{"id":240,"date":"2025-09-06T19:05:00","date_gmt":"2025-09-06T19:05:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=240"},"modified":"2025-12-28T18:51:50","modified_gmt":"2025-12-28T18:51:50","slug":"keeper-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=240","title":{"rendered":"Keeper- Hackthebox lab"},"content":{"rendered":"\n

To begin my enumeration, I performed a port scan of both TCP and UDP ports using Nmap. This initial step allowed me to establish a clear picture of the services that were exposed and set the foundation for the rest of the assessment.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Checking the web service on port 80, I came across a DNS hostname. Since it wasn\u2019t resolving externally, I added it manually to my \/etc\/hosts file, ensuring that all future requests would resolve properly for further testing.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

While exploring the target, I identified an RT application. A quick online search revealed its default credentials, which allowed me to gain initial access. Once inside the application, I discovered another user account and, by reviewing its properties, uncovered a stored password. Testing this credential confirmed that it provided valid SSH access to the system.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Within the ticketing application, I came across a ticket where a user had mentioned uploading a crash dump from their KeePass application. Although the file itself wasn\u2019t stored directly in the ticketing system, I located it in the user\u2019s home directory on the target machine. I then transferred the dump file to my local machine for closer examination.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

During my research, I came across a public exploit for CVE-2023-32784, which targets KeePass to recover the master key. Using this exploit, I was able to successfully dump the master key from the KeePass vault.<\/p>\n\n\n\n

https:\/\/github.com\/CMEPW\/keepass-dump-masterkey<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I had to search the stings online to get the correct text.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the recovered master key in hand, I installed a KeePass client on my Kali machine and used it to unlock the vault. Once inside, I uncovered sensitive information, including a private key and a password associated with the Keeper host.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used puttygen to generate a private key file and use it to access the server as root.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Completing the Keeper lab demonstrated how an attacker can chain multiple findings into a full system compromise. Default credentials, sensitive data in user directories, and vulnerable applications all played a role.<\/p>\n","protected":false},"excerpt":{"rendered":"

To begin my enumeration, I performed a port scan of both TCP and UDP ports using Nmap. This initial step allowed me to establish a clear picture of the services that were exposed and set the foundation for the rest of the assessment. Checking the web service on port 80, […]<\/p>\n","protected":false},"author":1,"featured_media":241,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=240"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/240\/revisions"}],"predecessor-version":[{"id":358,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/240\/revisions\/358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/241"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}