# SSH Tips

## Connect with pem/user/ip

* This will allow you to stay connected to the CTF (metasploitCtf). Restrict the key's permissions first: ssh refuses a private key that is group- or world-readable ("permissions are too open").

```
chmod 600 ctf.pem
ssh -i ctf.pem user@54.x.x.x
```

## Root Logins Allowed

* Found an ssh key, but can you log in with root? Check the server's `PermitRootLogin` setting before trying (note the config lives under `/etc/ssh/`).

```
grep PermitRootLogin /etc/ssh/sshd_config   ..shows commented lines too; `sshd -T` gives the effective value
vim root_key                                ..paste the private key
chmod 600 root_key
ssh -i root_key root@192.168.x.x
```
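The grep above prints every line that mentions the keyword, including commented-out ones, so it is easy to misread. As an added example (not part of the original notes), this POSIX shell function works out the effective `PermitRootLogin` value the way sshd does: the first uncommented directive wins, and if there is none the compiled-in default (`prohibit-password` since OpenSSH 7.0) applies. The config text is a constructed sample, not a real host's file; `Match` blocks are not handled.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from any real host)
SAMPLE_CONFIG='# PermitRootLogin yes
Port 22
PermitRootLogin yes
PermitRootLogin no
'

# Read sshd_config-style text on stdin and print the effective PermitRootLogin
# value. sshd honours the FIRST uncommented occurrence of a keyword; keywords
# are case-insensitive and may be written "Keyword value" or "Keyword=value".
effective_permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        { sub(/=/, " ") }                          # normalise Keyword=value
        tolower($1) == "permitrootlogin" && !found {
            print tolower($2); found = 1           # first match wins
        }
        END { if (!found) print "prohibit-password" }   # OpenSSH default
    '
}

# Exit 0 only when root logins are fully disabled ("no"); "yes",
# "prohibit-password" and "forced-commands-only" all still allow some form
# of root login (key-based or forced-command), so they return 1.
root_login_is_disabled() {
    case "$(effective_permit_root_login)" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: printf '%s' "$SAMPLE_CONFIG" | effective_permit_root_login   -> yes
```

On a live box the same answer comes from `sshd -T | grep -i permitrootlogin`, which needs root; the function above lets you read a copied config offline.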

## Unable to negotiate

REF: sundayHTB. The error lists the key-exchange methods the server offers; `+` appends a legacy one to the client's list for this connection instead of replacing the whole list.

```
> ssh sunny@10.129.87.203 -p 22022
Unable to negotiate with 10.129.87.203 port 22022: no matching key exchange method found. 
Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.129.87.203 -p 22022
..connect!
```
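Every algorithm in that offer is SHA-1 based or uses the 1024-bit group1 exchange, which is why a current client refuses them by default. As an added example (not from the original notes or the box), these POSIX shell functions parse the "Their offer:" line out of ssh's error text, flag the deprecated entries, and print a per-host `~/.ssh/config` stanza so the weak algorithm is enabled only for that one host rather than globally. The error text is a constructed copy of the one above; the host alias `legacy-box` is an assumption.

```shell
#!/bin/sh
# Constructed copy of the client error (same host/port as the notes above)
SAMPLE_ERROR='Unable to negotiate with 10.129.87.203 port 22022: no matching key exchange method found.
Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

# Print the server's offered kex algorithms, one per line, from ssh error
# text on stdin (only the line containing "Their offer:" is used).
offered_kex() {
    sed -n 's/.*Their offer: *//p' | tr ',' '\n' | sed '/^$/d'
}

# Print only the deprecated offers: anything SHA-1 based ("-sha1" at the end
# or followed by a suffix) or using the 1024-bit "group1" exchange.
# "group14-sha256" is deliberately NOT matched (group1- needs "1-" directly).
weak_kex() {
    offered_kex | grep -E -- '(-sha1($|-)|group1-)'
}

# Print a ~/.ssh/config stanza that enables one legacy kex algorithm for a
# single host only.  $1 alias, $2 hostname/IP, $3 port, $4 algorithm.
legacy_host_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    KexAlgorithms +%s\n' \
        "$1" "$2" "$3" "$4"
}

# Usage:
#   printf '%s\n' "$SAMPLE_ERROR" | weak_kex
#   legacy_host_stanza legacy-box 10.129.87.203 22022 diffie-hellman-group1-sha1 >> ~/.ssh/config
#   ssh sunny@legacy-box
```

Scoping the algorithm to a `Host` stanza means the rest of your connections keep the modern defaults; the `+` prefix keeps those defaults for the legacy host too and merely adds the old algorithm at the end of the list.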

## keys

* If you found an encrypted ssh_key and know its passphrase
* You can strip the passphrase like this (works for PEM-format keys; a file starting `-----BEGIN OPENSSH PRIVATE KEY-----` needs `ssh-keygen -p` instead of openssl):

```
> openssl rsa -in privkey -out decodedkey     ..enter: mysecretkey
```

## SSH Konami Code (pivot)

* ssh port forward (ref: [SSHPivots](https://pentest.mxhx.org/06-linux-privesc/06-pivots#ssh-pivots))
* While still in the same ssh session
* <https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/>
* The `~` escape is only recognised at the start of a line, so press Enter first; on OpenSSH 9.2 and newer the `~C` command line is disabled by default and needs `EnableEscapeCommandline yes` in ssh_config
* Dynamic (SOCKS) port forward listening on localhost:1080, tunnelled through the existing SSH session
* And you get to keep your session!
* Scenario: VNC Server is only exposed locally on PoisonHTB.

```
-----------
ssh myserver
<Enter>                    ..new line, so the escape is recognised
~C                         ..command line options for ssh
ssh> -D 1080               ..dynamic (SOCKS) forward on local port 1080

netstat -anlp | grep 1080  ..local to confirm listening (should be bound to 127.0.0.1)

-----------
Firefox
New Proxy > Manual > 127.0.0.1 1080 SOCKSv5
(don't exclude localhost from the proxy, or the request never enters the tunnel)

Firefox
http://127.0.0.1:5901      ..route through 1080 to vnc port 5901
```
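The `netstat` check above matters for more than "is it up": a `-D` forward binds to the loopback address unless you add `-g` or a bind address, and a SOCKS proxy bound to `0.0.0.0` turns your own machine into an open relay into the target network. As an added example (not part of the original notes), these POSIX shell functions parse `netstat -anlp`-style output for the listeners on a given port and confirm they are loopback-only. The netstat text is a constructed sample.

```shell
#!/bin/sh
# Constructed sample of `netstat -anlp` output (not captured from a real host):
# the ssh client's SOCKS listener on IPv4 and IPv6 loopback, plus sshd on 22.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1080          0.0.0.0:*               LISTEN      4242/ssh
tcp6       0      0 ::1:1080                :::*                    LISTEN      4242/ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -'

# Read netstat-style text on stdin and print the local address of every
# LISTEN socket on port $1 (the port suffix is stripped, so "::1:1080" -> "::1").
listener_addrs() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# Exit 0 when something listens on port $1 AND every such listener is bound
# to a loopback address; exit 1 if nothing listens or any bind is wider.
socks_is_local_only() {
    addrs=$(listener_addrs "$1")
    [ -n "$addrs" ] || return 1                                   # not listening at all
    printf '%s\n' "$addrs" | grep -qvE '^(127\.0\.0\.1|::1)$' && return 1   # a non-loopback bind
    return 0
}

# Usage: netstat -anlp | socks_is_local_only 1080 && echo "SOCKS is loopback-only"
```

If the check fails after a `~C -D 1080`, the forward was probably created with `-g` or with an explicit bind address; re-create it without them unless another host is meant to share the tunnel.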

## ssh key crack

* [ssh2john](https://pentest.mxhx.org/05-passwords-ciphers/05-crask-sshprivkey-passphrase#ssh-2-john)
