OpenKeys - K3nX

  • The machine name is OpenKeys and its IP address is 10.10.10.199
  • This is an OpenBSD machine

Nmap

#cat openkey.nmap
# Nmap 7.80 scan initiated Wed Jul 29 23:45:58 2020 as: nmap -sSV -O -A -T4 -sC -oN openkey.nmap 10.10.10.199
Nmap scan report for 10.10.10.199
Host is up (0.47s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/29%OT=22%CT=1%CU=33015%PV=Y%DS=2%DC=T%G=Y%TM=5F21AF2
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=F8%GCD=1%ISR=10F%TI=RD%CI=RI%II=RI%TS=22)
OS:OPS(O1=M54BNNSNW6NNT11%O2=M54BNNSNW6NNT11%O3=M54BNW6NNT11%O4=M54BNNSNW6N
OS:NT11%O5=M54BNNSNW6NNT11%O6=M54BNNSNNT11)WIN(W1=4000%W2=4000%W3=4000%W4=4
OS:000%W5=4000%W6=4000)ECN(R=Y%DF=N%T=40%W=4000%O=M54BNNSNW6%CC=N%Q=)T1(R=Y
OS:%DF=N%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=FF%IPL=38%UN
OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%CD=S)

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   451.30 ms 10.10.16.1
2   246.59 ms 10.10.10.199
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

According to the nmap results, port 22 (SSH) and port 80 (OpenBSD httpd) are open.

Web Enumeration

  • I see this web page

  • Let's run a directory scan

    # gobuster dir -u http://openkeys.htb/ -w /opt/wordlists/directory-list-2.3-medium.txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://openkeys.htb/
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Timeout:        10s
    ===============================================================
    2020/07/30 00:21:28 Starting gobuster
    ===============================================================
    /images (Status: 301)
    /css (Status: 301)
    /includes (Status: 301)
    /js (Status: 301)
    /vendor (Status: 301)
    /fonts (Status: 301)
    ===============================================================
    2020/07/30 00:36:38 Finished
    ===============================================================
    
  • I found one interesting directory called includes


  • I found that the first one, auth.php, is nothing, and the second one is useful for me

  • I got username jennifer from this second one

User Shell

    • I know this is an OpenBSD machine. At this point, I thought about auth.php.swp; it might be an authentication error, so I searched Google for OpenBSD authentication vulnerabilities

    • After a few minutes of searching, I found a useful one on Packet Storm

    • I logged in with -schallenge:passwd

    • I added the username jennifer with the cookie editor like this

    • I logged in again and, boom, I got user jennifer's SSH key

    • Logging in over SSH with this key, I got the user flag
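
A defender's view of the login step above, as an added example (not part of the original writeup or the machine's own code): a Python check that rejects usernames starting with a hyphen, such as -schallenge:passwd, and flags requests where a cookie-supplied username differs from the submitted one. The log format, the field names form_user and cookie_user, and the sample records are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Allow-list: a username must start with an alphanumeric character, so it can
# never be read as a command-line option by a downstream authentication helper.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs of the hypothetical log format

def classify_username(name):
    """Return 'ok', 'option-like' (leading hyphen) or 'invalid'."""
    if SAFE_USERNAME.fullmatch(name):
        return "ok"
    return "option-like" if name.startswith("-") else "invalid"

def scan_login_log(lines):
    """Return (line_no, reasons) for every login record that needs review."""
    findings = []
    for no, line in enumerate(lines, 1):
        rec = {k: unquote_plus(v) for k, v in FIELD.findall(line)}
        form_user = rec.get("form_user", "")
        cookie_user = rec.get("cookie_user", "")
        reasons = []
        verdict = classify_username(form_user)
        if verdict != "ok":
            reasons.append(f"form username {form_user!r} is {verdict}")
        # A client-supplied identity that differs from the authenticated one
        # must never decide whose data the application returns.
        if cookie_user and cookie_user != form_user:
            reasons.append(f"cookie names {cookie_user!r}, form names {form_user!r}")
        if reasons:
            findings.append((no, reasons))
    return findings

# Constructed sample records (hypothetical format, documentation addresses).
SAMPLE_LOG = [
    "ts=2020-07-30T00:40:11Z src=192.0.2.10 form_user=alice cookie_user=",
    "ts=2020-07-30T00:41:02Z src=192.0.2.44 form_user=-schallenge%3Apasswd cookie_user=",
    "ts=2020-07-30T00:41:37Z src=192.0.2.44 form_user=-schallenge%3Apasswd cookie_user=jennifer",
    "ts=2020-07-30T00:45:00Z src=192.0.2.10 form_user=bob+smith cookie_user=",
]

if __name__ == "__main__":
    for no, reasons in scan_login_log(SAMPLE_LOG):
        print(f"line {no}: " + "; ".join(reasons))
```

The same allow-list belongs in the web application itself, applied before the username reaches any authentication helper, with the session identity taken only from the server-side result of that authentication.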

Privilege Escalation to root

    • After some enumeration, I found this machine is vulnerable to CVE-2019-19522 (OpenBSD local root exploit)
    • I found an exploit on GitHub (Exploit)
    • I uploaded this exploit to the HTB machine and ran it
    • After waiting a few seconds, boom, I got root

    • Finally, I got the root flag and owned this machine