Introduction
OpenKeyS from HTB is a Medium Easy box based on a fictitious SSH sharing platform and the OpenBSD Authentication Bypass (CVE-2019-19521). Honestly I don’t know if I was lucky finding this article HERE but give it a read through.
I start every scan with AutoRecon:
I’ve mentioned my love for the -vv flag in AutoRecon and this time was no different. I noticed Port 80 right away. This led me to a login page. I ran gobuster to find the includes directory.
Opening the auth.php.swp file allowed me to see the sub-domain openkeys.htb, a user, jennifer, and a link – ../auth_helpers/check_auth. I downloaded the file check_auth and checked what type of file it was.

/usr/libexec/ld.so
A short Google later led me to the link above. The next part is the most interesting part of the box. I loaded up Burp Suite and used -schallenge with test as the password to test the authentication bypass. I then tried with jennifer, which didn’t work. Eventually I found that if I simply added jennifer and -schallenge into a valid session I could access her key. I would highly recommend this guide HERE for more information.
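The bypass above works because a username beginning with a dash reaches the BSD auth subsystem and is parsed as an option rather than a name. As an added defensive illustration (not code from the write-up or from the box), the snippet below shows the check a login front end like auth.php should apply before handing a name to a helper such as check_auth, plus a scan for option-like usernames over constructed, hypothetical log lines.

```python
"""Added example: reject and detect option-like usernames (the CVE-2019-19521 pattern).
The log format and the sample lines below are constructed for illustration;
they are not real OpenBSD authlog output."""
import re
from typing import List, Optional, Tuple

# Anything starting with '-' could be read by the auth framework as an option.
_OPTION_LIKE = re.compile(r"^-")
# Only accept the shape of account name a login form legitimately needs.
_VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def sanitize_username(name: str) -> Optional[str]:
    """Return the name if it is safe to pass to an auth helper, else None."""
    if not name or _OPTION_LIKE.match(name) or not _VALID_USER.match(name):
        return None
    return name


def find_option_injection(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, username) for events whose username looks like an option.

    Assumes a constructed key=value layout with a 'user=' field.
    """
    hits = []
    user_field = re.compile(r"user=(?P<user>\S+)")
    for n, line in enumerate(log_lines, 1):
        m = user_field.search(line)
        if m and _OPTION_LIKE.match(m.group("user")):
            hits.append((n, m.group("user")))
    return hits


# Constructed sample events (hypothetical format, not real logs).
SAMPLE_LOG = [
    "login result=ok user=jennifer src=10.10.14.3",
    "login result=ok user=-schallenge src=10.10.14.3",
    "login result=fail user=admin src=10.10.14.3",
]

if __name__ == "__main__":
    print(sanitize_username("-schallenge"))   # None: rejected before reaching auth
    print(sanitize_username("jennifer"))      # jennifer
    print(find_option_injection(SAMPLE_LOG))  # [(2, '-schallenge')]
```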

Burp Suite cookie manipulation.

OpenSSH key for Jennifer
User Escalation
I saved the key, set the correct permissions and logged in as Jennifer. That was the user flag (I expected another user or two…).
Next was the escalation to root. Luckily the same article from before has CVE-2019-19520, which states ‘Local privilege escalation via xlock’. I find the Github link HERE, use curl to put it on the box and run it…. root.

Run the SH file for root.