HTB — OpenKeyS Walkthrough

Atalay Samet Ergen
5 min read · Dec 12, 2020


We first run nmap to enumerate open ports and services running on those ports.

We start by enumerating HTTP, which runs on port 80. Visiting the page, we see an authentication login form.

We need admin credentials.

First we try common credentials such as admin/admin, admin/password and admin/openkeys. None of them work.

After searching for OpenBSD vulnerabilities, we find the authentication-vulnerabilities advisory published by Qualys.

Let’s visit the post.

As explained in the advisory, specifying the username as “-challenge:passwd” bypasses the authentication outright.
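From the defender's side, the tell-tale of this bypass is a submitted username that begins with “-”, which the back-end login helper interprets as an option rather than an account name. The following is an added example, not code from the original walkthrough or from OpenKeyS: it rejects such usernames at the portal (defence in depth; the real fix is the vendor patch) and scans a constructed, hypothetical login-log format for attempts that used one.

```python
import re
from typing import Dict, List

# A username beginning with "-" is the signature of the option-injection bypass
# described in the Qualys advisory: the login helper parses it as an option.
DASH_USERNAME = re.compile(r"^-")
# Conservative allow-list for a portal whose logins map to system accounts
# (assumed policy: lowercase, digits, underscore, dash; never a leading dash).
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def username_is_safe(username: str) -> bool:
    """Reject anything that could be parsed as an option or is not a plain account name."""
    return bool(VALID_USERNAME.match(username)) and not DASH_USERNAME.match(username)


# Constructed sample log; the format "<ip> LOGIN user=<name> result=<ok|fail>"
# is hypothetical and stands in for whatever the portal actually records.
SAMPLE_LOG = """\
10.10.14.2 LOGIN user=jennifer result=fail
10.10.14.2 LOGIN user=admin result=fail
10.10.14.2 LOGIN user=-challenge:passwd result=ok
10.10.14.2 LOGIN user=-schallenge result=ok
10.10.14.7 LOGIN user=jennifer result=ok
"""

LOG_LINE = re.compile(r"^(?P<ip>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>\S+)$")


def find_option_injection(log_text: str) -> List[Dict[str, str]]:
    """Return log records whose user name starts with '-'.

    Such an attempt should never succeed; a record with result=ok is a strong
    indicator that the unpatched bypass is being used against this host.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not login records
        if DASH_USERNAME.match(m["user"]):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_option_injection(SAMPLE_LOG):
        print(f"ALERT option-like username {hit['user']!r} from {hit['ip']} result={hit['result']}")
```

The allow-list check belongs in the web tier before the username reaches the system authentication layer; the log scan is the SOC-side counterpart and is easy to port to whatever field names the real access log uses.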

This is good in a way, but we still need a real user. How can we find one? Let’s run dirb, which discovers directories and files on web sites.

The “includes” directory might be interesting.

Let’s check them out.

Well. It is empty. How about the other one?

Now we got something.

Before continuing with enumeration, we add the host names.

We open Burp in order to intercept the traffic.

We point the browser at it via FoxyProxy.

We see the request. By pressing “CTRL+R” we send it to the Repeater tab.
Note: We are on the Repeater in the picture below.

Here we try various combinations until the service accepts the request. Adding “username=jennifer” to the Cookie header finally works.

Voila! We get the ssh private key.

To retrieve the private key in the web browser, we go to the login form and log in again with the same credentials, then forward the request after adding “username=jennifer” to it.

Forward the request again.

Yes! We get it properly.

We copy the key and save it to a file. Afterwards we give the file the appropriate permissions, 600.

Permissions of 600: the owner of the file has read and write access, and no other user has any access.
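OpenSSH refuses a private key that other users can read, so the mode check is worth automating wherever keys get dropped onto a host. The snippet below is an added example, not part of the original walkthrough: it tests whether a key file already has owner-only permissions and tightens it to 0600 if not, returning the before/after modes so the change can be logged. The demo writes a placeholder (not a real key) to a temporary file.

```python
import os
import stat
import tempfile

# Any group or other bit set means the key is not private to its owner.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def key_file_is_private(path: str) -> bool:
    """True if the file has no group/other permission bits (0600 or stricter, e.g. 0400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & NON_OWNER_BITS == 0


def secure_key_file(path: str) -> dict:
    """Tighten the file to 0600 if needed and report modes as octal strings.

    0600 keeps read/write for the owner and removes every other permission,
    which is the state the walkthrough sets by hand with chmod 600.
    """
    before = stat.S_IMODE(os.stat(path).st_mode)
    if before & NON_OWNER_BITS:
        os.chmod(path, 0o600)
    after = stat.S_IMODE(os.stat(path).st_mode)
    return {"before": oct(before), "after": oct(after), "changed": before != after}


def demo() -> dict:
    """Constructed scenario: a key pasted into a file that inherited the default 0644."""
    fd, path = tempfile.mkstemp(prefix="id_rsa_demo_")
    os.close(fd)
    with open(path, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                "(placeholder body, not a real key)\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(path, 0o644)  # the typical state right after a copy-paste
    result = secure_key_file(path)
    result["private_now"] = key_file_is_private(path)
    os.unlink(path)
    return result


if __name__ == "__main__":
    print(demo())
```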

Let’s SSH into Jennifer’s account.

Perfect! We are in and grabbing the user.txt flag.

Searching for this OpenBSD release leads us here.

After reading the blog post above, we move on to another advisory published by Qualys in order to escalate privileges.

https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt

First, we check whether we can bypass authentication by trying the invalid user “-schallenge”.

We get a segmentation fault caused by a null pointer dereference, which confirms this host is affected and we can proceed with the vulnerability.

xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.

https://nvd.nist.gov/vuln/detail/CVE-2019-19520

The third step is local privilege escalation via S/Key and YubiKey.

OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root’s file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.

https://nvd.nist.gov/vuln/detail/CVE-2019-19522
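The flaw described above is an ownership problem: a token file named after root that is not owned by root. The audit below is an added example, not code from the original walkthrough or from OpenBSD: it lists the files in the two directories the NVD entry names and reports any whose owner is neither root nor the account the file is named after. That invariant is an assumption chosen for the audit, not necessarily the exact check the vendor patch performs. The core logic takes (name, owner uid) pairs so it can be exercised with constructed data; `audit_system()` applies it to the live directories on a POSIX host.

```python
import os
import pwd  # POSIX only
from typing import Callable, Iterable, List, Optional, Tuple

# Directories named in CVE-2019-19522 (OpenBSD with non-default S/Key or YubiKey auth).
TOKEN_DIRS = ("/etc/skey", "/var/db/yubikey")


def audit_entries(entries: Iterable[Tuple[str, int]],
                  resolve_uid: Callable[[str], Optional[int]]) -> List[str]:
    """Each entry is (file name, owner uid).

    A token file is named after the account it authenticates, so its owner is
    expected to be root or that account (assumed invariant). Files for accounts
    that do not exist are reported too, since nothing legitimate creates them.
    """
    findings = []
    for name, owner in entries:
        expected = resolve_uid(name)
        if expected is None:
            findings.append(f"{name}: owned by uid {owner} but no such account exists")
        elif owner not in (0, expected):
            findings.append(f"{name}: owned by uid {owner}, expected root (0) or uid {expected}")
    return findings


def system_uid(name: str) -> Optional[int]:
    """Resolve an account name through the system password database."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def scan_dir(path: str) -> List[Tuple[str, int]]:
    """Collect (name, owner uid) for regular files in a token directory; symlinks are not followed."""
    out = []
    if not os.path.isdir(path):
        return out
    with os.scandir(path) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                out.append((e.name, e.stat(follow_symlinks=False).st_uid))
    return out


def audit_system() -> List[str]:
    """Run the audit over the real directories; empty list means nothing suspicious."""
    findings = []
    for d in TOKEN_DIRS:
        findings += [f"{d}/{f}" for f in audit_entries(scan_dir(d), system_uid)]
    return findings


if __name__ == "__main__":
    for finding in audit_system():
        print("FINDING", finding)
```

On a host where S/Key or YubiKey authentication is not enabled the directories are usually absent and the audit returns nothing; where they exist, a finding for `root` is the condition worth paging on.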

We have a shell! Grab the root.txt flag.

Thank you for your time.

Originally published at https://atalaysblog.wordpress.com on December 12, 2020.
