HackMD
hello hackers am back again, lets have a simple walkthroug with an easy box from SEASONAL 2 of hacking with HACK THE BOX, i was scared writting the writteups with these machine to avoid get suspendend from hacking.
As usually with hacking or pentesting methodology is what will save you.
lets begin hackers
STEP 1: SCANNING
as you can see above we have got two open port open but filtered mhmmmmmmmm.
STEP 2: ENUMERATION
Lets start enumerating one port after another
Port 22 is ssh, in order to access it we need credentials and we dont have here so we need to find another way in the target machine.
Port 80 is running http but seems is filtered, I was first scared since because if is the port is in filtered state we need to find a way to bypass it inorder to reach to the server, if we try to browser to the ip under port 80 it can be accessed men that was real cool for sure.
STEP 3: EXPLOITATION 3
It seems that we got here a domain and a subdomain lets add it to our /etc/hosts
And when we try to click the redirection link it takes us to a login page
The login page looks cool but i didn't want to go direct and try some other methodology of bypassing the login page, i knew that with this login page i dont need to brute force just some simple trick, normally HTB is trick so i started looking what is suspicious here with the login page.
You can google what is RT, and since we have a login page you can also try this one "RT defaults creds"
username:root
password:password
and try to input the creds
Just found myself in, reall cool and hapy
If we check the Admin section there you can find something useful and cool, its the domain and username
And finally we got something usefully
its a username and upon looking around found this
STEP 4: FOOTHOLDING
since we got the ssh creds we can try to gain remote access via ssh to the target machine.
email:lnorgaard@keeper.htb
password:Welcome2023!
STEP 5: PRIVILEGE ESCALATION
Lets have some fun time with root,it was really cool and simple
remember we saw a .zip file lets transfer to our local machine and have some deep diving with it.
Oky here we see two files, but the first dump file is the one contains the passcode for our way toward the database, so we need to dump theDumpFull.dmp file and see if we can get a passcode for the kdbx db.
After some search found the PoC and made a fork to myself so as i can easy get to it.
https://github.com/alien-keric/keepass-dump-masterkey.git
With the python script we can try to dump the keepass master-key like this
command: python poc.py KeePassDumpFile.dmp
Seems as some characters are missing here , i tried to google and see if i can get them.
passcode: Rødgrød med Fløde (rødgrød med fløde)
NB: if you try the name as it is you actuall get an error so u need to change the uppercase letter into small letters and then submit it.
Opening the passcode.kdbx in windows is very simple but in linux you can just try to download a keepass2 so as to be able to open this file.
After submitting our passcode we get some files.
And if we click the first file you you will get this output
Now the waiting is over, we see above under the notes section we have .perm file lets find a way we can convert to a .ppk file format
You can check here
https://repost.aws/knowledge-center/ec2-ppk-pem-conversion
NB: the main idea toward privilege escalation is ppk2pem.
first of all u have to install putty tools
command:sudo apt-get install putty-tools
And after that you can use the following command to convert the file
command: puttygen rsa.ppk -O private-openssh -o output.perm
And from there you can go and grab the flag of the root access
The machine was cool and really simple
