Official OpenKeyS Discussion

Alright Team, I'm asking this in here in hopes that someone can finally assist. I have watched every IPPSEC video that I can and still can't figure this out.

Whenever I am in a remote shell and want to edit a file, i.e. a php file, I open vi and when I utilize my arrow keys to try and navigate, it leaves a ton of silly characters and greatly degrades my ability to edit ANY file. I watch IPPSEC crush edits in vi and I cannot for the life of me figure out how to make my terminal operate unhindered like he does.

ANY HELP WOULD BE AMAZING!

@W4rF4ther said:

Alright Team, I'm asking this in here in hopes that someone can finally assist. I have watched every IPPSEC video that I can and still can't figure this out.

Whenever I am in a remote shell and want to edit a file, i.e. a php file, I open vi and when I utilize my arrow keys to try and navigate, it leaves a ton of silly characters and greatly degrades my ability to edit ANY file. I watch IPPSEC crush edits in vi and I cannot for the life of me figure out how to make my terminal operate unhindered like he does.

ANY HELP WOULD BE AMAZING!

Not super helpful but I don't use vi if I can avoid it - I find nano is much more effective on HTB boxes.

The characters you are seeing are probably the result of the terminal emulator not really understanding what is going on (for example if you are using nc to sling bash, it isn’t a terminal in the normal sense), so some of the shell “upgrade” fixes might solve it.

However, as I said, I gave up trying to fix this and just use nano on HTB.

Hello, Can someone help on the initial foothold on OpenKeys? Am able to login & know the -s*** thing but can’t make an rce out of it. Read a few comments about “choco-cookies” and I get what they mean but still no idea on what to do. I’d super-duper appreciate any help or nudge about this one :smiley: <3

Very cool box. Although I got the initial foothold very quickly, I couldn’t manage to convince PHP that my name begins with J for a long time. The privesc part was interesting, although rather easy if you can use google.

Hi, could someone help me out please. I am stuck at getting the machine convinced to use user j. I have the -s********* part working. Maybe a nudge or a link to some additional info into the right direction would be much appreciated. Thx

@zaphoxx said:

Hi, could someone help me out please. I am stuck at getting the machine convinced to use user j. I have the -s********* part working. Maybe a nudge or a link to some additional info into the right direction would be much appreciated. Thx

ok, nvm, after tons of trial and error I got it right.

finally root … of course it was the last exploit I tried … it is always the last one eyeroll. but nice box that taught me some new stuff especially on foothold and user. my first openbsd box … woohoo.

Rooted the machine. It was a nice and a very cool box.

user: you found the name and now just google your way out of the login
Root: the same place where you found the solution for user

PM if you need help

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

@JonnyGill said:

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

Think about a thing that HTTP uses to maintain state between page requests. If you modify that you could add something which tells the second part who you are.

@TazWake said:

@JonnyGill said:

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

Think about a thing that HTTP uses to maintain state between page requests. If you modify that you could add something which tells the second part who you are.

Thanks @TazWake, I get what I have to edit but I’m not sure with what. I’m assuming other people have found a user name and I haven’t so I’ll poke around a bit more.

@JonnyGill said:

Thanks @TazWake, I get what I have to edit but I’m not sure with what. I’m assuming other people have found a user name and I haven’t so I’ll poke around a bit more.

If you have the file, it is in there.

Okay figured user out with a nudge from @TazWake and then checking all the files available (which I hadn’t done before, doh). Now I can’t get any of the privesc techniques to work. The one that I think might be the right one runs without any errors but then doesn’t escalate my privileges and it’s giving me flashbacks to my first OSCP attempt and not being able to get privesc for the last points I needed.

Keep trying I guess!

EDIT: Nevermind, rooted!

Rooted! Pretty cool box!

openkeys# id && whoami && hostname
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
root
openkeys.htb

user: quickly found everything I needed, but got slightly stuck on the RE rabbit hole. After I ignored that I was able to move forward pretty easily with the information found using Google Fu.

root: The information found to get user will lead you to root pretty easily.

DM if you need a nudge.

Done and Dusted! Thanks @polarbearer & @GibParadox for a fun box! The IFH was a little painful, but once I worked out how to correctly set the name (Double Face Palm!!) all went smoothly.

Wx

Rooted!
PM me for nudges! But first tell me what you have tried.

Rooted!!
Basically a box full of googling.

Rooted. Fun box!

PM me if you need help!

I found the user, the files and I guess I found the article but don’t know what to do with it, everything I get is a not found error. Any nudge?

@mrg3ntl3m4n said:

I found the user, the files and I guess I found the article but don’t know what to do with it, everything I get is a not found error. Any nudge?

If you are trying to get a foothold, think about how the protocol you are using maintains state between requests. That’s a good thing to try and exploit. It can be as simple as appending the data you want it to keep, based on the error messages you are getting, to an existing value.