SSH
Service
service ssh start
#Verification
netstat -antp | grep sshd
Keys
SSH Connection
chmod 600 id_rsa
ssh -i id_rsa user@host -p port
Generate Keys
0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell
The key's randomart image is:
+---[RSA 2048]----+
| .o. E=|
| .. . + .o|
| o o o + |
| . o + . ....|
| . S . + ++*|
| = . = .o**|
| O + o ++|
| . B = = |
| +.==.o |
+----[SHA256]-----+
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh
0xSs0rZ@pico-2018-shell:~/.ssh$
0xSs0rZ@pico-2018-shell:~/.ssh$ ls
id_rsa id_rsa.pub
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
picoCTF{quelquechose}
Authorized-Keys
# Atacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001
root@Host-001:~/Bureau/htb#
# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
<UvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$
# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181
Pseudo-Terminal
ssh -t bandit18@localhost /bin/sh
SSL Encryption
echo pass | openssl s_client -quiet -connect localhost:30001
Brute Force
Sources
Last updated