
HTB Keeper: From Default Credentials to Root

Overview

Keeper is a medium-difficulty HackTheBox machine that tests your ability to enumerate services, identify default credentials, and exploit a known vulnerability in KeePass to escalate privileges.

Initial Enumeration

A full port scan reveals two open services: SSH on port 22 and an HTTP server on port 80. The web server redirects to a Request Tracker instance, an open-source ticketing system commonly used in IT operations.

Gaining Access

Request Tracker ships with well-documented default credentials. A quick check of the documentation reveals the default admin account, which hasn't been changed on this instance. Once inside the admin panel, browsing user accounts reveals a support technician whose profile contains an initial password stored in the comments field. This password also works for SSH access.

Privilege Escalation

On the target machine, the user's home directory contains a ZIP archive with a KeePass database file and a memory dump. Using a known CVE affecting KeePass versions prior to 2.54, it's possible to extract the master password from the memory dump. Opening the database with the recovered password reveals the root user's SSH private key stored as a note entry.

Lessons Learned

This box reinforces several fundamental security principles: always change default credentials, never store passwords in user-accessible fields, keep software updated to patch known CVEs, and treat memory dumps as sensitive artifacts. The attack chain here is straightforward but realistic — each step mirrors mistakes commonly found in real-world environments.
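
As an added example (not part of the original writeup), a defender can sweep home directories for the kind of artifacts that enabled the escalation above: KeePass databases and memory dumps, including ones packed inside ZIP archives. The function names and signature table are this example's own assumptions; files are identified by magic bytes (KDBX 2.x header, Windows minidump `MDMP`, Windows crash dump `PAGEDU`) with a fallback to the file extension.

```python
import os, stat, zipfile
# Magic bytes: KeePass 2.x KDBX header, Windows minidump, Windows crash dump.
SIGNATURES = {
    b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5": "keepass-db",
    b"MDMP": "memory-dump",
    b"PAGEDU": "memory-dump",
}
EXTENSIONS = {".kdbx": "keepass-db", ".dmp": "memory-dump"}

def classify(name, head):
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return EXTENSIONS.get(os.path.splitext(name)[1].lower())

def scan_zip(fileobj, label):
    """List sensitive members of a ZIP without extracting it to disk."""
    findings = []
    try:
        with zipfile.ZipFile(fileobj) as zf:
            for info in zf.infolist():
                # Encrypted members cannot be peeked at: classify by name only.
                head = b"" if info.flag_bits & 0x1 else zf.open(info).read(8)
                kind = classify(info.filename, head)
                if kind:
                    findings.append((f"{label}!{info.filename}", kind))
    except zipfile.BadZipFile:
        pass  # PK header but not a readable archive
    return findings

def scan_tree(root):
    """Walk root and return (path, kind) for each sensitive artifact found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue  # skip symlinks, FIFOs, devices
                with open(path, "rb") as fh:
                    head = fh.read(8)
                    kind = classify(fname, head)
                    if kind:
                        findings.append((path, kind))
                    elif head.startswith(b"PK\x03\x04"):
                        fh.seek(0)
                        findings += scan_zip(fh, path)
            except OSError:
                continue  # unreadable file
    return findings
```

Running `scan_tree("/home")` from a scheduled audit job gives a list of paths to review, with archive members reported as `archive.zip!member`.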