OpenKeyS — HTB walkthrough
Medium-level Hack The Box machine, based on OpenBSD authentication vulnerabilities and an exposed SSH key.
ENUMERATION
Running an nmap scan for default scripts and service versions, we see port 22 (SSH) and port 80 (HTTP) open.
PORT 80 HTTP Enumeration
Visiting port 80, we see a login page.
Viewing the page source, we see that the username and password fields are limited to 100 characters (a limit enforced only in the HTML form).
Before trying SQL injection, we can try sending more than 100 characters in the username and password fields.
Capture the login request in Burp.
Now create a 100-character string of A's.
Enter the string in the Username and Password fields, then send the request through Burp.
We see no changes. Well, this was not the intended exploit method, I guess, and I wasted a lot of time on it, along with SQL injection. By then our background recon was complete: the gobuster scans had finished.
Visiting each directory one by one, I reached the conclusion that the includes directory had important content.
Important information disclosed:
- User: jennifer
- Current path: /var/www/htdocs/includes/auth.php
- Also, if the cookie is verified, we won't need a username and password to log in; the session resumes as it was.
Searching for exploits, we see that there is an OpenBSD exploit relating to SSH keys.
We get redirected to the sshkey.php page, which says: OpenSSH key not found for user -schallenge:passwd
Failures:
1. I tried sending -a skeys in the username, to get keys if possible
2. sent -schallengejennifer; didn't work as the CVE should
3. tried to capture the cookie after the sshkeys.php page opens and place it on index.php; doesn't work
So what worked was:
4. replaced the PHPSESSID cookie with username=jennifer
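The two findings above (the auth.php disclosure that a verified cookie resumes the session without credentials, and the working bypass of replacing PHPSESSID with username=jennifer) come down to the server trusting a client-supplied username cookie. The following is an added example, not the OpenKeyS application's own code, showing that pattern beside a hardened one in which the cookie carries only an opaque server-issued session id; it also enforces the 100-character field limit on the server rather than only in the HTML form. The cookie names, the field limit and the user jennifer are taken from the walkthrough; the credential table, password and session store are constructed for the example.

```python
# Session resumption and input-length validation: a client-trusting pattern
# beside a server-side-session pattern. Added example, not the OpenKeyS
# application's own code. The cookie names PHPSESSID and username, the
# 100-character field limit and the user jennifer come from the walkthrough;
# the credential table, password and session store are constructed here.
import hashlib
import secrets
from typing import Dict, Optional

MAX_FIELD_LEN = 100  # the limit the HTML form enforces; must also hold server-side

# Constructed credential table: username -> sha256(password), for illustration only.
_CREDENTIALS: Dict[str, str] = {
    "jennifer": hashlib.sha256(b"constructed-password").hexdigest(),
}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed table."""
    expected = _CREDENTIALS.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return secrets.compare_digest(digest, expected)


# --- Vulnerable pattern: the server trusts a client-supplied 'username' cookie.
def resume_session_insecure(cookies: Dict[str, str]) -> Optional[str]:
    user = cookies.get("username")
    # Any client can set username=jennifer and be treated as already logged in.
    return user if user in _CREDENTIALS else None


# --- Hardened pattern: the cookie holds only an opaque, random session id that
#     maps to a username in server-side storage populated at login time.
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> username

    def login(self, username: str, password: str) -> Optional[str]:
        # Enforce the length limit on the server, not only in the HTML form.
        if len(username) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
            return None
        if not check_password(username, password):
            return None
        sid = secrets.token_hex(32)  # 256 bits of entropy; not guessable
        self._sessions[sid] = username
        return sid

    def resume(self, cookies: Dict[str, str]) -> Optional[str]:
        # Only the server-issued id is consulted; a 'username' cookie is ignored.
        sid = cookies.get("PHPSESSID")
        if sid is None:
            return None
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print(resume_session_insecure({"username": "jennifer"}))  # jennifer, no password needed
    store = SessionStore()
    print(store.resume({"username": "jennifer"}))  # None: the cookie is ignored
    sid = store.login("jennifer", "constructed-password")
    print(store.resume({"PHPSESSID": sid}))  # jennifer, via the server-issued id
```

The fix is not in the cookie name but in where the authority lives: the hardened store never reads an identity from the client, only a random id that it issued itself, so the walkthrough's cookie swap yields nothing.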
EXPLOITATION
Since we have already got the private SSH key for user jennifer, we save it, change its mode to 600 and use it to get an SSH session as jennifer.
PRIVILEGE ESCALATION
Searching for OpenBSD exploits, which we have already come across.
For exploitation, we need to be in the auth group; then we can use the S/Key LPE exploit.
So we go directly to /tmp. Then we write C code in swrast_dri.c and compile it with gcc. Then we set the environment and echo a new MD5 value for root's password into /etc/skey/root. Then we simply switch user to root.
Hurray, we are now root. We can now collect proof.txt from /root.
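The escalation above relies on a member of group auth being able to write a new entry into /etc/skey/root. The following is an added example, not from the walkthrough, of the check an administrator would run to catch that condition: a POSIX shell function that lists any file or directory under an S/Key database path with the group- or world-write bit set. The directory is a parameter so the function can be exercised on a constructed fixture; on OpenBSD it would be run against /etc/skey (the path named on the page).

```sh
#!/bin/sh
# Audit an S/Key database directory for entries that group members or
# others can write. Added example, not from the walkthrough. The path to
# check is an argument (on OpenBSD: audit_skey_dir /etc/skey) so the
# function can also be run against a constructed fixture directory.
audit_skey_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit_skey_dir: no such directory: $dir" >&2
        return 2
    fi
    # POSIX find: -perm -g+w matches when the group-write bit is set,
    # -perm -o+w when the other-write bit is set. The directory itself is
    # included so a writable parent directory is reported as well.
    writable=$(find "$dir" \( -type f -o -type d \) \
                    \( -perm -g+w -o -perm -o+w \) 2>/dev/null)
    if [ -n "$writable" ]; then
        echo "writable S/Key entries found under $dir:" >&2
        printf '%s\n' "$writable" >&2
        return 1
    fi
    echo "ok: no group/world-writable entries under $dir"
    return 0
}
```

A non-zero return is the signal to act on: an entry that group auth can write lets any member replace a user's one-time-password record, which is exactly what the walkthrough does to root.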
ROOTED!!!