Official OpenKeyS Discussion

Rooted. Fun box, thanks to aswathamasam for the nudge on foothold. If you’re trying to get root and you’re sure that you’re using the right exploit but it’s not working, try creating a folder in tmp and run it from there.

pm for nudge

Should the username be found using brute force? Or did I miss something?

@ompamo said:

Should the username be found using brute force? Or did I miss something?

I think you missed something. It is in the file.

Rooted!!!
ping me for any hints and tips

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

This was a weak part of this box, found by guessing (the number of possibilities is limited). This one part could have been arranged better IMHO. Overall a very enjoyable box. Regarding the root part: if one exploit does not work, then try another. Do not waste too much time like me :slight_smile:

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

ROOTED! I agreed with this one being a fun box.

spoiler removed

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

Fun box, easy root. Kinda cool working with a different OS. If you need help feel free to DM me

First time taking on BSD machine. I think I found all elements I could get from enum and googling, however I can’t seem to get my foot in. I’m probably not providing the information in a correct way :(.

EDIT: I think I’m on something, let’s hope it will work !
EDIT2: Rooted. Once in, it’s almost a piece of cake.

Rooted. This is one of those boxes which makes you pull your hair while you are doing it but once it’s done you’re like “That was easy!” Lol

Thanks @TazWake for your guidance yet again.

For me, the foothold wasn’t too tough, but a failure during the enumeration killed about 6 hours of my time. See, when I enumerated, the tool I used told me that a certain thing was inaccessible, so I never tried to further enumerate it. Thus, even though I had found the CVE, and had seen what -s********* could do, I was stuck. I had not found the much discussed binary or the username. Much thanks to @cre4k on discord for encouraging me to go back and check that unreadable thing again; I honestly didn’t know if I was missing something obvious (I was) or had a fundamental misunderstanding of what was going on.

Once I went back and checked that, and found out what was hiding there, the foothold was just trial-and-error and some handwaving, and everything after that was quick.

So I guess the lesson is, if you’re stuck, go back and re-enumerate just to see if anything comes up different the second time around.

Could someone explain why the foothold works the way it works?

@gs4l said:

Could someone explain why the foothold works the way it works?

It is difficult without insane amounts of spoilers. If you google the process you can find a series of articles and blog posts which talk about the vulnerability being exploited which might help.

There is some kind of problem “in the final phase”. Please be patient, I tried many times without results.

Just rooted, this was a fun one. I’d actually say this was easier than most of the easy boxes out right now.

But I’m still confused about the foothold. I struggled pretty hard with the second step of the foothold where you have to adjust something to get the user you want… I got it to work eventually but used an extension to help me out. I’m still unsure how you could manually modify the request to get what you want.

I saw a prior comment about adding something with a semicolon, but couldn’t figure out how to do it after unsuccessfully trying a few different ways… could I message someone to try to understand how this works?

Completely missed that basic enumeration part, so I had to restart; then I found it.
User:
1) Enum
2) Google
3) CVE

Root:
1) CVE

This is one of those boxes where you just have to tough it out.
Foothold is definitely the most mind-tiring phase of this box; after that it’s a matter of constant research.
It’s all on Google; after finding that valuable article, adapt what you found to the circumstances and don’t rely on it too much.
Had no need to reverse engineer.

I somehow managed to enumerate so well that I found the privilege escalation vulnerability before even getting a shell on the system, which was quite weird. Anyway, I rooted it! What a great box! Thanks to @N3s for the assistance during the initial foothold.

Initial foothold:

  • Remember the OS you are trying to pwn.
  • Enumeration, enumeration, enumeration.
  • Don’t overcomplicate things at all; imagine how the file you found can connect to something else, and how it may interact with index.php.

Root:

  • Google & Enumeration, and also backtrack from the previous vulnerability you found.

I’m sorry if I’m revealing too much, please do not hesitate to delete/remove this post if that is the case.

As always, knowledge is very subjective: some people know more, some people know less, and that’s fine! If you’re still exhausted, confused and out of options, do not hesitate to DM me! I am most willing to nudge you in the right direction.

Finally rooted. Got stuck on root for several hours…
Guys, if something is not working, search for other ways. When you find the right way, all things will go smoothly.
Good luck :wink:

So I managed to root this box a few days ago. I would like to thank @TazWake for the nudge on the initial foothold.

Here are some hints:

User: Enumerate, Google and some tasty baked goods.
Root: If you have gotten this far, remember how you got in. See if that thing could help you priv esc. If you did your enumeration correctly, this should be very straightforward.