Official OpenKeyS Discussion

Maybe I'm late to start pwning this box… but trust me, to pwn this box you just need to google more and more…

openkeys# whoami;id;hostname
root
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys.htb

Foothold had me for a really long time, thanks to @SanderZ31 for their help with that!

I wouldn’t consider foothold to be RCE. The binary is helpful in identifying the vulnerability but then you need to combine this with a bit of session trickery to get what you are hoping to get. If you have spent time on foothold, no doubt you also came across privesc for root. You can either do it manually or find a public exploit.

Happy to help if you need a nudge in the right direction.

Alrighty, I found the interesting article and am able to log in on the webapp, but now I need to find a way to get the username right to do what the webapp says, because it lets me in but it only shows an error… any hints?

@Baud said:

Alrighty, I found the interesting article and am able to log in on the webapp, but now I need to find a way to get the username right to do what the webapp says, because it lets me in but it only shows an error… any hints?

Have you ever eaten choco-cookies?

rooted !!!

Worst part was trying the same thing manually didn’t work but script did. Still figuring that out.

PM for nudges. Thanks @SanderZ31

Manual exploitation worked too.

Thanks for the box, overall good experience even if the start was a bit bumpy :smile:

For those struggling with the foothold - search for vulns and combine the read with some delicious cookies :wink:

I took my pass and I have my biscuit, but idk what to do with these. I understand @sn0b4ll's hint, but idk the attack vector or trick. Would one more hint be a spoiler? If so, I'm gonna try to figure it out myself; if not, put your hint here => <= please :smile:

EDIT: Forget it, now I know how to play with my food. :sweat_smile:

I must be missing something or just impatient. Just starting out, only 2 open.
My fuzzing isn't good enough? Or do we need to bypass, or maybe do some mapping of some kind? :confused:

This box rips: lots of weird, new and easy things once you calibrate the Google machine. Don't stray from the box name or you will have a bad time.
Thanks, boys, for the work.

stay clean, stay focused

Found the interesting article, I remember hearing about it and being shocked.

Got it to work as written, but cannot, for the life of me, combine what it talks about, with a discovered username and baked goods. All it gives me is access denied and sweet gastric distress.

edit: Rooted, thanks to hints from @TazWake and @offs3cg33k .

I still have some questions regarding exactly how this works in the PHP, but will need to talk about that in a PM because it’d be full of spoilers.

-s…

@rholas said:

-s…

Guys, this is a great hint for foothold.

@zweeden said:

I must be missing something or just impatient. Just starting out, only 2 open.

That seems about right.

My fuzzing isn't good enough?

It depends. Have you looked at everything you’ve found with the fuzzing?

Or do we need to bypass, or maybe do some mapping of some kind? :confused:

Have a look at everything you can find and then it might be a bit clearer.

@cyberpathogen said:

Found the interesting article, I remember hearing about it and being shocked.

Got it to work as written, but cannot, for the life of me, combine what it talks about, with a discovered username and baked goods. All it gives me is access denied and sweet gastric distress.

Your baked product needs two things, separated with a ;.
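As an added illustration of the "two things separated by a ;" hint (this is not code from the box or from any poster), the block below shows the wire format of a Cookie request header carrying two cookie-pairs and how a server splits it back into a name/value map. The cookie names and values are constructed placeholders, not the box's real ones.

```python
# Added example for this thread, not code from the box or any poster.
# Shows how a Cookie: request header carries several cookie-pairs
# separated by "; " (RFC 6265) and how a server splits it back into a
# name/value map. Cookie names and values are constructed placeholders.

from typing import Dict


def build_cookie_header(cookies: Dict[str, str]) -> str:
    """Serialise a dict into the value of a Cookie: request header."""
    for name, value in cookies.items():
        # A ';' inside a name or value would split the header and silently
        # create an extra cookie-pair, and '=' in a name would shift the
        # name/value boundary; reject both up front.
        if ";" in name or ";" in value or "=" in name:
            raise ValueError(f"illegal character in cookie {name!r}")
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header value on ';' into a name/value map.

    Only the first '=' separates name from value, so an '=' inside a value
    (base64 padding, for example) survives intact. If a name repeats,
    the first occurrence is kept.
    """
    out: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # empty fragment, e.g. from ";;" or a trailing ';'
        name, sep, value = pair.partition("=")
        if not sep:
            continue  # a bare token with no '=' is not a cookie-pair
        out.setdefault(name.strip(), value.strip())
    return out


def raw_request(host: str, path: str, cookies: Dict[str, str]) -> bytes:
    """Assemble the HTTP/1.1 request a client would send with these cookies."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {build_cookie_header(cookies)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


if __name__ == "__main__":
    # Constructed sample: a PHP session id plus a second application cookie.
    jar = {"PHPSESSID": "abc123", "user": "example"}
    print(raw_request("example.htb", "/", jar).decode())
    print(parse_cookie_header(build_cookie_header(jar)))
```

The round trip through `build_cookie_header` and `parse_cookie_header` is the same thing you are doing by hand when you set the second cookie in a browser or proxy: one header, two pairs, one `;` between them.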

@cyberpathogen said:

Found the interesting article, I remember hearing about it and being shocked.

Got it to work as written, but cannot, for the life of me, combine what it talks about, with a discovered username and baked goods. All it gives me is access denied and sweet gastric distress.

Same problem here…

Binaries as rabbit holes :frowning: – wasting 90% of the time…

Rooted!
I had some issues on my way to root. Everything worked fine after a reset.

For the initial foothold, make sure you include all your test cases and tools.

Hope it's not a spoiler.

Reversing is required to fully understand why it works the way it does.