Personal blog written from scratch using Node.js, Bootstrap, and MySQL. https://jrtechs.net
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

280 lines
6.8 KiB

  1. A few weeks ago at [RITlug](https://ritlug.com) I gave a talk teaching people
  2. about how to use SSH. After a quick presentation going over the basics of SSH
  3. there was a CTF-esk challenge. We had a great turnout and engagement during this
  4. meeting so I look forward to making more interactive workshops like this in the future.
  5. <customHTML />
  6. # SSH Challenge
  7. This section will go over the SSH challenge and how to solve it.
  8. Please note: although passwords, hosts, etc are given, the challenge is no-longer active so none of them will work.
  9. ## Basic SSH
  10. This initial challenge was simply connecting to the base VM with a provided username and password.
  11. ```
  12. ssh ritlug@demo.ritlug.com
  13. ```
  14. In the home directory there is a file called hint.md.
  15. Since no text editors were installed, you had to use the cat command to view the contents of the file.
  16. ```
  17. host: localhost
  18. user: ritlug1
  19. port: 8888
  20. password: password21
  21. ```
  22. ## SSH With Different Port
  23. Based on the previous hint, you have to SSH into another SSH server from the base VM running on a non-default port.
  24. ```
  25. # on main connection(demo.ritlug.com)
  26. ssh ritlug1@localhost -p 8888
  27. ```
  28. Once again you will find a file called hint.md in the home directory. There is also
  29. a key file called id_rsa in the home directory.
  30. ```
  31. Time to jump ships again :)
  32. host: ssh2
  33. port: 22
  34. user: ritlug2
  35. auth: key in home directory
  36. ```
  37. ## SSH With Key File
  38. While in the first container, SSH into another container with a key file.
  39. ```
  40. # on ritlug1@localhost connection
  41. ssh ritlug2@ssh2 -i id_rsa
  42. ```
  43. The hint in this vm is as follows:
  44. ```
  45. Shall we play a game?
  46. SSH back into the starting vm (demo.ritlug.com)
  47. host: localhost
  48. port: 3333
  49. user: ritlug4
  50. password: something?
  51. ```
  52. ## SSH into Custom SSH Python Server
  53. SSH into a custom SSH server and play a RITlug trivia game.
  54. ```
  55. # on main ssh connection
  56. ssh ritlug4@localhost -p 3333
  57. ```
  58. ![ssh game](media/ssh/game.png)
  59. Since the screenshot does not show it, here are the answers to the three RITlug trivia questions:
  60. ```
  61. rit-lug.slack.com
  62. teleirc
  63. mirrors.ritlug.com
  64. ```
  65. ## Access and Play and Hack Game on Internal Web Server
  66. This is the part of the challenge where it starts getting more difficult.
  67. This challenge requires you to port forward localhost:someport to the remote machine's localhost:7777 so you can access a website on your computer.
  68. ```
  69. # On your computer
  70. ssh -L 7777:localhost:7777 ritlug@demo.ritlug.com
  71. ```
  72. The key was given in the last hint as "ritlugFunziesPassword".
  73. ![ssh game](media/ssh/enterKey.png)
  74. Open web browser and play the game....
  75. ![ssh game](media/ssh/zombieGame.png)
  76. The game is way to hard to win; hack it!
  77. There are many ways to hack this basic Javascript game, but, the most basic is to just tell the server that you are scoring a ton of points and then navigate to the /endgame page.
  78. ```javascript
  79. //run this in the console of the game or end game page
  80. for(var i = 0; i < 500; i++)
  81. {
  82. console.log("Sending stonks.");
  83. $.ajax({
  84. type:'POST',
  85. url: "/stonks",
  86. crossDomain: true,
  87. dataType: "json",
  88. timeout: 3000
  89. });
  90. }
  91. ```
  92. After you acquired a score of over 100 "stonks" you see this at the /endGame page.
  93. ![ssh game](media/ssh/finalHint.png)
  94. ## Forward Local Web Server to Remote Host
  95. Deciphering and figuring out how to complete this challenge was by far the hardest challenge.
  96. There was a remote nginx web server running in a docker container which only had its SSH and web ports exposed.
  97. Here is the nginx config for this server:
  98. ```nginx
  99. worker_processes 1;
  100. events { worker_connections 1024; }
  101. http {
  102. server {
  103. listen 80;
  104. location / {
  105. proxy_pass http://localhost:4444;
  106. proxy_redirect off;
  107. proxy_set_header Host $host;
  108. proxy_set_header X-Real-IP $remote_addr;
  109. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  110. proxy_set_header X-Forwarded-Host $server_name;
  111. }
  112. }
  113. }
  114. ```
  115. To complete this challenge you had to make a web server running on port 4444 visible to the nginx server.
  116. To do this it took three steps. First, you have to start some web server. Second, you had to local forward the external
  117. VM's ssh port to your computer. Next using that local forwarded port, you have to reverse forward the port of your web server
  118. to the remote computer.
  119. ```
  120. # start your web server listening on port 8989 or something
  121. node server.js
  122. # forward the ssh port of the remote machine to your local computer.
  123. ssh -L 5555:localhost:5555 ritlug@demo.ritlug.com
  124. # forward your web server to the remote machine
  125. ssh ritlug6@localhost -p 5555 -R 4444:localhost:8989
  126. ```
  127. Once this is done, your local web-server will be visible on demo.ritlug.com.
  128. Neat.
  129. ## High Level Answer Key
  130. ![key diagram](media/ssh/key.png)
  131. # Installing an Instance of this Challenge
  132. This section goes over how to run the docker containers used in this challenge on a stock Debian install.
  133. ## Install Docker
  134. ```
  135. apt update
  136. apt upgrade
  137. apt install apt-transport-https ca-certificates curl software-properties-common gnupg2
  138. curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
  139. add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  140. apt update
  141. apt install docker-ce
  142. ```
  143. ## Install Docker-Compose
  144. ```
  145. curl -L https://github.com/docker/compose/releases/download/1.25.0-rc2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
  146. chmod +x /usr/local/bin/docker-compose
  147. ```
  148. ## Create Firewall
  149. Create firewall to block everything that is not ports 80 or 22
  150. ```
  151. apt-get install ufw
  152. ufw enable
  153. ufw allow 22:80/tcp
  154. ufw deny 1000:9999/tcp
  155. ```
  156. ### Docker Firewall Trickery
  157. Docker tampers directly with IPTables, so, ufw alone won't block people from accessing the internal services running on ports 7777, etc.
  158. #### When When Running Single Container
  159. Edit /etc/default/docker and uncomment the DOCKER_OPTS line:
  160. ```
  161. DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
  162. ```
  163. #### Running Docker Compose
  164. Since we are using systemd with Docker Compose, we have to set the iptables flag by creating the following file with:
  165. /etc/docker/daemon.json
  166. ```
  167. {
  168. "iptables": false
  169. }
  170. ```
  171. ## Add Base User For Demo
  172. ```
  173. useradd -ms /bin/bash ritlug
  174. echo ritlug:ritLugSep6! | chpasswd
  175. ```
  176. ## Install project files on system
  177. ```
  178. git clone https://github.com/jrtechs/ssh-challenge.git
  179. cd ssh-challenge
  180. # Prevents the ritlug user from modifying the hint file
  181. cp hint.md /home/ritlug/hint.md
  182. chmod 0555 /home/ritlug/
  183. ```
  184. ## Running the Project
  185. ```
  186. docker-compose build
  187. docker-compose up
  188. ```
  189. # Resources
  190. - [SSH Essentials](https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys)
  191. - [SSH Config Files](https://linuxize.com/post/using-the-ssh-config-file/)
  192. - [Git Repo and Write Up for Challenges](https://github.com/jrtechs/ssh-challenge)