Hello hackers, I'm back again. Let's have a simple walkthrough of an easy box from Season 2 of Hack The Box. I was scared of writing write-ups for these machines, to avoid getting suspended from hacking.
As usual with hacking or pentesting, methodology is what will save you.
Let's begin, hackers.
**STEP 1: SCANNING**

As you can see above, we have two open ports, but one of them is reported as filtered, hmmmm.
**STEP 2: ENUMERATION**
Let's start enumerating one port after another.
Port 22 is SSH. To access it we need credentials, which we don't have yet, so we need to find another way into the target machine.
Port 80 is running HTTP but seems to be filtered. At first that scared me, because if the port is in a filtered state we need to find a way to bypass it in order to reach the server. But if we browse to the IP on port 80 it can be accessed. Man, that was really cool.
**STEP 3: EXPLOITATION**

It seems we have a domain and a subdomain here; let's add them to our /etc/hosts.

When we click the redirection link it takes us to a login page.

The login page looks cool, but I didn't want to go straight at it, so I tried some other methodology for bypassing the login page. I knew that with this login page I don't need to brute-force, just a simple trick. HTB is normally tricky, so I started looking for what is suspicious about this login page.
You can google what RT is, and since we have a login page you can also search for "RT default creds".

username:root
password:password
and try to input the creds.

Just found myself in. Really cool and happy.

If we check the Admin section, you can find something useful and cool: the domain and a username.

And finally we got something useful: a username. Looking around further, I found this.

**STEP 4: FOOTHOLDING**
Since we got the SSH creds, we can try to gain remote access to the target machine via SSH.
email:lnorgaard@keeper.htb
password:Welcome2023!

**STEP 5: PRIVILEGE ESCALATION**
Let's have some fun with root. It was really cool and simple.

Remember we saw a .zip file; let's transfer it to our local machine and do some deep diving into it.

OK, here we see two files. The first dump file is the one that contains the passcode for our way into the database, so we need to parse the theDumpFull.dmp file and see if we can get a passcode for the .kdbx database.
After some searching I found the PoC and made a fork for myself so I can easily get to it.
https://github.com/alien-keric/keepass-dump-masterkey.git
With the Python script we can try to dump the KeePass master key like this:

**command**: python poc.py KeePassDumpFile.dmp
It seems some characters are missing here, so I tried to google and see whether I could get them.

**passcode**: Rødgrød med Fløde (rødgrød med fløde)
NB: if you try the name as it is you actually get an error, so you need to change the uppercase letters into lowercase and then submit it.

Opening passcode.kdbx on Windows is very simple, but on Linux you can download KeePass2 to be able to open this file.
After submitting our passcode we get some files.

And if we click the first file you will get this output.

Now the waiting is over. We see above, under the notes section, that we have a PuTTY (.ppk) key; let's find a way to convert it to the OpenSSH (.pem) file format.
You can check here:
https://repost.aws/knowledge-center/ec2-ppk-pem-conversion
NB: the main idea for privilege escalation is ppk2pem.
First of all you have to install putty-tools:
**command**:sudo apt-get install putty-tools
And after that you can use the following command to convert the file:
**command**: puttygen rsa.ppk -O private-openssh -o output.perm
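As an added example (not part of the original write-up, and not the HTB box's own material), here is a small POSIX shell wrapper around the same puttygen conversion. It first checks which container format a key file actually is in (PuTTY .ppk, OpenSSH, or PEM), refuses to run puttygen on anything that is not a PuTTY key, keeps the converted private key at mode 0600, and validates the output with ssh-keygen. The file names, the `make_sample_ppk` helper and the sample header it writes are assumptions constructed for illustration, not a real key.

```shell
#!/bin/sh
# Added example, not from the original write-up. Detect an SSH private key's
# container format, then convert a PuTTY .ppk to OpenSSH format with puttygen
# (the tool the write-up uses) and sanity-check the result with ssh-keygen.
set -eu

# Print "putty", "openssh", "pem" or "unknown" based on the file's first line.
key_format() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        PuTTY-User-Key-File-*)                      echo putty ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")      echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----")
                                                    echo pem ;;
        *)                                          echo unknown ;;
    esac
}

# Convert the PuTTY key $1 into an OpenSSH private key at $2.
# Refuses non-PuTTY input, refuses to overwrite, and never leaves the
# private key group- or world-readable.
ppk_to_openssh() {
    src=$1
    dst=$2
    [ "$(key_format "$src")" = putty ] || { echo "not a PuTTY key: $src" >&2; return 1; }
    command -v puttygen >/dev/null 2>&1 || { echo "puttygen missing (apt-get install putty-tools)" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    umask 077                        # new file is created 0600
    puttygen "$src" -O private-openssh -o "$dst"
    ssh-keygen -l -f "$dst"          # prints the fingerprint; fails if the key is malformed
}

# Constructed sample (assumption, not a usable key): a file carrying only a
# PuTTY header, enough to exercise key_format.
make_sample_ppk() {
    sample=$(mktemp)
    printf 'PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\n' > "$sample"
    echo "$sample"
}

# Usage: sh convert.sh rsa.ppk output.pem   (file names are assumptions)
if [ -n "${1:-}" ]; then
    ppk_to_openssh "$1" "${2:-id_rsa_converted}"
fi
```

The format check matters because `puttygen` will happily error out, or worse convert the wrong thing, when handed an OpenSSH or PEM key; the `umask 077` and the overwrite check keep the recovered private key from ending up readable by other users on the analyst's machine.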

And from there you can go and grab the root flag.

The machine was cool and really simple.