Official OpenKeyS Discussion

Hi, could someone help me out please. I am stuck at getting the machine convinced to use user j. I have the -s********* part working. Maybe a nudge or a link to some additional info in the right direction would be much appreciated. Thx

@zaphoxx said:

Hi, could someone help me out please. I am stuck at getting the machine convinced to use user j. I have the -s********* part working. Maybe a nudge or a link to some additional info in the right direction would be much appreciated. Thx

ok, nvm, after tons of trial and error I got it right.

finally root … of course it was the last exploit I tried … it is always the last one eyeroll. but nice box that taught me some new stuff especially on foothold and user. my first openbsd box … woohoo.

Rooted the machine. It was a nice and a very cool box.

user: you found the name and now just google your way out of the login
Root: the same place where you found the solution for user

PM if you need help

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

@JonnyGill said:

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

Think about a thing that HTTP uses to maintain state between page requests. If you modify that you could add something which tells the second part who you are.

@TazWake said:

@JonnyGill said:

I feel really stupid here, managed to do the very first thing you need to and been told nothing is available. Not sure how other people are getting a user from there or knowing how to edit any parameters correctly.

Think about a thing that HTTP uses to maintain state between page requests. If you modify that you could add something which tells the second part who you are.

Thanks @TazWake, I get what I have to edit but I’m not sure with what. I’m assuming other people have found a user name and I haven’t so I’ll poke around a bit more.

@JonnyGill said:

Thanks @TazWake, I get what I have to edit but I’m not sure with what. I’m assuming other people have found a user name and I haven’t so I’ll poke around a bit more.

If you have the file, it is in there.

Okay figured user out with a nudge from @TazWake and then checking all the files available (which I hadn’t done before, doh). Now I can’t get any of the privesc techniques to work. The one that I think might be the right one runs without any errors but then doesn’t escalate my privileges and it’s giving me flashbacks to my first OSCP attempt and not being able to get privesc for the last points I needed.

Keep trying I guess!

EDIT: Never mind, rooted!

Rooted! Pretty cool box!

openkeys# id && whoami && hostname
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
root
openkeys.htb

user: quickly found everything I needed, but got slightly stuck on the RE rabbit hole. After I ignored that I was able to move forward pretty easily with the information found using Google Fu.

root: The information found to get user will lead you to root pretty easily.

DM if you need a nudge.

Done and Dusted! Thanks @polarbearer & @GibParadox for a fun box! The IFH was a little painful, but once I worked out how to correctly set the name (Double Face Palm!!) all went smoothly.

Wx

Rooted!
PM me for nudges! But first tell me what you have tried.

Rooted!!
Basically a box full of googling.

Rooted. Fun box!

PM me if you need help!

I found the user, the files and I guess I found the article but don’t know what to do with it, everything I get is a not found error. Any nudge?

@mrg3ntl3m4n said:

I found the user, the files and I guess I found the article but don’t know what to do with it, everything I get is a not found error. Any nudge?

If you are trying to get a foothold, think about how the protocol you are using maintains state between requests. That’s a good thing to try and exploit. It can be as simple as appending the data you want it to keep, based on the error messages you are getting, to an existing value.

@TazWake said:

If you are trying to get a foothold, think about how the protocol you are using maintains state between requests. That’s a good thing to try and exploit. It can be as simple as appending the data you want it to keep, based on the error messages you are getting, to an existing value.

Got it, thanks!

Rooted! Plenty of good hints already in this thread but if you find yourself stuck feel free to PM me for a nudge!

Just a quick reminder/notification - this box retires on Saturday.

There is still time to root it but don’t leave it too long.

This is now a retired box - there are some good write-ups out there if you found any steps particularly confusing or challenging.