Post

HTB Linux Easy: Keeper

Keeper is an Easy rated Linux machine on HTB.

Posted
By Gregory Allegoet
1 min read
HTB Linux Easy: Keeper

Nmap scan

Pasted image 20240715100207.png

Initial Foothold

Enumerate HTTP (Port 80)

Visit the website to find a URL: Pasted image 20240715100213.png

Add tickets.keeper.htb and keeper.htb to /etc/hosts: Pasted image 20240715100220.png

Test for default credentials, found: root:password. Pasted image 20240715100154.png

Found Admin users (Lise Norgaard), could be interesting in the future? Pasted image 20240715100146.png

An open ticket points to issues with KeePass which can be used in the future. Pasted image 20240715100127.png

Clicking on the lnorgaard user in the admin page reveals a password: Pasted image 20240715100132.png

Use credentials to log into the box: lnorgaard:Welcome2023!. Pasted image 20240715100137.png

Privilege Escalation

Retrieve the files found in the home folder of lnorgaard: Pasted image 20240715100107.png Pasted image 20240715100102.png

We can use a Python script against the KeePass file to possibly retrieve passwords. Pasted image 20240715100057.png

Some OSINT later: Pasted image 20240715100051.png Pasted image 20240715100045.png

Found the name of a danish dessert rødgrød med fløde, this is the master password of the KeePass file.

Open the KeePass file: root:F4><3K0nd! Pasted image 20240715100039.png

Root password doesn’t work. However we have a putty user key file in the notes. Use this to establish a root shell. Pasted image 20240715100035.png

Set the IP address and port of the machine in PuTTY. Pasted image 20240715100031.png

Assign ppk file, SSH, auth, browse and select the putty.ppk file. Pasted image 20240715100026.png

Log in as the root user. Pasted image 20240715100020.png

User.txt

Pasted image 20240715100015.png

Root.txt

Pasted image 20240715100009.png

Pwned!!!

Pasted image 20240715100003.png

Sources:

CTF, HTB
Linux Easy
This post is licensed under CC BY 4.0 by the author.