Official OpenKeyS Discussion

Ok I finally got it…
However, can somebody explain (PM me) how the binary is not a complete rabbit hole?

From analyzing the binary with strings, I see no reason why the CVEs that you need to find would actually work in this particular case…

Awesome machine! Thanks to @polarbearer and @GibParadox for all the effort on this one, I really appreciate a BSD box!

The rabbit hole of the user part is facepalm-style, so don’t waste time walking in circles like me.

My hints:

User

  • Don’t forget the OS that you are pwning
  • Looks like that file was not useless at all (try to not get confused with this one)

Root

  • Is something that you usually don’t try in HTB machines (or at least I don’t)

If this is spoiler feel free to remove it

Really nice to work on a BSD box for a change! As many people have said the initial foothold is probably the most difficult part, but there are lots of clues that might help you get on the right path.
If you get stuck after finding the vulnerable input, remember that there are several ways to send data to the server.

I was able to get root, but from some of the comments I’m led to believe that there is a way to do it with that one really popular exploit tool, but I was unable to do so. If anyone did the privesc that way I would appreciate it if you sent me a DM and let me know how (which module etc.).

Nice box! Learned about a new vulnerability in BSD.
Feel free to PM me if you’re stuck :wink:

Not sure what to think of the box. Was mostly googling and reading. Nevertheless, had fun.

Thanks to @TazWake for the initial foothold.
Stuck in the RE rabbit hole.

@GHOSTontheWire said:

Thanks to @TazWake for the initial foothold.
Stuck in the RE rabbit hole.

RE isn’t needed. Think bigger picture with the surface information from the binary.

This was actually a surprisingly easy and short box.
Great to see a BSD box for once.

Feel free to PM me for questions.

Great box! I had not practised on BSD, and I really enjoyed it!
Congrats @GibParadox and @polarbearer

PM if you need a nudge

@Rayz said:

How did you guys figure out the second thing required for user? That took me quite some time to figure out… By ‘second thing’ I mean:

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

If you are still looking for some references, take a closer look at the differences between the files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guess you may be interested too. Sorry for the spam if you are not.

@aquilante said:

If you are still looking for some references, take a closer look at the differences between the files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guess you may be interested too. Sorry for the spam if you are not.

Nice find, thanks!

Having a rough time with root. I think I’ve found “the article” that is the key to this box, but none of the privesc is working after a few attempts. Have tried several variations of the original user exploit as well. Any help is much appreciated.

Never mind, figured it out. I was on the right path, but for some reason it didn’t work on the first couple of tries. PM if you need help.

This was a fun box. I went down a couple of rabbit holes, and completely missed the first step to foothold, but once I slowed down and paid attention it went quickly.

All you need for foothold->user->root is in prior posts.

good one!!!

Nice box, got #root.
Learned a lot about new things.
Feel free to PM me for nudges.

Rooted. Fun box, thanks to aswathamasam for the nudge on the foothold. If you’re trying to get root and you’re sure that you’re using the right exploit but it’s not working, try creating a folder in tmp and running it from there.

pm for nudge

Should the username be obtained using bruteforce? Or did I miss something?

@ompamo said:

Should the username be obtained using bruteforce? Or did I miss something?

I think you missed something. It is in the file.

Rooted!!!
Ping me for any hints and tips.