I learned this technique from the Cyber June'Gle Virtual Training Summit --ty @texas_cyber @VillageRedTeam @randoriattack.
In the "VM instances" page, on your Debian instance's line, on the right side, click the three-dot icon and click "View network details".
On the left side, click Firewall.
At the top center, click "CREATE FIREWALL RULE".
Enter these values, as shown below.
Give the user a password you can remember, and press Enter enough times to complete the process, as shown below.
sudo adduser waldo
sudo apt update
sudo apt install strace -y
Make sure these lines appear uncommented, as shown below.
cd
sudo cp /etc/ssh/sshd_config sshd_config
sudo chmod 777 sshd_config
nano sshd_config
Press Ctrl+X, Y, Enter to save the file. On your Linux server, in an SSH session, execute these commands:
An sshd process is listening on port 2222, as shown below.
sudo /usr/sbin/sshd -f sshd_config -p 2222 &
sudo ss -ntlp
If you get a warning that the fingerprint is not recognized, enter yes, as shown below.
ssh email@example.com -p 2222
When it asks for a password, don't answer yet.
Find the process labelled waldo [priv], as shown below. Note the process ID in the second column in that row, outlined in the image below.
sudo ps aux | grep ssh
Execute this command, changing the process ID to the correct value:
sudo strace -p 23927 2> foo
Flag H 131.1: Stolen Password (10 pts)
On the ssh server, execute this command to see the stolen password, which appears in the fourth line:
The flag is covered by a green rectangle in the image below.
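A defender's check for the strace attachment used in this lab, as an added example that is not part of the original page: it lists sshd processes whose TracerPid field in /proc/<pid>/status is non-zero, which is what the kernel reports while a tracer such as strace is attached. The function names and the sample tree are constructed for illustration (PID 23927 is reused from the command above; 900 and 24001 are made up).

```shell
#!/bin/sh
# Added example: find sshd processes that currently have a tracer attached.

# find_traced_sshd [proc_root]
# Prints one line per traced sshd process: "<pid> <tracer_pid> <tracer_name>".
# proc_root defaults to /proc; the override is an assumption of this example
# so the check can be run against a constructed tree.
find_traced_sshd() {
    proc_root="${1:-/proc}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        # A process may exit between the glob and the read, so tolerate failures.
        name=$(awk '$1 == "Name:" { print $2; exit }' "$status" 2>/dev/null) || continue
        tracer=$(awk '$1 == "TracerPid:" { print $2; exit }' "$status" 2>/dev/null) || continue
        # sshd-session is the per-connection process name in OpenSSH 9.8 and later.
        case "$name" in
            sshd|sshd-*) ;;
            *) continue ;;
        esac
        # TracerPid is 0 when nothing is attached.
        [ -n "$tracer" ] && [ "$tracer" != "0" ] || continue
        pid=${status%/status}
        pid=${pid##*/}
        tracer_name=$(awk '$1 == "Name:" { print $2; exit }' \
            "$proc_root/$tracer/status" 2>/dev/null) || true
        echo "$pid $tracer ${tracer_name:-unknown}"
    done
}

# make_sample_proc
# Builds a constructed /proc-like tree (sample data, not real output) and
# prints its path: one untraced sshd, one sshd traced by strace, and the tracer.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir "$root/900" "$root/23927" "$root/24001"
    printf 'Name:\tsshd\nPid:\t900\nTracerPid:\t0\n' > "$root/900/status"
    printf 'Name:\tsshd\nPid:\t23927\nTracerPid:\t24001\n' > "$root/23927/status"
    printf 'Name:\tstrace\nPid:\t24001\nTracerPid:\t0\n' > "$root/24001/status"
    echo "$root"
}
```

Calling find_traced_sshd with no argument checks the live /proc. TracerPid is only non-zero while the tracer is attached, so this is a point-in-time check.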