Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Connect with pem/user/ip
  • Root Logins Allowed
  • Unable to negotiate
  • keys
  • SSH Konami Code (pivot)
  • ssh key crack

Was this helpful?

  1. 03 Getting In

SSH Tips

Connect with pem/user/ip

  • This will allow you to stay connected to the CTF (metasploitCtf)

chmod 600 ctf.pem
ssh -i ctf.pem user@54.x.x.x

Root Logins Allowed

  • Found an ssh key, but can you log in with root?

grep PermitRootLogin /etc/sshd_config 
vim root_key 
mod 600 root_key 
ssh -i root_key root@192.168.x.x

Unable to negotiate

REF: sundayHTB

> ssh sunny@10.129.87.203 -p 22022
Unable to negotiate with 10.129.87.203 port 22022: no matching key exchange method found. 
Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.129.87.203 -p 22022
..connect!

keys

  • If you found the ssh_key and the password

  • You can decode it like this:

> openssl rsa -in privkey -out decodedkey     ..enter: mysecretkey

SSH Konami Code (pivot)

  • While still in the same ssh session

  • Dynamic Port Forward listening on localhost:1080 going to SSH

  • And you get to keep your session!

  • Scenario: VNC Server is only exposed locally on PoisonHTB.

-----------
ssh myserver
<Enter>                    ..new line
~C                         ..commandline options for ssh
ssh> -D 1080               ..Dynamic port to 9001 

netstat -anlp | grep 1080  ..local to confirm listening

-----------
Firefox
New Proxy > Manual > 127.0.0.1 1080 SOCKSv5
(dont block localhost)

Firefox
http://127.0.0.1:5901      ..route through 1080 to vnc port 5901

ssh key crack

PreviousSMB SambaNextSQLite3

Last updated 2 years ago

Was this helpful?

ssh port forward (ref: )

https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/
SSHPivots
ssh2john