Official OpenKeyS Discussion

This was quite a fun box, but finding the right articles was the hardest part. :slight_smile:

Think I have tried all privesc techniques as described in articles quite a few times but I have had no joy. Also tried the exploit in one of the favoured tools but again without any luck. Does the location of where I create files matter? Please DM me with a hint.

** Solved **

Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here… ¯\_(ツ)_/¯

@Shadow6 said:

Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here… ¯\_(ツ)_/¯

A combination of what information you have and what it is you are trying to bypass might help.

@TazWake said:

@Shadow6 said:

Ok, I've got the binary, I've pulled key words from it, but I just don't know what I'm googling for here… ¯\_(ツ)_/¯

A combination of what information you have and what it is you are trying to bypass might help.

It seems I was googling the wrong key word, but I think I am back on track now. Thanks @TazWake

Ok I finally got it…
However, can somebody explain (PM me) how the binary is not a complete rabbit hole?

From analyzing the binary with strings, I see no reason why the CVEs that you need to find would actually work in this particular case…

Awesome machine! Thanks to @polarbearer and @GibParadox for all the effort on this one, I really appreciate a BSD box!

The rabbit hole of the user part is face palm style, so don't waste time walking in circles like me

My hints:

User

  • Don't forget the OS that you are pwning
  • Looks like that file was not useless at all (try to not get confused with this one)

Root

  • Is something that you usually don't try in HTB machines (or at least I don't)

If this is spoiler feel free to remove it

Really nice to work on a BSD box for a change! As many people have said the initial foothold is probably the most difficult part, but there are lots of clues that might help you get on the right path.
If you get stuck after finding the vulnerable input, remember that there are several ways to send data to the server.

I was able to get root, but from some of the comments I'm led to believe that there is a way to do it with that one really popular exploit tool, but I was unable to do so. If anyone did the privesc that way I would appreciate it if you sent me a DM and let me know how (which module etc.).

Nice box! Learnt about a new vulnerability in BSD.
Feel free to PM me if you're stuck :wink:

Not sure what to think of the box. Was mostly googling and reading. Nevertheless, had fun.

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

@GHOSTontheWire said:

Thanks to @TazWake for initial foothold.
Stuck in rabbit hole RE

RE isn't needed. Think a bit bigger picture with the surface information from the binary.

This was actually a surprisingly easy and short box.
Great to see a BSD box for once.

Feel free to PM me for questions.

Great box! I had not practised with BSD, and I really enjoyed it!
Congrats @GibParadox and @polarbearer

PM if you need a nudge

@Rayz said:

How did you guys figure out the second thing required for user? That took me quite some time to figure… by 'second thing' I mean:

first thing: the -s…
second thing: u…e=j… ?? this one!

any article describing the second thing?

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

@aquilante said:

If you are still looking for some references, take a closer look at differences between files index.php:45 and a***.php:49.

That should be enough for pointing you to the right google search.
I guess the link to the actual documentation page for that would be a big spoiler, but feel free to PM me if you need it.

@TazWake I guessed you may be interested too. Sorry for the spam if you are not.

Nice find, thanks!

Having a rough time with root. I think I've found "the article" that is the key to this box but none of the priv esc is working after a few attempts. Have tried several variations of the original user exploit as well. Any help is much appreciated

Never mind, figured it out. I was on the right path but for some reason it didn't work on the first couple of tries. PM if you need help

This was a fun box. I went down a couple of rabbit holes, and completely missed the first step to foothold, but once I slowed down and paid attention it went quickly.

All you need for foothold->user->root is in prior posts.

good one!!!