{
"$type": "site.standard.document",
"canonicalUrl": "https:/finxol.eu/posts/writeup-heroctf-prog-ssh",
"description": "Write-up for the programming challenge \"SSHs\" @ HeroCTF 2022",
"path": "/posts/writeup-heroctf-prog-ssh",
"publishedAt": "2022-05-30T00:00:00.000Z",
"site": "at://did:plc:hpmpe3pzpdtxbmvhlwrevhju/site.standard.publication/3mndozltfas27",
"tags": [
"writeup",
"HeroCTF"
],
"textContent": "Description\n\nEvery user can read the private rsa key of the next user. You just have to grab it, and ssh as the next. But... there\nare 250 ?!?<br>\nLet's automate it ! (The last user has a _flag.txt_ at the root of his home directory)\n\nThe base credentials are:\n\n<code-group>\n <code-block label=\"Username\" active>\n\n user1:password123\n\n </code-block>\n <code-block label=\"Host\">\n\n Host : xxxx.heroctf.fr\n Port : xxxx\n\n </code-block>\n</code-group>\n\nFormat : Hero{flag}<br>\nAuthor : Log_s\n\nSolution\n\nBefore doing anything else, let's just log in as the base user to have a look around.\n\nWith a simple ssh user1@xxxx.heroctf.fr and using password123 as the password,\nwe can get ssh access to the machine as user1.\n\nOnce logged in, we can see that in the home directory, there is an executable file called getSSHKey,\nwhich simply returns the SSH key of the next user as plaintext.\nWe also know from the description of the challenge that there are 249 users.\n\nWith this information, we can now write a simple bash script to automate the retrieval of the SSH keys and, in turn, the flag.\n(sorry not sorry Windows users)\n\nThe use of sshpass instead of the plain old ssh for the first login enables us to give the password\ndirectly as a command argument instead of being prompted to enter it manually.<br>\nThe use of 1> at the end of each command redirects the standard output (stdout, not stderr) to a specified file;\nhere the file is used to save the key.\n\nEt voilà!\nWe can now simply wait for the programme to execute and the flag will magically appear a few seconds later!",
"title": "HeroCTF Write-Up SSHs"
}