Keeper

Easy linux machine that involve ticketing system, default credential, memory dump, desserts and owning a root account!

Credentials

Username	Password	Description
root	password	default RT credentials for web
lnorgaard	Welcome2023!	User description in RT
keepass	rødgrød med fløde	dumped from memory

Enumeration

Nmap

# Nmap 7.94 scan initiated Tue Sep 26 15:50:48 2023 as: nmap -p22,80 -A -oA nmap/fullscan 10.10.11.227
Nmap scan report for 10.10.11.227
Host is up (0.038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   36.88 ms 10.10.14.1
2   36.98 ms 10.10.11.227

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 26 15:50:59 2023 -- 1 IP address (1 host up) scanned in 11.50 seconds

WebServer

According to this forum thread Forum default password is password and login is root as mentioned in first answer.

Login page of RT

Successful login with default credentials

After searching through portal, one user lnorgaard have plaintext password in description field. Welcome2023!

data of lnorgaard user

This set of credentials allowed for login in SSH

Login through SSH

Privilege Escalation

User have RT30000.zip file, after unzipping it inside there are memory dump and keepas database.

There was one vulnerability that allow dumping master password from memory, researcher that discovered this vuln shared a PoC:

GitHub - vdohney/keepass-password-dumper: Original PoC for CVE-2023-32784GitHub

Partialy recovered master password

After googling whats was dumped correctly it is some kind of dessert

So password is rødgrød med fløde. Inside keepass there is some kind of ssh key in putty format.

This can be converted to PEM key with one command as shown here:

How to Convert PPK to PEM file using Command – TecAdminTecAdmin

puttygen key -O private-openssh -o root.key

This allowed for login to root account with converted key.

Rooted box