A few weeks ago at [RITlug](https://ritlug.com) I gave a talk teaching people
about how to use SSH. After a quick presentation going over the basics of SSH
there was a CTF-esk challenge. We had a great turnout and engagement during this
meeting so I look forward to making more interactive workshops like this in the future.  

<customHTML />

# SSH Challenge

This section will go over the SSH challenge and how to solve it.
Please note: although passwords, hosts, etc are given, the challenge is no-longer active so none of them will work.


## 1 Basic SSH

This initial challenge was simply connecting to the base VM with a provided username and password.

```
ssh ritlug@demo.ritlug.com
```

In the home directory there is a file called hint.md.
Since no text editors were installed, you had to use the cat command to view the contents of the file.

```
host: localhost
user: ritlug1
port: 8888
password: password21
```


## 2 SSH With Different Port

Based on the previous hint, you have to SSH into another SSH server from the base VM running on a non-default port.

```
# on main connection(demo.ritlug.com)
ssh ritlug1@localhost -p 8888
```

Once again you will find a file called hint.md in the home directory. There is also
a key file called id_rsa in the home directory.

```
Time to jump ships again :)

host: ssh2
port: 22
user: ritlug2
auth: key in home directory
```

## 3 SSH With Key File

While in the first container, SSH into another container with a key file.

```
# on ritlug1@localhost connection
ssh ritlug2@ssh2 -i id_rsa
```

The hint in this vm is as follows:

```
Shall we play a game?

SSH back into the starting vm (demo.ritlug.com)

host: localhost
port: 3333
user: ritlug4
password: something?
```


## 4 SSH into Custom SSH Python Server

SSH into a custom SSH server and play a RITlug trivia game.

```
# on main ssh connection
ssh ritlug4@localhost -p 3333
```

![ssh game](media/ssh/game.png)

Since the screenshot does not show it, here are the answers to the three RITlug trivia questions:

```
rit-lug.slack.com
teleirc
mirrors.ritlug.com
```

## 5 Access and Play and Hack Game on Internal Web Server

This is the part of the challenge where it starts getting more difficult.
This challenge requires you to port forward localhost:someport to the remote machine's localhost:7777 so you can access a website on your computer.

```
# On your computer
ssh -L 7777:localhost:7777 ritlug@demo.ritlug.com
```

The key was given in the last hint as "ritlugFunziesPassword".

![ssh game](media/ssh/enterKey.png)

Open web browser and play the game....

![ssh game](media/ssh/zombieGame.png)

The game is way to hard to win; hack it!
There are many ways to hack this basic Javascript game, but, the most basic is to just tell the server that you are scoring a ton of points and then navigate to the /endgame page. 


```javascript
//run this in the console of the game or end game page
for(var i = 0; i < 500; i++)
{
	console.log("Sending stonks.");
	$.ajax({
		type:'POST',
		url: "/stonks",
		crossDomain: true,
		dataType: "json",
		timeout: 3000
	});
}
```

After you acquired a score of over 100 "stonks" you see this at the /endGame page.

![ssh game](media/ssh/finalHint.png)


## 6 Forward Local Web Server to Remote Host

Deciphering and figuring out how to complete this challenge was by far the hardest challenge.
There was a remote nginx web server running in a docker container which only had its SSH and web ports exposed.

Here is the nginx config for this server:

```nginx
worker_processes 1;

events { worker_connections 1024; }

http {
    server {
        listen 80;
        location / {
            proxy_pass         http://localhost:4444;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
    }
}
```

To complete this challenge you had to make a web server running on port 4444 visible to the nginx server.
To do this it took three steps. First, you have to start some web server. Second, you had to local forward the external
VM's ssh port to your computer. Next using that local forwarded port, you have to reverse forward the port of your web server
to the remote computer. 

```
# start your web server listening on port 8989 or something
node server.js

# forward the ssh port of the remote machine to your local computer.
ssh -L 5555:localhost:5555 ritlug@demo.ritlug.com

# forward your web server to the remote machine
ssh ritlug6@localhost -p 5555 -R 4444:localhost:8989
```

Once this is done, your local web-server will be visible on demo.ritlug.com.
Neat.

## High Level Answer Key

![key diagram](media/ssh/key.png)

# Installing an Instance of this Challenge

This section goes over how to run the docker containers used in this challenge on a stock Debian install.

## Install Docker

```
apt update
apt upgrade
apt install apt-transport-https ca-certificates curl software-properties-common gnupg2
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

apt update
apt install docker-ce
```


## Install Docker-Compose

```
curl -L https://github.com/docker/compose/releases/download/1.25.0-rc2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```


## Create Firewall

Create firewall to block everything that is not ports 80 or 22

```
apt-get install ufw
ufw enable
ufw allow 22:80/tcp
ufw deny 1000:9999/tcp
```

### Docker Firewall Trickery

Docker tampers directly with IPTables, so, ufw alone won't block people from accessing the internal services running on ports 7777, etc.

#### When When Running Single Container

Edit /etc/default/docker and uncomment the DOCKER_OPTS line:

```
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --iptables=false"
```

#### Running Docker Compose

Since we are using systemd with Docker Compose, we have to set the iptables flag by creating the following file with:

/etc/docker/daemon.json

```
{
    "iptables": false
}
```


## Add Base User For Demo

```
useradd -ms /bin/bash ritlug
echo ritlug:ritLugSep6! | chpasswd
```

## Install project files on system

```
git clone https://github.com/jrtechs/ssh-challenge.git

cd ssh-challenge

# Prevents the ritlug user from modifying the hint file
cp hint.md /home/ritlug/hint.md
chmod 0555 /home/ritlug/
```

## Running the Project

```
docker-compose build
docker-compose up
```

# Resources

- [SSH Essentials](https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys)
- [SSH Config Files](https://linuxize.com/post/using-the-ssh-config-file/)
- [Git Repo and Write Up for Challenges](https://github.com/jrtechs/ssh-challenge)