Recap of Last Lesson:

Bandit Level 14

Objective

Find the password to the next level

Intel Given

  • The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14.
  • For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

How to

Checking out our home directory we no longer have data.txt! Now we have a file called sshkey.private to work with. If cat or file on it you’ll see that sshkey.private is a RSA private key. In short, we will use this as our password to SSH into level 14.

SSH keypair exchange is a much more secure method of authentication. Major benefits include difficulty to brute force due to complexity as well as the security of your key in general. In a typical login & password authentication scenario the distant server requires knowledge of your login and password. With a key the distant server only has your public key and your private key remains with you. Thus, if the distant server was ever compromised he hacker would only have your public key and be unable to steal your login information.

You could go about this in two ways. Typically we have been SSHing into our bandit sessions like such.

$ ssh bandit13@bandit.labs.overthewire.org

When prompted for a password we then enter it and we are granted access to the machine. Well now we need to use our private key so that the distant server can bump it up against our public key. To do that we type the following line.

$ ssh bandit14@localhost -i ~/sshkey.private

Why did I use localhost instead of the FQDN (Fully Qualified Domain Name)? Well, for one I used the hint, and two I know something about our environment. We are already logged into the bandit.labs.overthewire.org server. If I wish to SSH into it again with another account I just could just send my command through the loopback interface (localhost) to send it to itself. If you typed the FQDN it wouldn’t know who to contact, probably because there is no internal DNS to resolve the address.

The other way would be to download the key to yourself using secure copy (scp). To copy the file from theoverthewire server simply type

$ scp bandit13@bandit.overthewire.labs.org:sshkey.private ~/Desktop

Enter the password to authenticate to level 13 and the key will be downloaded to your Desktop.

Now you can type the command below from your host machine to authenticate to bandit 14.

sudo ssh bandit14@bandit.labs.overthewire.org -i ~/Desktop/sshkey.private

Note: You have to run the command as a sudo because file permissions are preserved when you scp’d the file. You could change the permissions if you wish.

Conclusion

We discussed connecting to an SSH service with an RSA private key to a distant server who already has our public key. I also very very very briefly went over over how Private/Public key encryption works when authenticating to a service.

Hackmethod is proud to announce Mal_Wear by HM. Exploit/Vulnerability themed nerdy t-shirts! Get them while they last. Dismiss