Keeper

User flag

Initial nmap:

$ nmap -sC -sV 10.10.11.227
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 14:24 CDT
Nmap scan report for 10.10.11.227
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_  256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.13 seconds

The same scan against tickets.keeper.htb:

$ nmap -sC -sV tickets.keeper.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-16 14:33 CDT
Nmap scan report for tickets.keeper.htb (10.10.11.227)
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_  256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.58 seconds

Request Tracker (RT) version 4.4.4 is running at http://tickets.keeper.htb/rt and still accepts the default credentials root:password.

Looking at the users in this application, one of them has a comment that contains the password. We can SSH in using that user and password.

Root flag

Mail in /var/mail/lnorgaard indicates that the zip file in the home directory is meant to be there, rather than left behind by someone else on the box.

Copy the zip file with scp.

Most of the master password can be extracted with https://github.com/vdohney/keepass-password-dumper:

Password candidates (character positions):
Unknown characters are displayed as "●"
1.:     ●
2.:     ,, l, `, -, ', ], A, I, :, =, _, c, M, 
3.:     d, 
4.:     g, 
5.:     r, 
6.:     ●
7.:     d, 
8.:      , 
9.:     m, 
10.:    e, 
11.:    d, 
12.:     , 
13.:    f, 
14.:    l, 
15.:    ●
16.:    d, 
17.:    e, 
Combined: ●{,, l, `, -, ', ], A, I, :, =, _, c, M}dgr●d med fl●de

Googling the password fragment we have reveals a dish called "rødgrød med fløde". We can then open the KeePass db with it.
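
How little is left to guess once a dump yields output like the listing above, as an added example that is not part of the original writeup or of keepass-password-dumper: it parses the per-position lines and computes the remaining search space. The column-8 field layout, the single-character candidates and the 95-symbol alphabet for unknown positions are assumptions.

```python
import math
import re

# Constructed sample: the per-position lines of the listing above, trailing spaces dropped.
SAMPLE = [
    "1.:     ●",
    "2.:     ,, l, `, -, ', ], A, I, :, =, _, c, M,",
    "3.:     d,", "4.:     g,", "5.:     r,",
    "6.:     ●",
    "7.:     d,", "8.:      ,", "9.:     m,", "10.:    e,", "11.:    d,",
    "12.:     ,", "13.:    f,", "14.:    l,",
    "15.:    ●",
    "16.:    d,", "17.:    e,",
]

UNKNOWN = "●"   # marker printed for a character that could not be recovered
FIELD_COL = 8   # assumption: candidates start at column 8 (tab stop), as in the listing


def parse_candidates(lines):
    """Map position -> set of candidate characters, or None when unknown."""
    positions = {}
    for raw in lines:
        line = raw.expandtabs(FIELD_COL)
        m = re.match(r"(\d+)\.:", line)
        if not m:
            continue  # header and "Combined:" lines carry no per-position data
        field = line[FIELD_COL:]
        # Each entry is one character followed by ", ", so candidates sit at
        # offsets 0, 3, 6, ... This keeps "," and " " as real candidates.
        positions[int(m.group(1))] = None if field.startswith(UNKNOWN) else set(field[0::3])
    return positions


def residual_guesses(positions, alphabet_size):
    """Guesses left to someone holding the dump: product over all positions."""
    total = 1
    for cands in positions.values():
        total *= alphabet_size if cands is None else len(cands)
    return total


def leak_report(lines, alphabet_size=95):  # 95 = printable ASCII, an assumption
    positions = parse_candidates(lines)
    left = residual_guesses(positions, alphabet_size)
    full = alphabet_size ** len(positions)
    return {"length": len(positions), "unknown": sum(c is None for c in positions.values()),
            "bits_left": round(math.log2(left), 1), "bits_full": round(math.log2(full), 1)}


if __name__ == "__main__":
    print(leak_report(SAMPLE))
```

Under these assumptions a 17-character passphrase drops from roughly 112 bits to about 23, which is why a memory dump of a running KeePass has to be protected like the database key itself.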

One of the comments in the db contains a PuTTY user key file, which we can copy out and convert to OpenSSH format with:

puttygen mykey.ppk -O private-openssh -o .ssh/id_rsa

Then ssh in with:

ssh root@keeper.htb -i .ssh/id_rsa