Official OpenKeyS Discussion

Comment voluntarily removed to reduce confusion and rabbit holes for others.

Maybe exxxxxshxxlxxd exploit

Anyone else getting ld.so errors via gdb?

Found a BSD file, not sure what I can do with it. I did try Ghidra and gdb but no luck.

Do we really need to do RE?

Tried RE the file but no luck, tried command injection on the found php file but probably prevented by escapeshellcmd. Bit stuck, perhaps trapped in a rabbithole? :wink:

@SanderZ31 said:

Tried RE the file but no luck, tried command injection on the found php file but probably prevented by escapeshellcmd. Bit stuck, perhaps trapped in a rabbithole? :wink:

Same here. Found an interesting function name in the file, but can’t find additional info about it. Any hints?

For foothold: don’t blind yourself to what’s in front of you. Sometimes, the thing that you’ve been looking for has been right there all along. Who is responding to your request?

@barw said:

@m4lwhere if you want to get it executed on OpenBSD, ensure you are using correct arch/instruct as well…

Thank you, I believe that is the problem I’m having. Troubleshooting continues…

Edit: it is unnecessary to get that deep into the program; simple enumeration of it is necessary. I overlooked this during my initial examination, then got lost setting up new OpenBSD VMs.

@tomunderhill said:

Hmm ok RE looks likely, first time ever for me, anyone got some good starting points to learn the basics of ELF RE? Spent an hour googling so far, but if anyone has a leg up on how to use and understand the tools (ghidra / gdb etc) that’d be appreciated.

Keep getting stuck on ‘No such file or directory’ - possibly libc 95?
Not making sense to me but always keen to learn.

Please remove if it’s in any way a spoiler, but seeing as I haven’t even got foothold… thought it was ok.

It’s indeed concerning libc, you need the right version.
About how to use the tools, you can check the LiveOverflow channel on YouTube; you get the basics of gdb, other debugging tools and ELF RE.

Is it RE?

@iampachinko said:

Is it RE?

Who knows, if I answer that all the fun of the box will be gone.

Root!

uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

@Caracal

Much appreciated, thanks for the confirmation and steer towards some relevant learning.

kinda struggling with root, anyone got a hint?

Really interesting machine, learned some new skills, thanks @polarbearer and @GibParadox!

openkeys# id;whoami;hostname
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
root
openkeys.htb
openkeys# 

Feel free to DM For NUDGES! :wink:

@OrkaThaHacker said:

kinda struggling with root, anyone got a hint?

If you’ve done user, the root part is straightforward before even getting on the box. Come back to your notes and also maybe the different articles that you have read for the first part.

I am working on root myself. I am working on more enumeration at the moment. I have a path for elevation (I believe) but looking for credentials.

Never mind what I stated, not the correct path…

I’m struggling with the RE bit, most functions appear to be useless and the only one with an interesting name is undefined, so I can’t see how this binary could be of any use, or how to dig deeper. Any hints?