Solution
rcity11@35e08a7255bf:~$ ls -l
total 8
-r--r----- 1 root rcity11 1876 Mar 6 08:04 id_rsa.rcity12
-rw-r--r-- 1 root root 1556 Mar 6 08:04 wordlist.txt
First, connect over SSH and check the files.
wordlist.txt can be downloaded from the challenge page, but id_rsa.rcity12 also has to be moved, so to work on a host other than rcity11, fetch both files with scp.
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# scp -P 31338 rcity11@ctf.redraccoon.kr:/home/rcity11/* .
rcity11@ctf.redraccoon.kr's password:
id_rsa.rcity12 100% 1876 4.5KB/s 00:00
wordlist.txt 100% 1556 3.7KB/s 00:00
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# ls
id_rsa.rcity12 wordlist.txt
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# file id_rsa.rcity12
id_rsa.rcity12: OpenSSH private key
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# cat id_rsa.rcity12
-----BEGIN OPENSSH PRIVATE KEY-----
(key body omitted)
-----END OPENSSH PRIVATE KEY-----
Looking at it, id_rsa.rcity12 appears to be rcity12's private key.
It looks like John the Ripper is installed on Kali Linux by default, but for now let's follow the link given in the hint.
Hint link: https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/
The linked article explains the process in detail.
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
--2024-04-01 04:27:53-- https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9677 (9.5K) [text/plain]
Saving to: ‘ssh2john.py’
ssh2john.py 100%[=====================================>] 9.45K --.-KB/s in 0.004s
2024-04-01 04:27:54 (2.11 MB/s) - ‘ssh2john.py’ saved [9677/9677]
Download ssh2john.py with wget. Then convert the OpenSSH private key into a format john can use, as shown below. The provided wordlist.txt uses , as its separator, which has to be replaced with \n.
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# python ssh2john.py id_rsa.rcity12 > id_rsa.hash
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# ls
id_rsa.hash id_rsa.rcity12 ssh2john.py wordlist.txt
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# cat wordlist.txt
123456,Jok3r,12345,123456789,password,iloveyou,princess,1234567,rockyou,12345678,abc123,nicole,daniel,babygirl,monkey,lovely,jessica,654321,michael,ashley,qwerty,111111,iloveu,000000,michelle,tigger,sunshine,chocolate,password1,soccer,anthony,friends,butterfly,purple,angel,jordan,liverpool,justin,loveme,fuckyou,123123,football,secret,andrea,carlos,jennifer,joshua,bubbles,1234567890,superman,hannah,amanda,loveyou,pretty,basketball,andrew,angels,tweety,flower,playboy,hello,elizabeth,hottie,tinkerbell,charlie,samantha,barbie,chelsea,lovers,teamo,jasmine,brandon,666666,shadow,melissa,eminem,matthew,robert,danielle,forever,family,jonathan,987654321,computer,whatever,dragon,vanessa,cookie,naruto,summer,sweety,spongebob,joseph,junior,softball,taylor,yellow,daniela,lauren,mickey,princesa,alexandra,alexis,jesus,estrella,miguel,william,thomas,beautiful,mylove,angela,poohbear,patrick,iloveme,sakura,adrian,alexander,destiny,christian,121212,sayang,america,dancer,monica,richard,112233,princess1,555555,diamond,carolina,steven,rangers,louise,orange,789456,999999,shorty,11111,nathan,snoopy,gabriel,hunter,cherry,killer,sandra,alejandro,buster,george,brittany,alejandra,patricia,rachel,tequiero,7777777,cheese,159753,arsenal,dolphin,antonio,heather,david,ginger,stephanie,peanut,blink182,sweetie,222222,beauty,987654,victoria,honey,00000,fernando,pokemon,maggie,corazon,chicken,pepper,cristina,rainbow,kisses,manuel,myspace,rebelde,angel1,ricardo,babygurl,heaven,55555,baseball,martin,greenday,november,alyssa,madison,mother,123321,123abc,mahalkita,batman
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# sed 's/,/\n/g' wordlist.txt > sed_word.txt
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# cat sed_word.txt
123456
Jok3r
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
nicole
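Like this. Brute-forcing is normally done with a file such as password.lst, whose entries are separated by \n (a newline) rather than by , so the list has to be converted this way before john can read it and the brute-force can run.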
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# john id_rsa.hash --wordlist=sed_word.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sayang (id_rsa.rcity12)
1g 0:00:00:07 DONE (2024-04-01 04:37) 0.1253g/s 16.04p/s 16.04c/s 16.04C/s patrick..555555
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The brute-force attack succeeded and found the password sayang.
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# chmod 400 id_rsa.rcity12
┌──(root㉿kali)-[~/raccoon/rcity/11]
└─# ssh -i id_rsa.rcity12 rcity12@ctf.redraccoon.kr -p 31338
Enter passphrase for key 'id_rsa.rcity12': sayang
rcity12@35e08a7255bf:~$ ls
rcity11-flag-for-ctfd.txt rcity12-flag1.txt rcity12-flag2.txt
rcity12@35e08a7255bf:~$ cat rcity11-flag-for-ctfd.txt
d7M6h9R3jP4w1Z2c0V8
rcity12@35e08a7255bf:~$
Flag obtained.