Foothold
First, let's scan the IP address.
nmap -A -T5 -sC -p19-65000 10.10.10.199
As we can see, the nmap scan shows that the machine is running OpenBSD (the -A option already includes the default script scan, so -sC is redundant here). I also added openkeys.htb to my /etc/hosts file. Now it's worth checking the web server.
vim /etc/hosts
I wonder if this is the login page.
User
First, I'll run ffuf to find interesting files or directories, and while ffuf is fuzzing the web server I will study the login page with Burp Suite.
ffuf -u http://openkeys.htb/FUZZ -w /usr/share/wordlists/dirb/big.txt -e .txt,.html,.php -c
As you can see, the POST request is quite simple. We could try brute-forcing credentials with Hydra, but I don't think that is the intended path. Let's take a look at what ffuf found instead.
I think we should check the includes web directory
In the includes directory I found auth.php and auth.php.swp. The .swp file is a Vim swap file left behind by an editing session, and it contains the buffer contents, so I can use it to recover the source of auth.php.
wget http://openkeys.htb/includes/auth.php.swp && vim -r auth.php.swp
Just press Enter at the recovery prompt and we get the auth.php source code.
It looks like authentication is delegated to the binary ../auth_helpers/check_auth, so we should download it and study it.
curl openkeys.htb/../auth_helpers/check_auth -o check_auth && file check_auth
After downloading the file with curl I ran the file utility on it, which reported an OpenBSD ELF executable, so it will not run on my Linux machine. At first I thought it was time for reverse engineering, but that turned out to be a rabbit hole, so I took a different path and ran strings over both files. In auth.php.swp I found a potential username, jennifer, and in check_auth I found a reference to the libc.so.95.1 library, which is the OpenBSD C library.
Googling, I found an article describing and exploiting a vulnerability in OpenBSD's libc authentication layer (CVE-2019-19521). libc passes the user name to the login_* helper program as a plain argv element, so a user name beginning with a dash is parsed as an option: the name -schallenge is read as -s challenge, which makes login_passwd report success without checking any password. Now let's try to exploit this vulnerability on the login page.
With the user name -schallenge and any password, I successfully log in to the web app.
"No keys found for user -schallenge". So the application looks up SSH keys by user name, but the bypass only works with the user name -schallenge. After some thought I noticed that the user name is also stored in a cookie, so I changed it to jennifer (the user name I got from auth.php.swp) with the Firefox extension Cookie-Editor, and the application handed me her id_rsa key. The key lookup trusts a client-controlled cookie, which is the second weakness that makes this work.
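To make the -schallenge bypass concrete, here is an added example (my own toy model, not code from this writeup or from the OpenBSD sources) of why a user name that starts with a dash defeats the authentication helper. The caller builds an argv the way libc's auth_call() does, with the user name placed after the -s service option pair, and the helper parses that argv with getopt(3)-style rules ("-sX" is the same as "-s X", and BSD getopt stops at the first non-option or at "--"). The user table, the password parameter and the class argument "default" are constructed for the example; in the real helper the password arrives over a back channel rather than as a function argument.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user database for the toy helper (not real credentials). */
static const struct { const char *user, *password; } users[] = {
    { "jennifer", "correct-horse" },
};

/* Toy login_passwd: argv is parsed like getopt(3) with optstring "s:",
 * stopping at the first non-option or at "--" (BSD getopt does not permute).
 * Positional arguments are: username [class]. The password is passed in
 * separately, standing in for the real back channel.
 * Returns 1 for "authenticated", 0 otherwise. */
static int toy_login_passwd(int argc, const char **argv, const char *password)
{
    const char *service = "login", *user = NULL;
    int i;

    for (i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0) { i++; break; }   /* end of options */
        if (a[0] != '-') break;                      /* first positional */
        if (a[1] == 's' && a[2] != '\0')             /* "-schallenge" */
            service = a + 2;
        else if (a[1] == 's' && i + 1 < argc)        /* "-s login" */
            service = argv[++i];
        else
            return 0;                                /* usage error */
    }
    if (i >= argc)
        return 0;                                    /* no username */
    user = argv[i];

    if (strcmp(service, "challenge") == 0) {
        /* Mirrors login_passwd's challenge mode: it answers BI_SILENT and
         * exits 0 without ever looking at a password, and the caller takes
         * that as a successful authentication. */
        puts("BI_SILENT");
        return 1;
    }
    for (size_t k = 0; k < sizeof users / sizeof users[0]; k++)
        if (strcmp(users[k].user, user) == 0 &&
            strcmp(users[k].password, password) == 0)
            return 1;
    return 0;
}

/* Vulnerable caller: like libc's auth_call(), the user name goes straight
 * into argv after the "-s service" pair, so "-schallenge" is consumed as a
 * second -s option and the class "default" becomes the username. */
int auth_userokay_vulnerable(const char *name, const char *password)
{
    const char *argv[] = { "login_passwd", "-s", "login", name, "default", NULL };
    return toy_login_passwd(5, argv, password);
}

/* Hardened caller: refuse names that look like options, and additionally
 * terminate option parsing with "--" so the helper can never read a
 * positional argument as an option even if the name check is bypassed. */
int auth_userokay_fixed(const char *name, const char *password)
{
    if (name[0] == '\0' || name[0] == '-')
        return 0;
    const char *argv[] = { "login_passwd", "-s", "login", "--", name, "default", NULL };
    return toy_login_passwd(6, argv, password);
}

int main(void)
{
    printf("vulnerable  -schallenge / bogus         : %d\n",
           auth_userokay_vulnerable("-schallenge", "bogus"));
    printf("vulnerable  jennifer / bogus            : %d\n",
           auth_userokay_vulnerable("jennifer", "bogus"));
    printf("fixed       -schallenge / bogus         : %d\n",
           auth_userokay_fixed("-schallenge", "bogus"));
    printf("fixed       jennifer / correct-horse    : %d\n",
           auth_userokay_fixed("jennifer", "correct-horse"));
    return 0;
}
```

The lesson generalises beyond OpenBSD: whenever attacker-controlled text is handed to a program as an argument, either validate that it cannot start with a dash or put it after a "--" terminator, because the receiving program's option parser will otherwise treat it as an option.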
Now connect via SSH with the recovered key.
chmod 700 id_rsa
ssh jennifer@openkeys.htb -p 22 -i id_rsa
Privilege Escalation
After googling I found an exploit for CVE-2019-19520 on GitHub. This is the xlock local privilege escalation from the same Qualys advisory as the authentication bypass; on its own it only gives membership of the auth group, and the public exploit chains it with CVE-2019-19522 (abuse of that group's write access to the S/Key and YubiKey authentication files) to reach root.
I serve the exploit from my machine with Python's SimpleHTTPServer, download it onto the target with curl, run it, and get root.
That's all. Thanks for your attention.