
Hack the Box (HTB) machines walkthrough series — OpenKeyS

February 4, 2021 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named OpenKeyS.

HTB is an excellent platform that hosts machines running multiple OSes, along with some other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named OpenKeyS, is retired.


The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The OpenKeyS machine IP is 10.10.10.199.
  3. We will adopt the usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine:
     nmap -sC -sV -oA OpenKeyS 10.10.10.199

  5. Initial Nmap results show that ports 22 and 80 are open. Let’s start enumeration on port 80. Below is the login page on port 80.
  6. Performing directory brute-forcing reveals the following directories. Out of these, the directory “includes” looks like an interesting one.
  7. Enumerating the “includes” directory, we see two files: auth.php and auth.php.swp.
  8. File auth.php.swp shows a username, “jennifer”.
  9. Since this box runs OpenBSD, there are some exploits that we can use.
  10. Going through the exploits, it is mentioned that supplying “-schallenge” as the username can bypass authentication. Doing that, we get the page below.
  11. Modifying the request a bit more to check the keys of “jennifer”:
  12. Running the above request shows the key for the user.
  13. Save the key and log into the box, as shown below.
  14. Enumerate the flag user.txt.
  15. Looking into the kernel version, there is a ready-made exploit for it that targets either YubiKey or openkeys.
  16. Running the exploit, as shown below, escalated privileges to root:
  17. Enumerate to grab the root flag.
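
Steps 7 and 8 work because a Vim swap file left in the web root records who was editing the file. The added example below (not code from the original article) audits a document root for such files and parses the swap header to show exactly which fields leak. The function names are hypothetical, the host and path in the sample are constructed, and the offsets assume Vim's unencrypted "block 0" layout.

```python
import os
import struct
import tempfile

# Vim swap block 0 offsets (as in the file(1) magic): 0 "b0", 2 version[10],
# 24 pid, 28 user[40], 68 host[40], 108 edited file name[900]
HEADER_LEN = 1008

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")  # NUL-padded field

def parse_swap_header(data):
    """Return the metadata a Vim swap file exposes, or None if it is not one."""
    if len(data) < HEADER_LEN or not data.startswith(b"b0VIM"):
        return None
    return {
        "version": _cstr(data[2:12]),
        "pid": struct.unpack_from("<I", data, 24)[0],
        "user": _cstr(data[28:68]),
        "host": _cstr(data[68:108]),
        "edited_file": _cstr(data[108:1008]),
    }

def audit_webroot(root):
    """Walk a document root; list each Vim swap file with its leaked fields."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    meta = parse_swap_header(fh.read(HEADER_LEN))
            except OSError:
                continue  # unreadable file: skip it, keep auditing
            if meta:
                findings.append((os.path.relpath(path, root), meta))
    return sorted(findings, key=lambda f: f[0])

def build_sample_swap(user, host, fname, pid=4242):  # constructed sample, not data from the machine
    hdr = b"b0" + b"VIM 8.1".ljust(10, b"\0") + struct.pack("<IIII", 4096, 0, 0, pid)
    hdr += user.encode().ljust(40, b"\0") + host.encode().ljust(40, b"\0")
    return (hdr + fname.encode().ljust(900, b"\0")).ljust(4096, b"\0")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "includes", "auth.php.swp"), "wb") as fh:
            fh.write(build_sample_swap("jennifer", "host.example", "/htdocs/includes/auth.php"))
        print(audit_webroot(root))
```

Any hit under a served directory should be deleted, and the web server should be configured to refuse requests for editor swap and backup files.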


This machine was very straightforward, with some interesting twists to capture the initial foothold. From user to root, the path was totally based on an exploit.

We will continue this series with many more examples of interesting HTB machines.
