Keeper - Hack The Box

Keeper is a Hack The Box (HTB) machine. It hosts a website behind an nginx WAF, so access is limited. You can log in to the system with default credentials, then obtain the password of a user, lisa, for the SSH connection. After that, download the .dmp file and recover an old session, then use that session, converted with private-openssh, to log in to the SSH service as root.

1st HTB VPN connection

The initial goal in this Starting Point is to connect to the machine. We only need to download the VPN file and connect with OVPN.

2nd Step to Solving

We create a folder for the Keeper machine.

3rd Step to Solving

Scanning all ports shows two open services on the target machine, 22/TCP and 80/TCP: an SSH service and an HTTP service.

4th Step to Solving

We ran nmap with the -sV option to get the service versions and more information.

5th Step to Solving

We opened the website on the target machine.

6th Step to Solving

We added the DNS entry for the target machine.

7th Step to Solving

We reached the real website of the target machine.

8th Step to Solving

We used the tool nuclei to test the website and other services.

9th Step to Solving

We tried to connect to the SSH service using anonymous credentials.

10th Step to Solving

We found information about the target machine: the name of the server software, “Request Tracker – Best Practical”.

11th Step to Solving

We searched exploit-db for Request Tracker.

12th Step to Solving

We found a SQL injection method.

13th Step to Solving

We searched Google for default credentials.

14th Step to Solving

We found the default credentials root and password.

15th Step to Solving

We logged in to the web system of the target machine.

16th Step to Solving

We searched for other credentials for the SSH service and found the password 2023! for the user lnorgaard.

17th Step to Solving

We connected to the SSH service.

18th The First flag

We found the first flag.

19th Step to Solving

We found a .dmp file with the database information.

20th Step to Solving

We used a Python program to try to open the .dmp file.

21st Step to Solving

22nd Step to Solving

We found a session with a PuTTY user key of type ssh-rsa.

23rd Step to Solving

We searched for how to convert the ssh-rsa key for use in an SSH session.

24th Step to Solving

Finally, we logged in as the root user on the target machine Keeper.

Second Flag

Finally, we submitted the second flag on HTB.
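
A defender-side check related to steps 22 and 23, as an added example that is not part of the original write-up: it parses the text layout of a PuTTY `.ppk` private key file and flags a key saved without a passphrase. The sample key is constructed from dummy bytes, and the function names `parse_ppk` and `audit_ppk` are hypothetical.

```python
import base64

# Constructed sample in PuTTY's PPK v2 text layout; the base64 bodies are
# dummy bytes ("A" and "B" repeated), not a real key.
SAMPLE_PPK = """\
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: constructed-example-key
Public-Lines: 2
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQQ==
Private-Lines: 1
QkJCQkJCQkJCQkJCQkJCQg==
Private-MAC: 0000000000000000000000000000000000000000
"""

def parse_ppk(text):
    """Parse the 'Key: value' headers and the counted base64 sections."""
    lines = text.splitlines()
    fields, i = {}, 0
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"line {i + 1}: expected 'Key: value'")
        i += 1
        if key.startswith("PuTTY-User-Key-File-"):
            fields["version"] = int(key.rsplit("-", 1)[1])
            fields["algorithm"] = value
        elif key.endswith("-Lines"):
            count = int(value)  # number of base64 lines that follow
            body = lines[i:i + count]
            if len(body) != count:
                raise ValueError(f"{key}: file truncated")
            fields[key[:-6].lower()] = base64.b64decode("".join(body))
            i += count
        else:
            fields[key.lower()] = value
    return fields

def audit_ppk(text):
    """Return (fields, warnings); warn when the private part has no passphrase."""
    fields = parse_ppk(text)
    if "version" not in fields or "private" not in fields:
        raise ValueError("not a PuTTY private key file")
    warnings = []
    if fields.get("encryption") == "none":
        warnings.append("private key is stored without a passphrase")
    return fields, warnings
```

A key that `audit_ppk` flags can be used by anyone who obtains the file, so it should be re-saved with a passphrase or rotated.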