OpenKeyS — HTB walkthrough
Medium level hack the box challenge, based on OpenBSD vulnerabilities for SSH keys.
Running nmap scan for default scripts and service version we see port 80 and port 22 open.
PORT 80 HTTP Enumeration
Visiting port 80 we see login page.
Viewing source code we see, 100 characters are allowed in username and password field.
Before trying SQL injection , we can try to send more than 100 characters to username and password field.
Capture the login request on burp
Now create 100 character length string containing A’s
Enter the characters in place of Username and Password field, the send the request through burp.
We see no changes. Well this was not the intended exploit method I guess. And wasted a lots of time on same, along with SQL injection. Till then our background recon was completed. The gobuster scans were completed.
Visiting each directory one by one. I reached to the conclusion that, includes directory was having important content.
Important information disclosure.
- User : Jennifer
- Current path : /var/www/htdocs/includes/auth.php
- Also if cookies get verified then we won’t require username and password to login. The session resumes as it was.
Searching for exploits we see, there exists an SSH keys exploit for OpenBSD.
We get redirected to sshkey.php page , which says OpenSSH key not found for user -schallenge:passwd
1. I tried to send -a skeys to get keys if possible in username
2. sent -schallengejennifer, didn’t work as CVE should
3. tried to capture cookie after sshkeys.php page opens and place it on index.php, doesn’t work
So what worked was,
4. replaced phpsessionid with username=jennifer
Since we have already got the private SSH keys for user jennifer. We save it, change the mode to 600 and use it to get SSH session for Jennifer.
Searching for OpenBSD exploits, which we have already came across
Various local exploits. Contribute to bcoles/local-exploits development by creating an account on GitHub.
For exploitation , we need to be in auth group then we can exploit skey LPE exploit.
So we directly go to /tmp dir. Then we write c code in swrast_dri.c . Then we compile the same code using gcc . Then we set the environment and echo new md5 value for password for root in /etc/skey/root. Then we simply switch user to root.
Hurray we are now root. We can now collect the proof.txt from /root dir.