SSH

Service

service ssh start
#Verification
netstat -antp | grep sshd

Keys

SSH Connection

chmod 600 id_rsa
ssh -i id_rsa user@host -p port

Generate Keys

0xSs0rZ@pico-2018-shell:~$ ssh-keygen -t rsa                                                                   
Generating public/private rsa key pair.                                                                        
Enter file in which to save the key (/home/0xSs0rZ/.ssh/id_rsa):                                               
Enter passphrase (empty for no passphrase):                                                                    
Enter same passphrase again:                                                                                   
Your identification has been saved in /home/0xSs0rZ/.ssh/id_rsa.                                               
Your public key has been saved in /home/0xSs0rZ/.ssh/id_rsa.pub.                                               
The key fingerprint is:                                                                                        
SHA256:YPsf7PTkrxc7owo8NkyxQVnfL3ZOS3xf+YDmJNVcMR0 0xSs0rZ@pico-2018-shell                                     
The key's randomart image is:                                                                                  
+---[RSA 2048]----+                                                                                            
|        .o.    E=|                                                                                            
|       ..  . + .o|                                                                                            
|      o o   o +  |                                                                                            
|     . o + . ....|                                                                                            
|      . S . + ++*|                                                                                            
|       = . = .o**|                                                                                            
|        O + o  ++|                                                                                            
|       . B =  =  |                                                                                            
|          +.==.o |                                                                                            
+----[SHA256]-----+                                                                                            
0xSs0rZ@pico-2018-shell:~$ cd /home/0xSs0rZ/.ssh                                                               
0xSs0rZ@pico-2018-shell:~/.ssh$                                                                                
0xSs0rZ@pico-2018-shell:~/.ssh$  ls                                                                            
id_rsa  id_rsa.pub                                                                                             
0xSs0rZ@pico-2018-shell:~/.ssh$ cp id_rsa.pub ~/.ssh/authorized_keys                                           
0xSs0rZ@pico-2018-shell:~/.ssh$ ssh -i id_rsa 0xSs0rZ@localhost                                                
The authenticity of host 'localhost (127.0.0.1)' can't be established.                                         
ECDSA key fingerprint is SHA256:1/2OUR2IggrhZwLysFuJlUZ169yf1BFVeTIDW8Fo5XU.                                   
Are you sure you want to continue connecting (yes/no)? yes                                                     
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.                                     
picoCTF{quelquechose}

Authorized-Keys

# Atacker
root@Host-001:~/Bureau/htb# cat traceback.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001
root@Host-001:~/Bureau/htb#

# Victim
webadmin@traceback:/home/webadmin/.ssh$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDsgaUFHPKR6TQf7rXuPcaSXyujJaBUvFlPWCYDeVR5adR+bHOh508cgCn9HxC79hNCPtv1a+8uRdK/0Ana1GMa35F2ugEMtHzoAjQA3zdrDRu7GS1LL/VdGqa9PMn3jKOzV1FZJrrqxqfSMhOsLXMkFJatjiSAjV0tmd8AI16p7C8nIbFmVfVHp3sLyzeB3VN6dKtFpCiWmmrdMDv5Nta9Y2FCKL20vo+dQvpfZPSPn5SzZjbpv5ITiPUdaKB2e+E4dDihuFE/VubKEWM71ns5xUPRb3DB4o5NrH8iE68/5BBUu3OT9fmo6FTUg2WsJzTZOThQQrADRNISnY9zD642pUHuT33+3JHj9XTWyojl4QYQQKENvL+rY31eGtkrvQYBXIAOvZV9KL9CNVFQb9ix5V8vCGsrG8slOpW3RaIAyJ5tm+mnWPO+P23tsdQsOudYbQE1sNdQfN/zOEqMgcfZG/3g5REqqSOAA6w0xjoJThKpYtKUvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
<UvUdk2vePWA0bGb8= root@Host-001" >> authorized_keys
webadmin@traceback:/home/webadmin/.ssh$ 

# Connection
root@Host-001:~/Bureau/htb# ssh -i traceback webadmin@10.10.10.181

Pseudo-Terminal

ssh -t bandit18@localhost /bin/sh

SSL Encryption

echo pass | openssl s_client -quiet -connect localhost:30001

Manpage of SSH

Brute Force

Sources

PreviousExploitNextWindows

Last updated