# SSH Tips

## Connect with pem/user/ip

* This will allow you to stay connected to the CTF (metasploitCtf)

```
chmod 600 ctf.pem
ssh -i ctf.pem user@54.x.x.x
```

## Root Logins Allowed

* Found an ssh key, but can you log in with root?

```
grep PermitRootLogin /etc/ssh/sshd_config
vim root_key
chmod 600 root_key
ssh -i root_key root@192.168.x.x 
```

## Unable to negotiate

REF: sundayHTB

```
> ssh sunny@10.129.87.203 -p 22022
Unable to negotiate with 10.129.87.203 port 22022: no matching key exchange method found. 
Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.129.87.203 -p 22022
..connect!
```
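The `-o` flag above only applies to that one invocation. As an added example (not from the original notes), this helper reads the same error text and prints an `ssh_config` `Host` block, so the legacy algorithm is enabled for that host only and not client-wide. The name `legacy_stanza` and the supported-algorithm list are assumptions, and it also covers the host key, cipher and MAC variants of the error.

```sh
#!/bin/sh
# Added example: turn an OpenSSH "Unable to negotiate" error into a
# host-scoped ssh_config stanza. legacy_stanza is a hypothetical helper name.
#   $1 = error text printed by ssh
#   $2 = algorithms the local client implements, e.g. "$(ssh -Q kex)"
legacy_stanza() {
    err=$1
    supported=$(printf '%s' "$2" | tr '\n,' '  ')

    # The failed negotiation step decides which option has to be extended.
    case $err in
        *"no matching key exchange method"*) opt=KexAlgorithms ;;
        *"no matching host key type"*)       opt=HostKeyAlgorithms ;;
        *"no matching cipher"*)              opt=Ciphers ;;
        *"no matching MAC"*)                 opt=MACs ;;
        *) return 1 ;;                       # not a negotiation failure
    esac

    host=$(printf '%s\n' "$err" | sed -n 's/^Unable to negotiate with \([^ ]*\) port [0-9]*:.*/\1/p')
    port=$(printf '%s\n' "$err" | sed -n 's/^Unable to negotiate with [^ ]* port \([0-9]*\):.*/\1/p')
    offer=$(printf '%s\n' "$err" | sed -n 's/.*Their offer: *//p')

    # Keep only offered algorithms that the local client can actually speak.
    picks=
    old_ifs=$IFS; IFS=,
    for alg in $offer; do
        case " $supported " in
            *" $alg "*) picks="${picks:+$picks,}$alg" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$picks" ] || return 2              # nothing in common with the server

    # "+" appends to the client's defaults, and only inside this Host block.
    printf 'Host %s\n    Port %s\n    %s +%s\n' "$host" "$port" "$opt" "$picks"
}

# Error text from the session above; the supported list is constructed.
sample='Unable to negotiate with 10.129.87.203 port 22022: no matching key exchange method found. Their offer: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'
legacy_stanza "$sample" "curve25519-sha256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1"
```

Append the printed block to `~/.ssh/config`; a return code of 2 means the client implements none of the offered algorithms.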

## keys

* If you found a passphrase-protected SSH private key and its passphrase
* You can decrypt it (write out a copy without the passphrase) like this:

```
> openssl rsa -in privkey -out decodedkey     ..enter: mysecretkey
```

## SSH Konami Code (pivot)

* ssh port forward (ref: [SSHPivots](/06-linux-privesc/06-pivots.md#ssh-pivots))
* While still in the same ssh session
* <https://www.sans.org/blog/using-the-ssh-konami-code-ssh-control-sequences/>
* Dynamic Port Forward listening on localhost:1080 going to SSH
* And you get to keep your session!
* Scenario: VNC Server is only exposed locally on PoisonHTB.

```
-----------
ssh myserver
<Enter>                    ..new line
~C                         ..commandline options for ssh
ssh> -D 1080               ..Dynamic port forward on local port 1080

netstat -anlp | grep 1080  ..local to confirm listening

-----------
Firefox
New Proxy > Manual > 127.0.0.1 1080 SOCKSv5
(don't block localhost)

Firefox
http://127.0.0.1:5901      ..route through 1080 to vnc port 5901
```

## ssh key crack

* [ssh2john](/05-passwords-ciphers/05-crask-sshprivkey-passphrase.md#ssh-2-john)

