OpenKeyS HackTheBox WalkThrough

This is the OpenKeyS HackTheBox walkthrough. In this writeup I have demonstrated, step by step, how I got root on the OpenKeyS OpenBSD HTB machine. Before starting, let us learn something about the OpenKeyS HackTheBox machine. It is an OpenBSD machine with difficulty level Medium assigned by its maker, and its IP address is 10.10.10.199.
First of all, connect your PC to the VPN and confirm connectivity by pinging the IP address 10.10.10.199. As usual I started by scanning the IP address for open ports and banner grabbing the services running on them. Nmap [a port scanner] gave the following result.
Scanning
$ nmap -sC -sV -oN nmap_scan 10.10.10.199

Ports 22 and 80 are open, with OpenSSH 8.1 and the OpenBSD web server running on them respectively. Browsing to the website http://10.10.10.199 I found a login page.

As usual I tried to log in with some default credentials like admin : admin and admin : password, but login failed due to wrong credentials. I checked the page source for information about a CMS or some important comments but did not find anything interesting. Then I tried directory brute forcing using dirsearch (the best directory brute forcing tool so far) and got this result.
Directory brute forcing
$ dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -t 20 -u http://10.10.10.199/

At the URL http://10.10.10.199/includes/auth.php.swp I got a domain, jenniferopenkeys.htb. I added this to my /etc/hosts file because there may be a website served on this domain if virtual hosting is enabled. However, http://jenniferopenkeys.htb/index.php returned the same page as http://10.10.10.199/index.php. Since jennifer is present in this domain name, I added it to my notes in case it is our SSH user.

After further enumeration I got this link. According to it, an attacker can bypass the login screen by logging in with the credentials -schallenge : passwd.
Authentication Bypass

Successfully bypassed the login screen and got redirected to the page sshkey.php. According to the message on sshkey.php, the OpenSSH key for the user -schallenge is missing because the user -schallenge does not exist. So I captured the request to http://jenniferopenkeys.htb/index.php in Burp Suite to modify it.

Added the cookie value username=jennifer after terminating the PHPSESSID cookie with ; (semicolon).

After adding the cookie I sent the request and was redirected to the page sshkey.php.

Following the redirection, we got the OpenSSH private key for user jennifer.

After requesting the page in the browser I got the SSH key.
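The two weaknesses used above are a username that begins with - being passed on to OpenBSD's login helpers, where it is parsed as an option, and the application trusting a client-supplied username cookie when deciding whose key to show. As an added defender-side example (not code from the box, the author, or the original auth.php), here is a Python sketch of a hardened flow: an allow-list check on the username before it can reach any authenticator, and a server-side session that maps an opaque PHPSESSID to the logged-in user so a forged username cookie is ignored. The `authenticated` flag stands in for the real password check, which is outside the scope of this example.

```python
import re
import secrets
from typing import Dict, Optional

# Allow-list for usernames: must start with a letter, then lowercase
# alphanumerics, '_' or '-'. A leading '-' is rejected because OpenBSD's
# login helpers would treat it as an option, which is exactly what the
# "-schallenge" login in the write-up relies on.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def is_valid_username(name: str) -> bool:
    """True only for names that cannot be mistaken for a flag."""
    return USERNAME_RE.fullmatch(name) is not None


class SessionStore:
    """Server-side sessions: the browser only ever holds an opaque id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str, authenticated: bool) -> Optional[str]:
        # Validate first, so a malformed name never reaches the system
        # authenticator. 'authenticated' is a stand-in for that check.
        if not is_valid_username(username) or not authenticated:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for(self, cookies: Dict[str, str]) -> Optional[str]:
        # The user comes from the session id only; a client-supplied
        # "username" cookie (as abused in the write-up) is never consulted.
        return self._sessions.get(cookies.get("PHPSESSID", ""))


def ssh_key_for_request(store: SessionStore, cookies: Dict[str, str],
                        keys: Dict[str, str]) -> Optional[str]:
    """Return the caller's own SSH key, or None if not logged in."""
    user = store.user_for(cookies)
    if user is None:
        return None
    return keys.get(user)
```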

1. Copied the private key into a file named private_key inside my /root/.ssh/ directory.
2. Changed the permissions of private_key.
3. Now connect to the remote OpenKeyS machine using private_key.
$ cd /root/.ssh/
$ nano private_key
$ chmod 600 private_key
Getting User Shell
$ ssh -i private_key jennifer@10.10.10.199

Capture User Flag
$ cat user.txt

Privilege Escalation
Finding PrivEsc Vector
The command $ uname -a reveals that OpenKeyS is running kernel version 6.6. So I googled "openbsd 6.6 privilege escalation exploit" to see whether any kernel exploit exists for version 6.6, and got this article. Reading it, I found that OpenBSD 6.6 is vulnerable to local privilege escalation and more.
So here our privilege escalation vector is a vulnerable kernel version, and a suitable kernel exploit is sufficient to escalate privileges to root. I used this exploit to escalate privileges.
Getting Root Shell
I used exactly the same steps as directed in the above link and got root.
Note: try changing to the home directory of user jennifer if you get an error running this exploit.
$ cd /tmp
$ nano openbsd-authroot # copy & paste the content from just above link to this file
$ chmod +x openbsd-authroot
$ ./openbsd-authroot

Capture Root Flag
$ cat root.txt

This is how I got root on OpenKeyS HackTheBox. I learnt a lot from this walkthrough. Thanks for reading this article. If you have any issue, write in the comment section. For any suggestion about the writeup, feel free to write to us at [email protected].
