Summary
OpenKeys is a medium-difficulty OpenBSD box created by polarbearer & GibParadox. The initial foothold is an authentication bypass via a CVE in OpenBSD's login framework, which hands us a user's SSH private key. Privilege escalation is also CVE-based and gets us root.
Initial Enumeration
nmap
# Nmap 7.80 scan initiated Fri Aug 28 08:43:26 2020 as: nmap -sC -sV -oN nmap/openKeys 10.10.10.199
We only see ports 22 and 80 open.
Web (Port:80)
Opening the page in a browser we see a login screen.
Let's run gobuster and see if we find anything interesting.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.199/ -x php -o root_php.gobuster
/images (Status: 301)
Enumerating the web page further, we find something interesting when we visit
Reading the swp file we can determine the username is jennifer.
I used
strings auth.php.swp | tac > auth.php
to turn it into a readable file. (strings | tac only approximates the original line order of a Vim swap file; vim -r auth.php.swp recovers the edited file faithfully.)
We also see another very interesting line:
$cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
which tells us about a check_auth helper binary. Note that escapeshellcmd() only neutralises shell metacharacters; it does not touch a leading dash, so a username such as -something is passed through unchanged and reaches check_auth looking like a command-line option.
Downloading it and running file on it shows it is a 64-bit ELF binary. Analyzing it in Ghidra didn't yield anything for me.
The other information we have is that this is an OpenBSD system.
Googling for an OpenBSD authentication bypass led me to this blog, which states that passing -schallenge (or -schallenge:passwd) as the username bypasses authentication (CVE-2019-19521). The leading dash is parsed by login_passwd(8) as its -s option, selecting the challenge style; the passwd style has no challenge, so login_passwd reports success without ever checking the password.
Trying that, we bypass the login.
After the bypass the server takes the username from the session cookie rather than from the login form, so passing username=jennifer in the cookie while logging in gets us jennifer's private key.
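To make the argument-injection point concrete, here is an added example (not code from the box or from the original writeup). It ports the escaping rule of PHP's escapeshellcmd() to Python, builds the same command string auth.php builds, and shows that a username beginning with - survives untouched while a shell metacharacter is escaped. It then shows a hardened builder that validates the username against an allow-list and passes an argv list with no shell. The regex, the length limits and the simplified quote handling are my assumptions, and nothing here executes check_auth.

```python
"""Why escapeshellcmd() did not stop the OpenKeys login bypass (added example)."""
import re

# Characters PHP's escapeshellcmd() prefixes with a backslash (see php-src
# ext/standard/exec.c). Simplification in this port: quotes are always
# escaped, whereas PHP leaves a matched pair of quotes alone.
_META = set('#&;`|*?~<>^()[]{}$\\\x0a\xff\'"')


def escapeshellcmd(s: str) -> str:
    """Python port of PHP escapeshellcmd(): neutralises shell metacharacters only."""
    return "".join("\\" + ch if ch in _META else ch for ch in s)


def vulnerable_cmd(username: str, password: str) -> str:
    """The command string auth.php hands to the shell (mirrors the swp file).

    Shell injection is blocked, but a leading '-' is not a metacharacter, so
    '-schallenge' reaches check_auth exactly as typed.
    """
    return escapeshellcmd("../auth_helpers/check_auth " + username + " " + password)


# Assumed allow-list: letters, digits, underscore and dash, but the first
# character may not be '-', so no accepted value can ever look like an option.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def username_ok(username: str) -> bool:
    """True only for usernames that cannot be mistaken for an option."""
    return _USERNAME_RE.match(username) is not None


def hardened_argv(username: str, password: str) -> list:
    """Validate, then return an argv list for subprocess.run(argv, shell=False).

    Each element is exactly one argument, so neither metacharacters nor
    spaces can alter the command. The leading-dash rule closes the
    argument-injection hole at the web layer; it is a mitigation only,
    because check_auth forwards the name to libc's auth_userokay(), which
    builds its own argv for login_passwd. Patching libc remains the real fix.
    """
    if not username_ok(username):
        raise ValueError("rejected username: %r" % username)
    if not 1 <= len(password) <= 128:
        raise ValueError("rejected password length")
    return ["../auth_helpers/check_auth", username, password]


if __name__ == "__main__":
    for u in ("jennifer", "jennifer;id", "-schallenge", "-schallenge:passwd"):
        print("%-20s -> %s" % (u, vulnerable_cmd(u, "x")))
    for u in ("jennifer", "-schallenge"):
        print("%-20s -> accepted=%s" % (u, username_ok(u)))
```

Running it prints the escaped command for each username: jennifer;id becomes jennifer\;id, while both -schallenge variants pass through unchanged, which is exactly what the bypass relies on.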
User
Using the key we can SSH in as jennifer and grab the user flag.
Privilege Escalation
Enumerating again, I didn't see anything interesting.
So I went back to that blog and saw we can escalate privileges via xlock (CVE-2019-19520), which is installed setgid auth on OpenBSD and can be made to load a shared library from a user-controlled path. Googling for a PoC we find an exploit on GitHub; copying it to the box and running it gives us a root shell.
And we have pwned OpenKeys 💃