Keeper

Easy linux machine that involve ticketing system, default credential, memory dump, desserts and owning a root account!

Credentials

Username

Password

Description

Enumeration

Nmap

# Nmap 7.94 scan initiated Tue Sep 26 15:50:48 2023 as: nmap -p22,80 -A -oA nmap/fullscan 10.10.11.227
Nmap scan report for 10.10.11.227
Host is up (0.038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
|_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.32 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   36.88 ms 10.10.14.1
2   36.98 ms 10.10.11.227

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 26 15:50:59 2023 -- 1 IP address (1 host up) scanned in 11.50 seconds

WebServer

According to this forum thread Forum default password is password and login is root as mentioned in first answer.

After searching through portal, one user lnorgaard have plaintext password in description field. Welcome2023!

This set of credentials allowed for login in SSH

Privilege Escalation

User have RT30000.zip file, after unzipping it inside there are memory dump and keepas database.

There was one vulnerability that allow dumping master password from memory, researcher that discovered this vuln shared a PoC:

After googling whats was dumped correctly it is some kind of dessert

So password is rødgrød med fløde. Inside keepass there is some kind of ssh key in putty format.

This can be converted to PEM key with one command as shown here:

puttygen key -O private-openssh -o root.key

This allowed for login to root account with converted key.

PreviousCozyHosting NextSau

Last updated 1 year ago