Post

Keeper

A Request Tracker ticketing system left on its documented default root/password login exposes an admin panel where a user's SSH password sits in clear text inside a comment field, granting a direct SSH foothold and the user flag.

Keeper

Overview

Keeper is an easy-difficulty Linux box whose foothold is a chain of two classic operational mistakes: a Request Tracker (RT) instance still running with vendor default credentials, and a live SSH password pasted in clear text into a user comment field inside that admin panel. Together they hand over an SSH login with no real exploitation required. This post covers recon through the user flag.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Pure real-life operational failure — vendor default RT creds plus a cleartext SSH password in a comment field — with no CVE, no custom work, and almost no enumeration, scoring high only on realism.

Recon

PortServiceNotes
22/tcpOpenSSH 8.9p1Ubuntu
80/tcpnginx 1.18.0redirects to a ticketing portal
1
nmap -sC -sV <target-ip>

Two ports. With no credentials for SSH, the web server on port 80 is the starting point.

Enumeration

Browsing to port 80 returns a single hyperlink pointing at a ticketing portal on a virtual host:

1
To raise an IT support ticket, please visit tickets.keeper.htb/rt/

Add the vhost to /etc/hosts:

1
echo "<target-ip> tickets.keeper.htb keeper.htb" | sudo tee -a /etc/hosts

Visiting http://tickets.keeper.htb/rt/ presents a Request Tracker (RT) login page — an open-source web-based ticketing system by Best Practical. RT ships with a documented default superuser account, and a quick look at the RT documentation confirms the credentials:

  • Username: root
  • Password: password

These were never changed, and they log straight into the RT admin dashboard.

Foothold

Inside the dashboard, Admin → Users lists two privileged users: lnorgaard and root. Opening the lnorgaard user and scrolling to the Comments about this user section reveals a note left by an administrator:

1
New user. Initial password set to Welcome2023!

A live SSH password stored in clear text. It works verbatim against OpenSSH:

1
2
ssh lnorgaard@<target-ip>
# password: Welcome2023!

User flag

With a shell as lnorgaard, the user flag is in the home directory:

1
2
cat /home/lnorgaard/user.txt
# [redacted]

The path to root runs through a KeePass memory dump (KeePassDumpFull.dmp / passcodes.kdbx) in this user’s home and CVE-2023-32784 master-password recovery — but this post stops at user.

This post is licensed under CC BY 4.0 by the author.