 Hey everyone, my name is John Hammond. Welcome back to a little more Pico CTF 2017, trying to get ourselves started in the capture the flag scene. So I would normally continue on the same track we've been working on in the miscellaneous challenges, just moving on to the next 30-point challenge. However, this is more of the same idea of the original leaf of the tree challenge we had approached earlier. That puts us in a location in the file system, but it's on their shell server. So we would normally have to use on the right-hand side that console into the server that is running over in the Pico CTF infrastructure. But since we're on Linux, I want to kind of do it ourselves. So we're not using that web shell. I want to use our own shell. So I'm going to deviate over to the cryptography section, just so I can showcase the keys challenge, which helps us get started and kind of move into using our own shell, our own console to connect to the server on the Pico CTF infrastructure. So the challenge problem here is while web shells are nice, it'd be nice to be able to log in directly. To do so, please add your own public key to tilde forward slash SSH forward slash authorized keys using the web shell. Make sure to copy it correctly. Keys in the SSH banner display when you log in remotely. If you haven't heard of SSH or you don't know some of these authorized keys things or whatever, that's okay. We're going to jump in together. We're going to take a look at the hints and they'll explain like, okay, there are plenty of tutorials out there and it gives us a link here. That's awesome, right? Because we're trying to drive home the point that you can research, you can Google. Let's go ahead and paste this and go to that link and see what it has to say for us. So this is an article on creating SSH keys. SSH is secure shell and that pretty much allows like remote control or communication between one computer and another. Normally, you'll have just a console connection. 
You'll just be using bash, which is the name of the shell or the name of the language that you're typing in when you're typing in that dark purple or black box. That is the command line. So SSH allows us to do that from one computer to another remotely, like across the internet. So that's what we're going to do. We're going to get a shell on the Pico CTF server and be able to explore their file system and access those files that they provide for us. So SSH keys allow us to create a secure connection that doesn't end up using a password but is using a secure key that is cryptographic, etc. So we can scroll down. We don't need to create an SSH key on Windows, but we do need to create an SSH key on Linux. So you can check for existing SSH keys, and we do that with our own computer, with the physical computer or the virtual machine that you're using to run Linux, not on the web server. We're going to check if we have any SSH keys. We can cd into this directory. The tilde represents our home directory, so like /home/john in my case, but that may be whatever user account that you created, and .ssh may be a hidden directory for SSH configuration files and keys, etc. So if you wanted to try this, you can just put that in a terminal on your own. Again, I'll get a big window up here. And then if you get that error, as it says, no such file or directory, then you just don't have that file or that directory already created. That's okay. Remember, as you saw earlier, you can run mkdir .ssh if you want to create that directory and then cd into it from your home directory, from the tilde. And then if you wanted to ls to see if you had any id files or any other private keys in there or public keys, that id refers to a key, that id_ prefix. So we'll see them as they are created. But since we don't have any, we won't have to back up any old keys. 
Now if we want to generate a new key, the step here: if you don't have an existing key, you can generate one with this command. So ssh-keygen -t rsa -C. Remember, these tacks are arguments, like the type here that we can assume, -t, and then comment or whatever, perhaps our email address. So it will ask us where we want to save the key and it'll give us a default location. Again, just putting it in our home directory with the .ssh configuration folder and then id_rsa, or that id key. Cool. Once it's created, you can enter a passphrase and then you will have an SSH key created. So let's go ahead and try that: ssh-keygen -t rsa -C, and then our email address that we want to use. I'm going to go johnhammon010 at gmail.com. We can again hit enter to have the location for us. I'll enter a passphrase here. Type it again. You will not see output as you type it because in the command line it won't show any change, or it won't show any characters being echoed to the screen or displayed, so no one looking over your shoulder can see a password. So once it's been created, you have a public key saved here, ~/.ssh/id_rsa.pub, cool. And the key fingerprint is whatever, whatever, randomart, blah, blah, blah. So now we can ls and we have id_rsa, which is our private key, and id_rsa.pub. You do not want to share your private key with anyone, literally ever. I mean, it's yours. That's your private key. So the prompt says try and add your own public key to .ssh/authorized_keys using the web shell. Okay, so if we wanted to cat out the id_rsa.pub, so our public key right here, that will give us a little bit of crazy text, a little bit of nonsense, but this magic string, all of this good content, we can copy, again, Ctrl+Shift+C, and we'll paste that into the web shell in that authorized_keys location, just as it says here. So we can cd .ssh in the web shell. 
And if this directory doesn't exist, again, we can just create it, mkdir .ssh, cool. Great. And now we can use nano to create an authorized_keys file. Because remember, nano is our text editor, and we can right click, paste from browser, paste that in, hit Ctrl+O to save, Ctrl+X to exit, and perfect. Now we should be able to ssh into this location with that id, with that id_rsa. Our public key is what we'll be using to authenticate. They'll check it with the public key, and we'll be able to log in with ssh, or secure shell. So ssh does like exist already; typically it's installed by default on our Linux computer. Like, fire off ssh, just that command, and it'll give us that help file, that help information on how to run this command. So ssh, all of these optional tacks we can use, arguments, but really it wants a hostname, which we know is that shell2017.picoctf.com. And then the lowercase -i here will give it an identity file to use, a private key. So let's try that. Let's ssh -i, the tilde to denote our home directory, /.ssh, and then id_rsa; again, I use tab complete to complete those, and then I'll paste in that shell2017.picoctf.com, hit enter, it'll ask me do I really trust this, the authenticity of this host? Do you want to continue? Yes we do, because we trust it, and I failed. So the reason that that happened is because I didn't specify a username. It's trying to log me in with my current username, john. It's not prompting me for a password or anything because we're using that key to actually authenticate with, but that's not my username in the web shell or on their server. I'm actually underscore underscore John Hammond. So we need to supply that as the username we want to connect with, because that disparity just isn't going to fly. That's a non-starter. So whatever your username is that you can see in the web shell when you're playing picoCTF, that's what you have to use to actually ssh in. 
I use Ctrl+arrow keys to just move around, dot around the shell like that, and then, as you can see in the output of that ssh help information, we can specify a user@hostname. That's optional; otherwise it will use the default username that you're running on your local computer, but a user@ will let you specify what you want to log in as. So if I ssh -i with that private key, with the user and the correct hostname, now we'll be able to connect, and it says congratulations on setting up ssh key authentication. Here's your flag. Who needs passwords anyways? All right, cool. So that's it. Now we're just like we are on the web shell server, on the server in the web shell, etc., etc., and we've got that flag. So let's take note of that, go into our picoctf directory, make a directory keys, right, cd into that, create the flag so we can save it, and let's create our own simple, simple script just so we don't have to type that over and over and over again when we're trying to actually connect to that picoctf shell. Let's actually, in the above directory, in just the regular picoctf folder, let's try and create a simple, simple bash script. It's not going to be a whole lot of code, it's only just going to be this one command, but that way we can like alias it or kind of give it a new name, so we don't have to type that all the time. First, let's move keys to complete. Holy cow, can't type. And in fact, let's go ahead and submit this flag so we can get the points for it. Who needs passwords? Anyways, awesome, we are all correct. So since we can actually go access that file system now, we can move into leaf of the forest and other challenges that require us to use that shell server. But let's go ahead and create that small script so we don't have to type that long command every time. 
Let's nano, how about connect.sh can be the file name that we're going to call it, or shell.sh might be better for us, because I like to use connect.sh for when we actually are connecting to a netcat service, and just for convenience's sake. So I'll call this shell.sh. So the very, very top of any script that you write is going to need what's called a shebang line. And you can Google that if you want. Shebang line. Yeah, it is a sequence of characters, or just a special notation, that tells the computer, or tells your program, tells your system, that I want to use this specific program to execute this code or run these commands or do this thing. So you can use special ones, like on Linux, to denote, okay, I want to use the location of the Python interpreter, the Python command, the Python shell or script, etc. The Python scripting language. Same thing with bash. If we want to use bash, or the like command line that we're using in Linux, we can say this pound symbol or hashtag, exclamation point, and then the location of that program in our file system. So /bin is where a lot of binaries or computer programs are stored on Linux that are by default in your path, that you can run inside your shell. So if I break out of that, if I actually run which, which is a command to help you find the location of commands or where they live on your file system, like if I were to run which bash, it'll tell me, oh, it's in /bin/bash. And that's the location that we want to use, especially in our shebang line. So up arrow to go back through our history. And let's type that #!/bin/bash, the location of the shell program that we're running. So let's paste in our command, Ctrl+Shift+V, remember, Ctrl+O to save, Ctrl+X to exit. And now we have this script that we can use. But if I try and run it, well, it's going to give me a little bit of an error. You can run a script by using a relative location from your current directory. 
So that means typing the period and then a forward slash. So you're saying, like, from this directory, use this file, and then you could run shell.sh, or the name of your script, but we're going to get a permission denied. So that's because if I list all the permissions in these files here, this shell.sh does not have an executable bit set; we can read and write to this file, but we can't execute it. And these come in kind of triplets here. Obviously, the d at the very front refers to these files as directories, they're folders, but you can also have either the actual user that owns this file or folder read, write and execute, depending on what is set here; you can have the same group that owns this folder or file, that's the second column displayed here, read, write and execute; or you can have everyone, that absolute last column in threes, read, write and execute. However, even in the column for our shell.sh script, we cannot execute it. So we'll use a command, chmod. If you want to learn more about it, remember you can check the man page. That'll give you a description, maybe some examples, an explanation of what the parameters and arguments do. But if we want to just add a permission to this, we can like plus, or minus if we want to remove it, any specific thing, like read, write or execute. So in our case, if we want to execute, we can +x, or simply add the executable bit to it, chmod +x shell.sh, because you want to specify the file or the file name, directory, whatever that you want to work with. And once that's done, you can ls -l. Now you'll see I can read, write and execute this. And it's highlighted in green from LS colors. So now I can dot slash, autocomplete, because now it'll want to execute this, shell.sh, hit enter, it'll go through the connection for us and we've just sshed back in. So now we can look at those other challenges, like leaf of the forest, that require us to be in a specific location on their shell server. 
So cd, paste in that location, and ls, cool. Now we're in that leaf of the forest challenge because we're accessing the files there. Fantastic. So that guide that we were able to walk through, what we were able to learn from doing a little bit of reading, doing our own research and experimenting, tinkering with those commands gave us a shell connection, an ssh connection that we can use from our own computer, our own Linux virtual machine, to do the same thing that we could do in the web shell. But we have a little bit more control now, because web shells, they're not the best. Cool. Thank you guys so much for watching. We will jump into the leaf of the forest challenge in the next video. But for now, I want to give a shout out to my supporters. So thank you to all of these individuals that are helping support me, a little bit of a donation every month. I am so grateful. I really appreciate everything that you do. No matter how small or how big it is, it means the world to me. Hey, if you did like this video, please do press that like button. If you're willing to, maybe leave me a comment or subscribe. And if you really want to support me, check me out on Patreon. Thanks. See you in the next video.
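As an added example that is not from the video or from picoCTF: a small Python check for the "make sure to copy it correctly" step, which parses an OpenSSH public-key line the way sshd would see it and compares its SHA256 fingerprint with whatever actually landed in authorized_keys, so a truncated or mangled paste shows up before the login fails. The key values are constructed (not a real keypair) and the helper names are mine; it assumes plain authorized_keys entries with no leading option list.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian, extra 0x00 byte when the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def build_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Assemble 'ssh-rsa <base64 blob> <comment>', the layout ssh-keygen writes."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_public_key(line: str) -> dict:
    """Decode one key line; ValueError if the blob is damaged or its embedded
    type string does not match the key type written in front of it."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4].ljust(4, b"\0"))
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError(f"blob does not contain a {key_type} key")
    # OpenSSH fingerprint: SHA256 over the raw blob, base64 without '=' padding
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "fingerprint": "SHA256:" + fp}

def key_in_authorized_keys(pub_line: str, authorized_keys: str) -> bool:
    """True if an entry in authorized_keys carries the same fingerprint as
    pub_line. Assumes plain entries with no leading option list ('no-pty,...')."""
    wanted = parse_public_key(pub_line)["fingerprint"]
    for entry in authorized_keys.splitlines():
        if not entry.strip() or entry.startswith("#"):
            continue
        try:
            if parse_public_key(entry)["fingerprint"] == wanted:
                return True
        except ValueError:  # binascii.Error is a ValueError: a mangled paste
            continue
    return False

# Constructed demo values, not a real keypair; BAD_PASTE mimics a truncated copy.
DEMO_KEY = build_rsa_public_key_line(65537, 0xC0FFEE_DEADBEEF_0BADF00D, "demo@example")
BAD_PASTE = DEMO_KEY[:-15]  # drops the comment plus two characters of the blob
```

The fingerprint string matches the `SHA256:` form that `ssh-keygen -lf ~/.ssh/id_rsa.pub` prints, so you can compare the local key and the pasted copy by eye as well.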