Official OpenKeyS Discussion

anyone else getting an “invalid format” error?

@zenrasta said:

anyone else getting an “invalid format” error?

solved

@zweeden said:

trying to root. pretty sure I found the correct cve but when I execute I’m still uid=1001.
I’ve tried both “manually” and from a well known repo. any thoughts?

With the second option there, have you entered the password it suggests?

Funny box, really easy after getting initial foothold. Nice to do an OpenBSD box

openkeys# id && hostname
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys.htb

This was quite a fun box, but finding the right articles was the hardest part. :slight_smile:

Think I have tried all privesc techniques as described in articles quite a few times but I have had no joy. Also tried the exploit in one of the favoured tools but again without any luck. Does the location of where I create files matter? Please DM me with a hint.

**Solved**

Ok, I’ve got the binary, I’ve pulled key words from it, but I just don’t know what I’m googling for here… ¯\_(ツ)_/¯

@Shadow6 said:

Ok, I’ve got the binary, I’ve pulled key words from it, but I just don’t know what I’m googling for here… ¯\_(ツ)_/¯

A combination of what information you have and what it is you are trying to bypass might help.

@TazWake said:

@Shadow6 said:

Ok, I’ve got the binary, I’ve pulled key words from it, but I just don’t know what I’m googling for here… ¯\_(ツ)_/¯

A combination of what information you have and what it is you are trying to bypass might help.

It seems I was googling the wrong key word, but I think I am back on track now. Thanks @TazWake

Ok I finally got it…
However can somebody explain (PM me) how the binary is not a complete rabbit hole ?

From analyzing the binary with Strings, I see no reason why the CVE’s that you need to find, would actually work in this particular case…

Awesome machine! Thanks to @polarbearer and @GibParadox for all the effort on this one, I really appreciate a BSD box!

The rabbit hole of the user part is face palm style, so don’t waste time walking in circles like me

My hints:

User

  • Don’t forget the OS that you are pwning
  • Looks like that file was not useless at all (try to not get confused with this one)

Root

  • Is something that you usually don’t try in HTB machines (or at least I don’t)

If this is spoiler feel free to remove it

Really nice to work on a BSD box for a change! As many people have said the initial foothold is probably the most difficult part, but there are lots of clues that might help you get on the right path.
If you get stuck after finding the vulnerable input, remember that there are several ways to send data to the server.

I was able to get root, but from some of the comments I’m led to believe that there is a way to do it with that one really popular exploit tool, but I was unable to do so. If anyone did the privesc that way I would appreciate if you sent me a DM and let me know how (which module etc.).

Nice box! Learnt about a new vulnerability in BSD.
Feel free to PM me if you’re stuck :wink:

Not sure what to think of the box. Was mostly googling and reading. Nevertheless, had fun.

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

@GHOSTontheWire said:

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

RE isn’t needed. Think a bit bigger picture with the surface information from the binary.

This was actually a surprisingly easy and short box.
Great to see a BSD box for once.

Feel free to PM me for questions.

Great box! I had not practised with BSD, and I really enjoyed it!
Congrats @GibParadox and @polarbearer

PM if you need a nudge

@Rayz said:

How did you guys figure out the second thing required for user? that took me quite some time to figure…by ‘second thing’ i mean :

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

@aquilante said:

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

Nice find, thanks!