Hack The Box (HTB) is an excellent platform that hosts machines running a variety of operating systems, along with other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack used to connect to the machines hosted there. Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named OpenKeyS, is retired.
The walkthrough
Let’s start with this machine.
Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN. The OpenKeyS machine IP is 10.10.10.199. We will adopt the usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information as possible. As usual, we begin with an Nmap scan to gather more information about the services running on this machine.
nmap -sC -sV -oA OpenKeyS 10.10.10.199
Initial Nmap results show that ports 22 and 80 are open. Let’s start enumeration on port 80. Below is the login page on port 80.
Performing directory brute-forcing reveals the following directories. Out of these, the directory “includes” looks like an interesting one.
Enumerating the “includes” directory, we see two files: auth.php and auth.php.swp.
File auth.php.swp shows a username, “jennifer”.
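A swap file leaks a username because Vim records the editing user's name, host name and file path in the first block of every swap file. The script below is an added example, not part of the original walkthrough: it audits a document root you administer for served editor artifacts and decodes that header. The suffix list, the function names and the sample header (with the placeholder host "host.example") are constructed for illustration.

```python
import os
import struct
import tempfile

# Vim swap block 0 (unencrypted): id[2] version[10] page_size[4] mtime[4]
# ino[4] pid[4] uname[40] hname[40] fname[900]
B0 = struct.Struct("<2s10s4s4s4s4s40s40s900s")
ARTIFACT_SUFFIXES = (".swp", ".swo", ".swn", "~", ".bak", ".orig")  # assumed list


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")  # NUL-padded field


def parse_vim_swap(data):
    """Return metadata leaked by a Vim swap header, or None if not a swap file."""
    if len(data) < B0.size or data[:2] != b"b0":
        return None
    _, ver, _, _, _, _, uname, hname, fname = B0.unpack_from(data)
    return {"vim": _cstr(ver), "user": _cstr(uname),
            "host": _cstr(hname), "file": _cstr(fname)}


def audit_webroot(root):
    """Walk a document root and list editor artifacts the web server would serve."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ARTIFACT_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    meta = parse_vim_swap(fh.read(B0.size))
                findings.append((os.path.relpath(path, root), meta))
    return sorted(findings, key=lambda f: f[0])


def make_sample_swap(user, host, fname):
    """Build a constructed block-0 header for the demo (not a real capture)."""
    return B0.pack(b"b0", b"VIM 8.1", b"", b"", b"", b"",
                   user.encode(), host.encode(), fname.encode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # throwaway stand-in web root
        os.mkdir(os.path.join(root, "includes"))
        with open(os.path.join(root, "includes", "auth.php.swp"), "wb") as fh:
            fh.write(make_sample_swap("jennifer", "host.example", "auth.php"))
        for rel, meta in audit_webroot(root):
            print(rel, meta)
```

Any finding is a reason to delete the artifact from the document root and to deny requests for these suffixes at the web server.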
Since this box is based on OpenBSD, there are some exploits that we can use. Going through the exploits, it is mentioned that the username “-schallenge” can bypass authentication. Doing that, we get the page below.
Modifying the request a bit more to check the keys of “jennifer”:
Running the above request shows the key for the user.
Save the key and log into the box, as shown below.
Enumerate the flag user.txt.
Looking at the kernel version, there is a ready-made exploit for it that targets either YubiKey or openkeys. Running the exploit, as shown below, escalates privileges to root:
Enumerate to grab the root flag.
This machine was very straightforward, with some interesting twists to capture the initial foothold. From user to root, the path was totally based on an exploit. We will continue this series with many more examples of interesting HTB machines.