Official OpenKeyS Discussion

Rooted!

openkeys# whoami && id && hostname
root
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys.htb

Foothold was tricky. If anyone is not able to get root, you’ll have to try multiple times. I got it on my third try.

Rooted this machine just now. Very easy machine.

Missing an important thing will cost hours of time. Thanks @tomunderhill for reminding me what I missed during the enumeration phase.

My hints:
For user/foothold: How do you read ‘strings’ from a bin? (No RE needed) - Google FU - CVE
For system: CVE again

Rooted but unlike @gunroot, I didn’t think it was that easy :smile:

I got caught up in lots of rabbit holes at the start but, with a nudge from @MariaB, I got out and, looking back, a lot of the data I gathered flailing around at the start made getting root super easy.

Getting user is one of those things which, once you’ve done it, seems obvious but when you are going the other way, it can seem impossible. All I can say is the hints in the forum help, enumerate services, try to download everything you find, analyse everything you find. From there, practice google-fu and find some public vulnerabilities.

As @VoltK has said, you can get everything you need from one article via Google.

However, you might find it easier to get the repo for privesc as that is genuinely click-root.

Rooted!!!
Good machine to learn from. Took a while to know what to do at first.
:slight_smile:

PM for help

Rooted!

openkeys# id && hostname
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys.htb

Very Easy :smile::smile: :smile:

Is an OpenBSD machine needed for RE?

@NFire0111111 said:

Is an OpenBSD machine needed for RE?

No.

Did port 80 die? I am not getting it.

kind of cve

@gunroot said:

Rooted this machine just now. Very easy machine.

Missing an important thing will cost hours of time. Thanks @tomunderhill for reminding me what I missed during the enumeration phase.

My hints:
For user/foothold: How do you read ‘strings’ from a bin? (No RE needed) - Google FU - CVE
For system: CVE again

Agreed, very close hints.

Finally Rooted!!!

Maybe I'm late to start pwning this box… but trust me, to pwn this box you just need to keep googling more and more…

openkeys# whoami;id;hostname
root
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys.htb

Foothold had me for a really long time, thanks to @SanderZ31 for their help with that!

I wouldn’t consider foothold to be RCE. The binary is helpful in identifying the vulnerability but then you need to combine this with a bit of session trickery to get what you are hoping to get. If you have spent time on foothold, no doubt you also came across privesc for root. You can either do it manually or find a public exploit.

Happy to help if you need a nudge in the right direction.

Alrighty, I found the interesting article and am able to login on the webapp, but now I need to find a way to get the username right to do what the webapp says because it lets me in but it only shows an error… any hints?

@Baud said:

Alrighty, I found the interesting article and am able to login on the webapp, but now I need to find a way to get the username right to do what the webapp says because it lets me in but it only shows an error… any hints?

Have you ever eaten choco-cookies?

rooted !!!

Worst part was that trying the same thing manually didn’t work but the script did. Still figuring that out.

PM for nudges. Thanx @SanderZ31

Manual exploitation worked too.

Thanks for the box, overall good experience even if the start was a bit bumpy :smile:

For those struggling with the foothold - search for vulns and combine the read with some delicious cookies :wink: