OpenKeyS HackTheBox WalkThrough
This is the OpenKeyS HackTheBox walkthrough. In this writeup I have demonstrated, step by step, how I got root on the OpenKeyS OpenBSD HTB machine. Before starting, let us know something about the OpenKeyS HackTheBox machine. It is an OpenBSD machine with difficulty level medium assigned by its maker, with IP address 10.10.10.199.
First of all, connect your PC to the VPN and confirm connectivity by pinging the IP address 10.10.10.199. As usual, I started by scanning the IP address for open ports and banner-grabbing the services running on them.
Nmap (a port scanner) gave the following result.
$ nmap -sC -sV -oN nmap_scan 10.10.10.199
Ports 22 and 80 are open. OpenSSH 8.1 and the OpenBSD web server are running on them respectively. On visiting the website http://10.10.10.199 I found a login page.
As usual, I tried to log in with some default credentials like admin : admin and admin : password, but login failed due to wrong credentials. Checked the page source for hints about a CMS or some important comments but did not find anything interesting. Then tried directory brute force using dirsearch (the best directory brute-forcing tool so far) and got this result.
Directory brute forcing
$ dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e all -t 20 -u http://10.10.10.199/
At the URL http://10.10.10.199/includes/auth.php.swp I got a domain, jenniferopenkeys.htb. Added this to my /etc/hosts file because there may be a website running on this domain if virtual hosting is enabled. However, http://jenniferopenkeys.htb/index.php returned the same page as http://10.10.10.199/index.php. The domain name contains jennifer, so I added it to my notes in case it is our SSH user.
After further enumeration I found this link. According to it, an attacker can bypass the login screen by logging in with the credentials -schallenge : passwd.
Successfully bypassed the login screen and was redirected to the page sshkey.php. According to the message on sshkey.php, the OpenSSH key for the user -schallenge is missing because the user -schallenge does not exist. So I captured the request for http://jenniferopenkeys.htb/index.php in Burp Suite to modify it.
Added the cookie username=jennifer after the PHPSESSID cookie (separated by a semicolon), sent the request, and was redirected to the page sshkey.php. Followed the redirection and got the OpenSSH private key for the user jennifer.
After requesting the page in the browser I got the SSH key.
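To make the two web-side weaknesses in this chain concrete, here is an added example (not the box's PHP and not the HTB author's code) that models the login and sshkey.php logic in Python. The OS login helper is a constructed stand-in, the jennifer password and SSH key are constructed values, and each vulnerable function sits beside its hardened form: validate the account name before it reaches the system authenticator, and take the identity only from the server-side session, never from a client cookie.

```python
import re
import secrets

# Constructed stand-ins for the server state behind index.php / sshkey.php.
SESSION_STORE = {}   # PHPSESSID -> {"username": ...}
SSH_KEYS = {"jennifer": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n-----END OPENSSH PRIVATE KEY-----"}

# Only plain account names may reach the system authenticator. A leading '-' is what lets
# "-schallenge" be read as an option instead of a login name, so it is rejected up front.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def os_authenticate(username, password):
    """Constructed stand-in for the OS login helper: accepts jennifer's (constructed) password
    and, mirroring the behaviour the writeup abuses, any name that starts with '-'."""
    if username.startswith("-"):
        return True
    return username == "jennifer" and password == "constructed-password"


def login_vulnerable(username, password):
    """No validation: whatever the form sends is passed straight to the OS helper."""
    if not os_authenticate(username, password):
        return None
    sid = secrets.token_hex(16)
    SESSION_STORE[sid] = {"username": username}
    return sid


def login_fixed(username, password):
    """Validate the name first, then bind the identity to a fresh server-side session."""
    if not VALID_USERNAME.match(username) or not os_authenticate(username, password):
        return None
    sid = secrets.token_hex(16)
    SESSION_STORE[sid] = {"username": username}
    return sid


def sshkey_vulnerable(cookies):
    """The flaw from the writeup: a client-supplied 'username' cookie overrides the session identity."""
    sess = SESSION_STORE.get(cookies.get("PHPSESSID"))
    if sess is None:
        return None
    return SSH_KEYS.get(cookies.get("username", sess["username"]))


def sshkey_fixed(cookies):
    """Identity comes only from the server-side session; extra client cookies are ignored."""
    sess = SESSION_STORE.get(cookies.get("PHPSESSID"))
    if sess is None:
        return None
    return SSH_KEYS.get(sess["username"])
```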
1. Copied the private key into a file named private_key inside my /root/.ssh/ directory.
2. Changed the permissions of private_key to 600.
3. Now connect to the remote OpenKeyS machine using private_key.
$ cd /root/.ssh/
$ nano private_key
$ chmod 600 private_key
Getting User Shell
$ ssh -i private_key jennifer@10.10.10.199
Capture User Flag
$ cat user.txt
Finding PrivEsc Vector
$ uname -a reveals that OpenKeyS is running kernel version 6.6. So I googled "openbsd 6.6 privilege escalation exploit" to check whether any kernel exploit exists for version 6.6. Got this article. On reading it, I found that OpenBSD 6.6 is vulnerable to local privilege escalation and more.
So here our privilege escalation vector is a vulnerable kernel version, and a suitable kernel exploit is sufficient to escalate privileges to root. Used this exploit to get privilege escalation.
Getting Root Shell
Used exactly the same steps as directed in the above link and got root.
Note: Try changing to the home directory of the user jennifer if you get an error running this exploit.
$ cd /tmp
$ nano openbsd-authroot # copy & paste the content from just above link to this file
$ chmod +x openbsd-authroot
Capture Root Flag
This is how I got root on OpenKeyS HackTheBox. Learnt a lot from this walkthrough. Thanks for reading this article. If you have any issue, write in the comment section. For any suggestion about the writeup, feel free to write to us at [email protected].