Official OpenKeyS Discussion

spoiler removed

openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

Fun box, easy root. Kinda cool working with a different OS. If you need help feel free to DM me

First time taking on a BSD machine. I think I found all the elements I could get from enum and googling, however I can’t seem to get my foot in. I’m probably not providing the information in a correct way :(.

EDIT: I think I’m on to something, let’s hope it will work!
EDIT2: Rooted. Once in, it’s almost a piece of cake.

Rooted. This is one of those boxes which makes you pull your hair while you are doing it but once it’s done you’re like “That was easy!” Lol

Thanks @TazWake for your guidance yet again.

For me, the foothold wasn’t too tough, but a failure during the enumeration killed about 6 hours of my time. See, when I enumerated, the tool I used told me that a certain thing was inaccessible, so I never tried to further enumerate it. Thus, even though I had found the CVE, and had seen what -s********* could do, I was stuck. I had not found the much discussed binary or the username. Much thanks to @cre4k on discord for encouraging me to go back and check that unreadable thing again; I honestly didn’t know if I was missing something obvious (I was) or had a fundamental misunderstanding of what was going on.

Once I went back and checked that, and found out what was hiding there, the foothold was just trial-and-error and some handwaving, and everything after that was quick.

So I guess the lesson is, if you’re stuck, go back and re-enumerate just to see if anything comes up different the second time around.

Could someone explain why the foothold works the way it works?

@gs4l said:

Could someone explain why the foothold works the way it works?

It is difficult without insane amounts of spoilers. If you google the process you can find a series of articles and blog posts which talk about the vulnerability being exploited which might help.

There is some kind of problem “in the final phase”. Please be patient, I tried many times without results.

Just rooted, this was a fun one. I’d actually say this was easier than most of the easy boxes out right now.

But I’m still confused about the foothold. I struggled pretty hard with the second step of the foothold where you have to adjust something to get the user you want… I got it to work eventually but used an extension to help me out. I’m still unsure how you could manually modify the request to get what you want.

I saw a prior comment about adding something with a semicolon, but couldn’t figure out how to do it after unsuccessfully trying a few different ways… could I message someone to try to understand how this works?

Completely missed that basic enumeration part so had to restart then I found it.
User:
1) Enum
2) Google
3) CVE

Root:
1) CVE

This is one of those boxes where you just have to tough it out.
Foothold is definitely the most mind-tiring phase of this box; after that it’s a matter of constant research.
It’s all on Google. After finding that valuable article, adapt what you found to the circumstances and don’t rely on it too much.
Had no need to Reverse Engineer.

I somehow managed to enumerate so well that I found the privilege escalation vulnerability before even getting a shell on the system, that was quite weird. Anyways I rooted it! What a great box! Thanks to @N3s for the assistance during the initial foothold.

Initial foothold:

  • Remember the OS you are trying to pwn.
  • Enumeration, enumeration, enumeration
  • Don’t over complicate things at all, imagine how the file you found can connect to something else, and how it may interact with index.php.

Root:

  • Google & Enumeration, and also backtrack from the previous vulnerability you found.

I’m sorry if I’m revealing too much, please do not hesitate to delete/remove this post if that is the case.

As always, knowledge is very subjective, some people know more, some people know less, and that’s fine! If you’re still exhausted and confused out of options, do not hesitate to DM me! I am utmost willing to nudge you in the right direction.

Finally rooted. Got stuck on root for several hours…
Guys, if something is not working, search for other ways. When you find the right way all things will go smoothly.
good luck :wink:

So I managed to root this box a few days ago. I would like to thank @TazWake for the nudge on the initial foothold.

Here are some hints:

User: Enumerate, google and some tasty baked goods
Root: IF you have gotten this far, remember how you got in. See if that thing could help you priv esc. If you did your enumeration correctly this should be very straight forward.

Took me way too long, but rooted!
Once you have user, priv-esc is pretty easy

Rooted.
A long way in the foothold but a quick privesc for root.

Alright Team, I’m asking this in here in hopes that someone can finally assist. I have watched every IPPSEC video that I can and still can’t figure this out.

Whenever I am in a remote shell and want to edit a file (i.e. a php file), I open vi and when I utilize my arrow keys to try and navigate, it leaves a ton of silly characters and greatly degrades my ability to edit ANY file. I watch IPPSEC crush edits in vi and I cannot for the life of me figure out how to make my terminal operate unhindered like he does.

ANY HELP WOULD BE AMAZING!

@W4rF4ther said:

Alright Team, I’m asking this in here in hopes that someone can finally assist. I have watched every IPPSEC video that I can and still can’t figure this out.

Whenever I am in a remote shell and want to edit a file (i.e. a php file), I open vi and when I utilize my arrow keys to try and navigate, it leaves a ton of silly characters and greatly degrades my ability to edit ANY file. I watch IPPSEC crush edits in vi and I cannot for the life of me figure out how to make my terminal operate unhindered like he does.

ANY HELP WOULD BE AMAZING!

Not super helpful but I don’t use vi if I can avoid it - I find nano is much more effective on HTB boxes.

The characters you are seeing are probably the result of the terminal emulator not really understanding what is going on (for example if you are using nc to sling bash, it isn’t a terminal in the normal sense), so some of the shell “upgrade” fixes might solve it.

However, as I said, I gave up trying to fix this and just use nano on HTB.

Hello, can someone help on the initial foothold on OpenKeys? I am able to login & know the -s*** thing but can’t make an RCE out of it. Read a few comments about “choco-cookies” and I get what they mean but still no idea on what to do. I’d super-duper appreciate any help or nudge about this one :smiley: <3

Very cool box. Although I got the initial foothold very quickly, I couldn’t manage to convince PHP that my name begins with J for a long time. The privesc part was interesting, although rather easy if you can use google.