OpenKeyS from HTB is a Medium Easy box based on a fictitious SSH key sharing platform and the OpenBSD Authentication Bypass (CVE-2019-19521). Honestly, I don’t know if I was lucky finding this article HERE, but give it a read through.
I start every scan with AutoRecon:
I’ve mentioned my love for the -vv flag in AutoRecon and this time was no different. I noticed Port 80 right away. This led me to a login page. I ran gobuster to find the
Opening the auth.php.swp file allowed me to see the sub-domain openkeys.htb, a user, jennifer, and a link – ../auth_helpers/check_auth. I downloaded the file check_auth and checked what type of file it was.
A short Google later led me to the link above. The next part is the most interesting part of the box. I loaded up Burp Suite and used -schallenge as the username with test as the password to test the authentication bypass. I then tried with jennifer, which didn’t work. Eventually I found that if I simply added jennifer and -schallenge into a valid session I could access her key. I would highly recommend this guide HERE for more information.
Burp Suite cookie manipulation.
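Why the -schallenge username works is easier to see in code than in a Burp screenshot. OpenBSD’s BSD Auth framework hands the username to a backend such as login_passwd on the command line, and the backend parses its arguments with getopt, so a username beginning with "-" is read as an option: "-schallenge" becomes "-s challenge" and switches the backend into challenge mode instead of password checking. The simulation below is an added example, not code from this writeup, from OpenBSD or from the box; the argv layout, the user table and the idea that challenge mode skips the password check are simplifications standing in for the real libc/login_passwd code path, and the hardened variant shows the two standard defences (a "--" terminator before user-controlled arguments, and refusing usernames that start with "-").

```python
"""Simulated option confusion behind CVE-2019-19521 (added example, not OpenBSD code)."""
import getopt

# Constructed sample user database: username -> password.
USERS = {"jennifer": "correct-horse-battery-staple"}


def backend_argv(username, service="login", style="passwd", terminate_options=False):
    """Build the argv a frontend would pass to a login_<style> backend (simplified).

    The vulnerable layout puts the username straight after the options.
    With terminate_options=True a "--" is inserted so getopt stops parsing
    options before it reaches user-controlled data.
    """
    argv = ["login_" + style, "-s", service]
    if terminate_options:
        argv.append("--")
    argv.append(username)
    return argv


def parse_backend_argv(argv):
    """Parse argv the way a getopt(3)-style backend would: '-s <service>' then the user."""
    opts, rest = getopt.getopt(argv[1:], "s:v:")
    service = "login"
    for opt, arg in opts:
        if opt == "-s":
            service = arg          # a later -s wins, which is the whole problem
    username = rest[0] if rest else None
    return service, username


def vulnerable_authenticate(username, password, users=USERS):
    """Pre-fix behaviour: the username is never checked for a leading '-'."""
    service, user = parse_backend_argv(backend_argv(username))
    if service == "challenge":
        # Simplification: in challenge mode the backend never compares a password,
        # and on an unpatched system the request went through as authenticated.
        return True
    return user is not None and users.get(user) == password


def hardened_authenticate(username, password, users=USERS):
    """Post-fix behaviour: reject option-looking usernames and terminate options with '--'."""
    if not username or username.startswith("-"):
        return False
    service, user = parse_backend_argv(backend_argv(username, terminate_options=True))
    if service != "login":
        return False               # only the password service is acceptable here
    return user is not None and users.get(user) == password


if __name__ == "__main__":
    for name, pw in [("jennifer", "wrong"), ("jennifer", USERS["jennifer"]), ("-schallenge", "test")]:
        print(f"{name!r:15} vulnerable={vulnerable_authenticate(name, pw)!s:5} "
              f"hardened={hardened_authenticate(name, pw)}")
```

Run it and the "-schallenge" row is authenticated by the vulnerable path with the password "test", exactly the check made in Burp above, while the hardened path refuses it; the "--" terminator alone would also have left "-schallenge" as an ordinary, unknown username.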
I saved the key, set the correct permissions and logged in as Jennifer. That was the user flag (I expected another user or two…).
Next was the escalation to root. Luckily the same article from before has CVE-2019-19520, which states ‘Local privilege escalation via xlock’. I found the GitHub link HERE, used curl to put it on the box and ran it… root.
Run the SH file for root.