---
title: HeroCTF Write-Up SSHs
description: Write-up for the programming challenge "SSHs" @ HeroCTF 2022
image: /blog/heroctf.jpg
date: 2022-05-30
authors:
 - name: finxol
tags:
 - writeup
 - HeroCTF
published: true
---

### Description

Every user can read the private rsa key of the next user. You just have to grab it, and ssh as the next. But... there
are 250 ?!?<br>
Let's automate it ! (The last user has a *flag.txt* at the root of his home directory)

The base credentials are:

<code-group>
 <code-block label="Username" active>

 user1:password123

 </code-block>
 <code-block label="Host">

 Host : xxxx.heroctf.fr
 Port : xxxx

 </code-block>
</code-group>

Format : **Hero{flag}**<br>
Author : **Log_s**


## Solution

Before doing anything else, let's just log in as the base user to have a look around.

With a simple `ssh user1@xxxx.heroctf.fr` and using `password123` as the password,
we can get SSH access to the machine as `user1`.

Once logged in, we can see that in the home directory, there is an executable file called `getSSHKey`,
which simply prints the SSH key of the next user as plaintext.
We also know from the description of the challenge that there are 249 users.

With this information, we can now write a simple bash script to automate the retrieval of the SSH keys and, in turn, the flag.
(sorry not sorry Windows users)

Using `sshpass` instead of plain old `ssh` for the first login lets us pass the password
directly as a command argument instead of being prompted to enter it manually.
Note that `-p` leaves the password visible in the process list and shell history, which is fine for a throwaway CTF credential; `sshpass -e` reads it from the `SSHPASS` environment variable instead.<br>
The `1>` at the end of each command redirects the standard output (stdout, not stderr) to the specified file;
here the file is used to save the key.

```bash
#!/usr/bin/env bash

# Log in as the first user and save the key of the next user to a file named id1
sshpass -p password123 ssh user1@chall.heroctf.fr -p 10045 "./getSSHKey" 1> id1

# For each user, log in using the previously fetched key, and save the next key in a file named idX,
# where X is the number of the current iteration
for i in {2..249}
do
    prev="id$((i - 1))"
    # Set the correct permissions for the ssh key
    # (ssh refuses a private key file that group or others can access)
    chmod 600 "$prev"
    # Retrieve the next ssh key
    ssh -i "$prev" "user${i}@chall.heroctf.fr" -p 10045 "./getSSHKey" 1> "id${i}"
done

# For the last user, instead of calling getSSHKey, we simply print the contents of flag.txt
# (the loop never tightened the permissions of the last key, so do it here)
chmod 600 id249
ssh -i id249 user250@chall.heroctf.fr -p 10045 "cat flag.txt"
```

Et voilà!
We can now simply wait for the programme to execute and the flag will magically appear a few seconds later!
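
The whole chain rests on one misconfiguration: each account can read the next account's private key. As an added example (not part of the original write-up or of the challenge), this POSIX shell function audits a directory tree for that condition; the name `find_exposed_keys` is an assumption, and it checks file permission bits only, not helper binaries such as `getSSHKey`.

```bash
#!/bin/sh
# Added example: list private keys that accounts other than the owner can read.
# Assumptions: POSIX sh and find; key files start with a PEM/OpenSSH header line.

# find_exposed_keys ROOT
# Prints "<permissions> <owner> <path>" for every regular file under ROOT that
# is group- or world-readable and whose first line is a private-key header.
find_exposed_keys() {
    # -size -128: only files under 64 KiB (find counts 512-byte blocks)
    find "$1" -type f \( -perm -040 -o -perm -004 \) -size -128 \
        -exec sh -c '
            for f do
                # Read only the first line; skip files we cannot open.
                first=
                { IFS= read -r first < "$f"; } 2>/dev/null ||
                    [ -n "$first" ] || continue
                case $first in
                    # Matches RSA, OPENSSH, EC, PKCS#8 and ENCRYPTED headers.
                    "-----BEGIN "*"PRIVATE KEY-----")
                        ls -ld -- "$f" | {
                            read -r perms links owner rest
                            printf "%s %s %s\n" "$perms" "$owner" "$f"
                        } ;;
                esac
            done
        ' sh {} + 2>/dev/null
}
```

Run as root, `find_exposed_keys /home` reports every key that would let one local account log in as another; a key with mode `600` under a non-traversable `.ssh` directory never appears in the output.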