Official OpenKeyS Discussion

Comments

  • edited August 2020

    Think I have tried all privesc techniques as described in articles quite a few times, but I have had no joy. Also tried the exploit in one of the favoured tools, but again without any luck. Does the location where I create files matter? Please DM me with a hint.

    ** Solved **

  • edited July 2020

    Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here.... ¯\_(ツ)_/¯

    Shadow6

  • @Shadow6 said:

    Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here.... ¯\_(ツ)_/¯

    A combination of what information you have and what it is you are trying to bypass might help.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people, but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter, so my DMs are always open.

  • @TazWake said:

    @Shadow6 said:

    Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here.... ¯\_(ツ)_/¯

    A combination of what information you have and what it is you are trying to bypass might help.

    It seems I was googling the wrong key word, but I think I am back on track now. Thanks @TazWake

    Shadow6

  • Ok, I finally got it...
    However, can somebody explain (PM me) how the binary is not a complete rabbit hole?

    From analyzing the binary with strings, I see no reason why the CVEs that you need to find would actually work in this particular case...

  • edited August 2020

    Awesome machine! Thanks to @polarbearer and @GibParadox for all the effort on this one, I really appreciate a BSD box!

    The rabbit hole of the user part is face-palm style, so don't waste time walking in circles like me.

    My hints:

    User

    • Don't forget the OS that you are pwning
    • Looks like that file was not useless at all (try to not get confused with this one)

    Root

    • Is something that you usually don't try in HTB machines (or at least I don't)

    If this is spoiler feel free to remove it

  • Really nice to work on a BSD box for a change! As many people have said, the initial foothold is probably the most difficult part, but there are lots of clues that might help you get on the right path.
    If you get stuck after finding the vulnerable input, remember that there are several ways to send data to the server.

    I was able to get root, but from some of the comments I'm led to believe that there is a way to do it with that one really popular exploit tool, but I was unable to do so. If anyone did the privesc that way, I would appreciate it if you sent me a DM and let me know how (which module etc.).

  • Nice box! Learnt about a new vulnerability in BSD.
    Feel free to PM me if you're stuck ;)

  • Not sure what to think of the box. Was mostly googling and reading. Nevertheless, had fun.

  • Thanks to @TazWake for initial foothold.
    Stuck in rabbit hole RE
  • @GHOSTontheWire said:

    Thanks to @TazWake for initial foothold.
    Stuck in rabbit hole RE

    RE isn't needed. Think a bit bigger picture with the surface information from the binary.

    TazWake


  • This was actually a surprisingly easy and short box.
    Great to see a BSD box for once.

    Feel free to PM me for questions.

  • Great box! I had not practised with BSD, and I really enjoyed it!
    Congrats @GibParadox and @polarbearer

    PM if you need a nudge

  • @Rayz said:

    How did you guys figure out the second thing required for user? That took me quite some time to figure out. By 'second thing' I mean:

    first thing: the -s........
    second thing: u.....e=j....... ?? this one!

    any article describing the second thing?

    If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

    That should be enough for pointing you to the right google search.
    I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

    @TazWake I guess you may be interested too. Sorry for the spam if you are not.

  • @aquilante said:

    If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

    That should be enough for pointing you to the right google search.
    I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

    @TazWake I guess you may be interested too. Sorry for the spam if you are not.

    Nice find, thanks!

    TazWake


  • Having a rough time with root. I think I've found "the article" that is the key to this box, but none of the priv esc is working after a few attempts. Have tried several variations of the original user exploit as well. Any help is much appreciated.

  • Nevermind, figured it out. I was on the right path but for some reason it didn't work on the first couple tries. PM if you need help

  • This was a fun box. I went down a couple of rabbit holes, and completely missed the first step to foothold, but once I slowed down and paid attention it went quickly.

    All you need for foothold->user->root is in prior posts.

    pugpug

  • Nice box, got #root.
    Learned a lot about new things.
    Feel free to PM me for nudges.

  • Rooted. Fun box, thanks to aswathamasam for the nudge on foothold. If you're trying to get root and you're sure that you're using the right exploit but it's not working, try creating a folder in tmp and run it from there.

    PM for nudge

  • Should the username be obtained using brute force? Or did I miss something?

    ompamo

  • @ompamo said:

    Should the username be obtained using brute force? Or did I miss something?

    I think you missed something. It is in the file.

    TazWake


  • Rooted!!!
    ping me for any hints and tips

    Scorpion4347

  • @Rayz said:

    first thing: the -s........
    second thing: u.....e=j....... ?? this one!

    any article describing the second thing?

    This was a weak part of this box, found by guessing (the number of possibilities is limited). This one part could have been arranged better IMHO. Overall a very enjoyable box. Regarding the root part: if one exploit does not work, then try another. Do not waste too much time like me :-)

    m4rc1n

  • openkeys# id
    uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

    ROOTED! I agree with this one being a fun box.

  • edited September 2020

    spoiler removed

    LMAY75
    Always happy to help, DM me if you need anything!

  • openkeys# id
    uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

    Fun box, easy root. Kinda cool working with a different OS. If you need help feel free to DM me

    LMAY75

  • edited September 2020

    First time taking on a BSD machine. I think I found all the elements I could get from enum and googling, however I can't seem to get my foot in. I'm probably not providing the information in a correct way :(.

    EDIT: I think I'm onto something, let's hope it will work!
    EDIT2: Rooted. Once in, it's almost a piece of cake.

  • Rooted. This is one of those boxes which makes you pull your hair out while you are doing it, but once it's done you're like "That was easy!" Lol

    Thanks @TazWake for your guidance yet again.
