OpenKeyS — HTB walkthrough

Medium level hack the box challenge, based on OpenBSD vulnerabilities for SSH keys.

Running nmap scan for default scripts and service version we see port 80 and port 22 open.

PORT 80 HTTP Enumeration

Visiting port 80 we see login page.

Viewing source code we see, 100 characters are allowed in username and password field.

Before trying SQL injection , we can try to send more than 100 characters to username and password field.

Capture the login request on burp

Now create 100 character length string containing A’s

Enter the characters in place of Username and Password field, the send the request through burp.

We see no changes. Well this was not the intended exploit method I guess. And wasted a lots of time on same, along with SQL injection. Till then our background recon was completed. The gobuster scans were completed.

Visiting each directory one by one. I reached to the conclusion that, includes directory was having important content.

visiting each php page one by one.

Important information disclosure.

  1. User : Jennifer
  2. Current path : /var/www/htdocs/includes/auth.php
  3. Also if cookies get verified then we won’t require username and password to login. The session resumes as it was.

Searching for exploits we see, there exists an SSH keys exploit for OpenBSD.

trying to exploit the same, via login

We get redirected to sshkey.php page , which says OpenSSH key not found for user -schallenge:passwd

Failures :

1. I tried to send -a skeys to get keys if possible in username

2. sent -schallengejennifer, didn’t work as CVE should

3. tried to capture cookie after sshkeys.php page opens and place it on index.php, doesn’t work

So what worked was,

4. replaced phpsessionid with username=jennifer


Since we have already got the private SSH keys for user jennifer. We save it, change the mode to 600 and use it to get SSH session for Jennifer.


Searching for OpenBSD exploits, which we have already came across

For exploitation , we need to be in auth group then we can exploit skey LPE exploit.

So we directly go to /tmp dir. Then we write c code in swrast_dri.c . Then we compile the same code using gcc . Then we set the environment and echo new md5 value for password for root in /etc/skey/root. Then we simply switch user to root.

Hurray we are now root. We can now collect the proof.txt from /root dir.




OSCP | CEH | Cyber Security Enthusiast.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store