Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
Header

OpenKeyS is a Medium level OpenBSD machine. Based on the community statistics, it looks like we’ll be focusing primarily on leveraging existing CVEs. Statistics

Information Gathering

Nmap:

By scanning the target IP with Nmap, we’re able to find what ports are open (-p), while fingerprinting the services running and their versions (-sV). We’re also running the default set of scripts (-sC), which can help find additional information and automate some of our initial steps. Once the scan is completed, nmap will write the results to our Extracts folder (-oA)
>> nmap -p22,80 -sC -sV -oA Extracts/OpenKeyS 10.10.10.199
Nmap

OpenKeyS

One of the first things we see when loading up 10.10.10.199 is the login. At the top of the screen, we can also see the title “OpenKeyS - Retrieve your OpenSSH Keys”.

What happens why we try the credentials admin and password?
Login

Directory Enumeration

Lets kick off a scan using Gobuster. This will allow us to enumerate any paths and files we can use to find additional information. We can point the tool at the desired url (-u) while passing in a list of directories and filenames to look for (-w). Because our wordlist may not contain all the file extensions we care about, we can specify endings like php and txt (-x). Lastly, there are thousands of calls being made, so speeding up the tool with higher threads can help (-t).
>> gobuster dir -u http://10.10.10.199 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,txt -t 100
Gobuster

Navigating to 10.10.10.199/includes shows us a directory containing two files, auth.php, and auth.php.swp. Looking at the details of the latter discloses the username “jennifer”, perhaps this is the username we need to login?
File Command

Code Review

In addition to the username, we also learn that the file originated in Vim. By loading the file in recovery mode, we’re able to read its contents and learn more about how the application handles its auth.
Auth Code

The piece worth looking at here is in the init_session() function, where it’s setting the session username with $_REQUEST['username']. This tells the server to retrieve the value of username from not only the body of the request, but also from the cookies.

Searching for vulnerabilities

The fact that most boxes on Hack The Box are Windows and Linux-based makes the creator’s OpenBSD choice a little suspicious. After focusing on vulnerabilities around authentication in OpenBSD, one particular article stands out. It appears that by substituting a username with -schallenge, we’re able to bypass the authentication. Let’s try it out:
SChallenge

Interesting, while our bypass seems to have worked, there is no OpenSSH Key found for our user.

Foothold

Traffic Manipulation

Knowing we have a way to bypass the authentication, and a potential username, let’s intercept the request in Burpsuite and modify it. Burpsuite is a tool for proxying, manipulating, and scanning web traffic making it extremely beneficial to use when tinkering with requests. Here, we’ve intercepted our -schallenge request, and added a username cookie with the value set to jennifer. This should combine our authentication bypass with the $_REQUEST['username'] weakness we discovered earlier.
Cookie

Success! Forwarding that manipulated traffic results in tricking the server into sending us back the OpenSSH Key for Jennifer.
Key

SSH

We should now be able to remote into the machine as Jennifer using her private key.
>> ssh -i Extracts/jennifer.key jennifer@10.10.10.199
Jennifer

User Flag

>> cat user.txt
User

Privilege Escalation

Keeping in mind that we’re targetting an OpenBSD machine, we can research different exploits allowing us to escalate privileges. While there were a number of options available, this exploit appears to work just fine.
>> ./exploit.sh
Exploit

Root Flag

>> cat /root/root.txt
Root