[HTB] OpenKeys Write-Up

Personal Blog
Nov 5, 2020

I always start an nmap scan with these parameters:

sudo nmap -A -T4 -p- <IP>

It returns the most information about an IP address. I saw that port 80 was open, running OpenBSD with an authentication login form; I tried to brute-force it but had no luck. I then searched for OpenBSD vulnerabilities and found a page with some syntax that can be used to bypass the authentication. I only needed a valid username!

The syntax was “-schallenge”; next was to find a valid username. I tried admin but failed to authenticate, and brute-forcing it had no luck either. I managed to bypass the login form by putting the syntax in both the username and password fields, but it just returned “no user was found”. It was almost time to give up on the vulnerability, but I decided to run Gobuster just to see which directories were open.

sudo gobuster dir -u http://10.10.10.199/ -w <WORDLIST>

I found that /includes was open with 2 files in it. One of them had nothing, but the other had some logged headers and a name with the link of the box, “jenniferopenkey.htb”; just by guessing, I assumed “jennifer” was a username! I tried username=jennifer and password=“-schallenge” and got Access Denied… so jennifer is a valid user!
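The two things a defender would want to catch here are a login attempt whose username begins with a dash (an option-looking value reaching an authenticator), and an authenticated session that later claims a different identity from the one it logged in with; the exposed /includes directory is a third, simpler signal. The script below is an added example, not code from the write-up or from the box: it runs over a few constructed log lines in an assumed `key=value` format, keeps a per-session record of who authenticated, and raises an alert for each of those three conditions.

```python
import re

# Constructed sample log (assumed format: timestamp, src, sid, event, then key=value pairs).
# None of these lines come from the machine in the write-up.
SAMPLE_LOG = """\
2020-11-05T10:00:01Z src=10.10.14.5 sid=aaa1 event=login user="admin" result=fail
2020-11-05T10:00:05Z src=10.10.14.5 sid=aaa2 event=login user="-schallenge" result=ok
2020-11-05T10:00:06Z src=10.10.14.5 sid=aaa2 event=request path=/ user="-schallenge"
2020-11-05T10:00:09Z src=10.10.14.5 sid=aaa2 event=request path=/ user="jennifer"
2020-11-05T10:00:12Z src=10.10.14.7 sid=bbb1 event=request path=/includes/
2020-11-05T10:00:20Z src=10.10.14.9 sid=ccc1 event=login user="jennifer" result=ok
2020-11-05T10:00:21Z src=10.10.14.9 sid=ccc1 event=request path=/ user="jennifer"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) sid=(?P<sid>\S+) event=(?P<event>\S+)(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, value in KV_RE.findall(rec.pop("rest")):
        rec[key] = value.strip('"')
    return rec


def detect(log_text):
    """Scan log lines and return (sid, alert_kind, detail) tuples."""
    alerts = []
    session_user = {}  # sid -> username that actually authenticated
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid, user = rec["sid"], rec.get("user")

        if rec["event"] == "login":
            # A username beginning with "-" looks like a command-line option, not a name.
            if user is not None and user.startswith("-"):
                alerts.append((sid, "option-like username", user))
            if rec.get("result") == "ok":
                session_user[sid] = user

        elif rec["event"] == "request":
            # Requests into a directory that should not be browsable.
            if rec.get("path", "").startswith("/includes"):
                alerts.append((sid, "directory listing request", rec["path"]))
            # The session asserts a different identity from the one that logged in.
            bound = session_user.get(sid)
            if bound is not None and user is not None and user != bound:
                alerts.append((sid, "session identity mismatch", f"{bound}->{user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The session-correlation rule is the one that matters most: a single dash-prefixed login is easy to spot, but the identity swap only shows up when the logged-in name is remembered per session and compared against what later requests claim.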

Nothing worked until Burp came into play. I already knew that using the syntax in both the username and password bypassed the login, so what if I waited until the server authenticated the syntax and then changed the user to jennifer using Burp?

It worked on the first try, and I got some useful data out of it: a key for an OpenSSH session as the user jennifer.
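Two separate weaknesses combine in the flow above: a username beginning with a dash reaches an authenticator that parses it as an option, and after login the application takes the identity from the request rather than from the server-side session, which is why changing the user in Burp handed over another user's key. The code below is an added example, not the box's code or the write-up's: `login_helper` is a simulated stand-in for the real authenticator that reproduces only the behaviour described above, the account data is constructed, and the two application classes show the weak design beside the hardened one (username allow-listing before anything reaches the helper, and the verified identity bound to the session at login time). Patching the operating system is the actual fix for the authenticator bug; the application-level checks are defence in depth.

```python
import re
import secrets

# Constructed demo account store (plain-text password only to keep the model short).
USERS = {"jennifer": "correct-horse-battery-staple"}
SSH_KEYS = {"jennifer": "-----BEGIN OPENSSH PRIVATE KEY----- (placeholder)"}


def login_helper(username: str, password: str) -> bool:
    """Simulated command-line style authenticator (an assumption, not the real one).

    The username is handed to the helper as an argument, so a value beginning
    with "-" is parsed as an option; "-schallenge" selects a challenge style that
    this model treats as satisfied without a password.
    """
    if username.startswith("-s") and username[2:] == "challenge":
        return True
    return USERS.get(username) == password


class VulnerableApp:
    """No username validation, and the identity used after login comes from the request."""

    def __init__(self):
        self.sessions = {}  # cookie -> {"authenticated": True}

    def login(self, username, password):
        if not login_helper(username, password):
            return None
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = {"authenticated": True}  # records *that* someone logged in, not *who*
        return cookie

    def get_key(self, cookie, username):
        sess = self.sessions.get(cookie)
        if not sess or not sess.get("authenticated"):
            return "Access Denied"
        if username not in SSH_KEYS:
            return "no user was found"
        return SSH_KEYS[username]  # whoever the client names gets the key


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")  # allow-list: cannot start with "-"


class HardenedApp:
    """Allow-lists the username and binds the verified identity to the session."""

    def __init__(self):
        self.sessions = {}  # cookie -> {"user": verified username}

    def login(self, username, password):
        # 1. Reject anything that is not a plain username before it reaches the helper.
        if not USERNAME_RE.fullmatch(username):
            return None
        if not login_helper(username, password):
            return None
        # 2. Store the identity that was actually verified, server-side.
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = {"user": username}
        return cookie

    def get_key(self, cookie, username=None):
        sess = self.sessions.get(cookie)
        if not sess:
            return "Access Denied"
        # Any client-supplied username is ignored; identity comes from the session only.
        return SSH_KEYS.get(sess["user"], "no user was found")


if __name__ == "__main__":
    vuln = VulnerableApp()
    cookie = vuln.login("-schallenge", "-schallenge")
    print("vulnerable, user renamed after login:", vuln.get_key(cookie, "jennifer"))
    hard = HardenedApp()
    print("hardened, dash username rejected:", hard.login("-schallenge", "-schallenge"))
```

The order of the two checks matters: validation happens before the helper is called, so no option-looking value is ever parsed, and the session stores the name that passed validation and authentication together, so nothing sent later can change it.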

Save it to ssh.key and let's try it:

ssh -i ssh.key jennifer@10.10.10.199

I got in, and user.txt is in the same directory. It also shows us the version of OpenBSD it's running, 6.6 (Generic) #353:

Now, to escalate privileges, I searched Google for local privilege escalations for this version of OpenBSD and found CVE-2020-7247, already written in bash by this user on GitHub:

Now just copy the raw GitHub code, create a file called exploit.sh on the target machine, paste it there, and make it executable with:

chmod +x exploit.sh

Then execute the exploit by:

./exploit.sh

We owned the box!
