jrtechs
/
jrtechs-NodeJSBlog
mirror of https://github.com/jrtechs/NodeJSBlog.git
1
0
Fork 0
Code Issues 0 Releases 0 Wiki Activity
Personal blog written from scratch using Node.js, Bootstrap, and MySQL. https://jrtechs.net
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
342 Commits
6 Branches
1014 MiB
Tree: 83b7d0237c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '83b7d0237c'
${ noResults }
jrtechs-NodeJSBlog/blogContent/posts/open-source/teaching-ssh-through-a-ctf.md

280 lines
6.8 KiB
Raw Normal View History

Wrote the ssh ctf blog post.
4 years ago
 
  1. A few weeks ago at [RITlug](https://ritlug.com) I gave a talk teaching people
  2. about how to use SSH. After a quick presentation going over the basics of SSH
  3. there was a CTF-esk challenge. We had a great turnout and engagement during this
  4. meeting so I look forward to making more interactive workshops like this in the future.  
  5. 

  6. <customHTML />
  7. 

  8. # SSH Challenge

  9. 

  10. This section will go over the SSH challenge and how to solve it.
  11. Please note: although passwords, hosts, etc are given, the challenge is no-longer active so none of them will work.
  12. 

  13. 

  14. ## 1 Basic SSH

  15. 

  16. This initial challenge was simply connecting to the base VM with a provided username and password.
  17. 

  18. ```
  19. ssh ritlug@demo.ritlug.com
  20. ```
  21. 

  22. In the home directory there is a file called hint.md.
  23. Since no text editors were installed, you had to use the cat command to view the contents of the file.
  24. 

  25. ```
  26. host: localhost
  27. user: ritlug1
  28. port: 8888
  29. password: password21
  30. ```
  31. 

  32. 

  33. ## 2 SSH With Different Port

  34. 

  35. Based on the previous hint, you have to SSH into another SSH server from the base VM running on a non-default port.
  36. 

  37. ```
  38. # on main connection(demo.ritlug.com)

  39. ssh ritlug1@localhost -p 8888
  40. ```
  41. 

  42. Once again you will find a file called hint.md in the home directory. There is also
  43. a key file called id_rsa in the home directory.
  44. 

  45. ```
  46. Time to jump ships again :)
  47. 

  48. host: ssh2
  49. port: 22
  50. user: ritlug2
  51. auth: key in home directory
  52. ```
  53. 

  54. ## 3 SSH With Key File

  55. 

  56. While in the first container, SSH into another container with a key file.
  57. 

  58. ```
  59. # on ritlug1@localhost connection

  60. ssh ritlug2@ssh2 -i id_rsa
  61. ```
  62. 

  63. The hint in this vm is as follows:
  64. 

  65. ```
  66. Shall we play a game?
  67. 

  68. SSH back into the starting vm (demo.ritlug.com)
  69. 

  70. host: localhost
  71. port: 3333
  72. user: ritlug4
  73. password: something?
  74. ```
  75. 

  76. 

  77. ## 4 SSH into Custom SSH Python Server

  78. 

  79. SSH into a custom SSH server and play a RITlug trivia game.
  80. 

  81. ```
  82. # on main ssh connection

  83. ssh ritlug4@localhost -p 3333
  84. ```
  85. 

  86. ![ssh game](media/ssh/game.png)
  87. 

  88. Since the screenshot does not show it, here are the answers to the three RITlug trivia questions:
  89. 

  90. ```
  91. rit-lug.slack.com
  92. teleirc
  93. mirrors.ritlug.com
  94. ```
  95. 

  96. ## 5 Access and Play and Hack Game on Internal Web Server

  97. 

  98. This is the part of the challenge where it starts getting more difficult.
  99. This challenge requires you to port forward localhost:someport to the remote machine's localhost:7777 so you can access a website on your computer.
  100. 

  101. ```
  102. # On your computer

  103. ssh -L 7777:localhost:7777 ritlug@demo.ritlug.com
  104. ```
  105. 

  106. The key was given in the last hint as "ritlugFunziesPassword".
  107. 

  108. ![ssh game](media/ssh/enterKey.png)
  109. 

  110. Open web browser and play the game....
  111. 

  112. ![ssh game](media/ssh/zombieGame.png)
  113. 

  114. The game is way to hard to win; hack it!
  115. There are many ways to hack this basic Javascript game, but, the most basic is to just tell the server that you are scoring a ton of points and then navigate to the /endgame page. 
  116. 

  117. 

  118. ```javascript
  119. //run this in the console of the game or end game page
  120. for(var i = 0; i < 500; i++)
  121. {
  122. 	console.log("Sending stonks.");
  123. 	$.ajax({
  124. 		type:'POST',
  125. 		url: "/stonks",
  126. 		crossDomain: true,
  127. 		dataType: "json",
  128. 		timeout: 3000
  129. 	});
  130. }
  131. ```
  132. 

  133. After you acquired a score of over 100 "stonks" you see this at the /endGame page.
  134. 

  135. ![ssh game](media/ssh/finalHint.png)
  136. 

  137. 

  138. ## 6 Forward Local Web Server to Remote Host

  139. 

  140. Deciphering and figuring out how to complete this challenge was by far the hardest challenge.
  141. There was a remote nginx web server running in a docker container which only had its SSH and web ports exposed.
  142. 

  143. Here is the nginx config for this server:
  144. 

  145. ```nginx
  146. worker_processes 1;
  147. 

  148. events { worker_connections 1024; }
  149. 

  150. http {
  151.     server {
  152.         listen 80;
  153.         location / {
  154.             proxy_pass         http://localhost:4444;
  155.             proxy_redirect     off;
  156.             proxy_set_header   Host $host;
  157.             proxy_set_header   X-Real-IP $remote_addr;
  158.             proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  159.             proxy_set_header   X-Forwarded-Host $server_name;
  160.         }
  161.     }
  162. }
  163. ```
  164. 

  165. To complete this challenge you had to make a web server running on port 4444 visible to the nginx server.
  166. To do this it took three steps. First, you have to start some web server. Second, you had to local forward the external
  167. VM's ssh port to your computer. Next using that local forwarded port, you have to reverse forward the port of your web server
  168. to the remote computer. 
  169. 

  170. ```
  171. # start your web server listening on port 8989 or something

  172. node server.js
  173. 

  174. # forward the ssh port of the remote machine to your local computer.

  175. ssh -L 5555:localhost:5555 ritlug@demo.ritlug.com
  176. 

  177. # forward your web server to the remote machine

  178. ssh ritlug6@localhost -p 5555 -R 4444:localhost:8989
  179. ```
  180. 

  181. Once this is done, your local web-server will be visible on demo.ritlug.com.
  182. Neat.
  183. 

  184. ## High Level Answer Key

  185. 

  186. ![key diagram](media/ssh/key.png)
  187. 

  188. # Installing an Instance of this Challenge

  189. 

  190. This section goes over how to run the docker containers used in this challenge on a stock Debian install.
  191. 

  192. ## Install Docker

  193. 

  194. ```
  195. apt update
  196. apt upgrade
  197. apt install apt-transport-https ca-certificates curl software-properties-common gnupg2
  198. curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
  199. add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
  200. 

  201. apt update
  202. apt install docker-ce
  203. ```
  204. 

  205. 

  206. ## Install Docker-Compose

  207. 

  208. ```
  209. curl -L https://github.com/docker/compose/releases/download/1.25.0-rc2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
  210. chmod +x /usr/local/bin/docker-compose
  211. ```
  212. 

  213. 

  214. ## Create Firewall

  215. 

  216. Create firewall to block everything that is not ports 80 or 22
  217. 

  218. ```
  219. apt-get install ufw
  220. ufw enable
  221. ufw allow 22:80/tcp
  222. ufw deny 1000:9999/tcp
  223. ```
  224. 

  225. ### Docker Firewall Trickery

  226. 

  227. Docker tampers directly with IPTables, so, ufw alone won't block people from accessing the internal services running on ports 7777, etc.
  228. 

  229. #### When When Running Single Container

  230. 

  231. Edit /etc/default/docker and uncomment the DOCKER_OPTS line:
  232. 

  233. ```
  234. DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
  235. ```
  236. 

  237. #### Running Docker Compose

  238. 

  239. Since we are using systemd with Docker Compose, we have to set the iptables flag by creating the following file with:
  240. 

  241. /etc/docker/daemon.json
  242. 

  243. ```
  244. {
  245.     "iptables": false
  246. }
  247. ```
  248. 

  249. 

  250. ## Add Base User For Demo

  251. 

  252. ```
  253. useradd -ms /bin/bash ritlug
  254. echo ritlug:ritLugSep6! | chpasswd
  255. ```
  256. 

  257. ## Install project files on system

  258. 

  259. ```
  260. git clone https://github.com/jrtechs/ssh-challenge.git
  261. 

  262. cd ssh-challenge
  263. 

  264. # Prevents the ritlug user from modifying the hint file

  265. cp hint.md /home/ritlug/hint.md
  266. chmod 0555 /home/ritlug/
  267. ```
  268. 

  269. ## Running the Project

  270. 

  271. ```
  272. docker-compose build
  273. docker-compose up
  274. ```
  275. 

  276. # Resources

  277. 

  278. - [SSH Essentials](https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys)
  279. - [SSH Config Files](https://linuxize.com/post/using-the-ssh-config-file/)
  280. - [Git Repo and Write Up for Challenges](https://github.com/jrtechs/ssh-challenge)