Official OpenKeyS Discussion

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

@GHOSTontheWire said:

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

RE isn’t needed. Think a bit bigger picture with the surface information from the binary.

This was actually a surprisingly easy and short box.
Great to see a BSD box for once.

Feel free to PM me for questions.

Great box! I had not practised with BSD, and I really enjoyed!
Congrats @GibParadox and @polarbearer

PM if you need a nudge

@Rayz said:

How did you guys figure out the second thing required for user? That took me quite some time to figure… By ‘second thing’ I mean:

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

@aquilante said:

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

Nice find, thanks!

Having a rough time with root. I think I’ve found “the article” that is the key to this box but none of the priv esc is working after a few attempts. Have tried several variations of the original user exploit as well. Any help is much appreciated

Never mind, figured it out. I was on the right path but for some reason it didn’t work on the first couple tries. PM if you need help

This was a fun box. I went down a couple of rabbit holes, and completely missed the first step to foothold, but once I slowed down and paid attention it went quickly.

All you need for foothold->user->root is in prior posts.

good one!!!

nice box Got #root
Learned a lot about new things
Feel free to PM me for nudges

Rooted. Fun box, thanks to aswathamasam for the nudge on foothold. If you’re trying to get root and you’re sure that you’re using the right exploit but it’s not working, try creating a folder in tmp and run it from there.

pm for nudge

Should the username be obtained using brute force? Or did I miss something?

@ompamo said:

Should the username be obtained using brute force? Or did I miss something?

I think you missed something. It is in the file.

Rooted!!!
ping me for any hints and tips

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

This was a weak part of this box, found by guessing (number of possibilities is limited). This one part could have been arranged better IMHO. Overall very enjoyable box. Regarding root part - if one exploit does not work, then try another. Do not waste too much time like me :)

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

ROOTED! I agreed with this one being a fun box.

spoiler removed

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

Fun box, easy root. Kinda cool working with a different OS. If you need help feel free to DM me

First time taking on BSD machine. I think I found all elements I could get from enum and googling, however I can’t seem to get my foot in. I’m probably not providing the information in a correct way :(.

EDIT: I think I’m on something, let’s hope it will work !
EDIT2: Rooted. Once in, it’s almost a piece of cake.