.227 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-17 00:01 EDT
Nmap scan report for 10.10.11.227
Host is up (0.026s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
4444/tcp filtered krb524
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.39 seconds
┌─[darknite@parrot]─[~/Documents/htb/keeper]
└──╼ $
Let’s access the website interface.
However, the website shows a message asking us to visit the domain name tickets.keeper.htb/rt.
The website interface shows a login page but sadly, we don’t have any credentials to use here.
We have successfully accessed the dashboard.
After doing some research on the website interface, we noticed that there are two users here.
Wow! There’s a password for the user written in the comment about the user itself.
At last, we have successfully accessed the machine via
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
Let’s download the zip file to our attacker’s machine so that we can analyze the file further.
We have only found two files inside the zip file.
Therefore, let’s download keepass-dump-masterkey.git to our attacker’s machine.
There are a lot of passwords, and we are required to do some research on the possible password.
As a result, we should run kpsh with the passcode file.
By default, we should be able to unlock the passcode file with the password that we found earlier.
At last, we have successfully retrieved the SSH private key that we can use to access the machine via the SSH service.
We should convert the ppk file into a valid SSH id_rsa key.
However, it doesn’t work as I expected it would.
Let’s use the KeePass software and re-enter the credentials that we found earlier.
Let’s copy and paste the private SSH key onto our attacker’s machine.
Finally, it works like a charm.
We should be able to access the machine via the SSH service.
We can read the root flag by typing the “cat root.txt” command.
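The root key in this walkthrough was stored in PuTTY (.ppk) format. As an added example that is not part of the original walkthrough, the Python code below reads the header of a .ppk file and reports whether the private key is passphrase-protected, a check worth running on any key kept in a password vault. The sample key and the function names parse_ppk and audit are constructed for illustration.

```python
import re

# Constructed sample: header layout of a PPK version 2 file. The base64 body
# lines are placeholder text, not real key material.
SAMPLE_PPK = """\
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: constructed-example-key
Public-Lines: 2
cGxhY2Vob2xkZXItcHVibGljLWJsb2ItbGluZS1vbmU=
cGxhY2Vob2xkZXI=
Private-Lines: 2
cGxhY2Vob2xkZXItcHJpdmF0ZS1ibG9iLWxpbmUtb25l
cGxhY2Vob2xkZXI=
Private-MAC: 0000000000000000000000000000000000000000
"""

def parse_ppk(text):
    """Return the header metadata of a PPK file; raise ValueError if malformed."""
    lines = text.strip().splitlines()
    m = re.match(r"PuTTY-User-Key-File-(\d+): (\S+)$", lines[0]) if lines else None
    if not m:
        raise ValueError("not a PuTTY private key file")
    info = {"version": int(m.group(1)), "algorithm": m.group(2)}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"unexpected line {i + 1}")
        i += 1
        if key.endswith("-Lines"):       # header announces N base64 lines
            count = int(value)
            if i + count > len(lines):
                raise ValueError(f"{key} declares more lines than present")
            info[key] = count
            i += count                   # skip the blob, keep only its length
        else:
            info[key] = value
    for required in ("Encryption", "Public-Lines", "Private-Lines", "Private-MAC"):
        if required not in info:
            raise ValueError(f"missing {required} header")
    info["passphrase_protected"] = info["Encryption"] != "none"
    return info

def audit(text):
    """One-line finding suitable for a key-hygiene report."""
    info = parse_ppk(text)
    if info["passphrase_protected"]:
        return f"{info['algorithm']} key is encrypted ({info['Encryption']})"
    return f"{info['algorithm']} key '{info.get('Comment', '')}' has NO passphrase"
```

Calling audit(SAMPLE_PPK) flags the constructed key as unprotected; a key saved with a passphrase carries a different Encryption header and is reported as encrypted.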