Something is not right? I feel like I am in a prison!
We netcat into the given ip and see that we are inside a Linux shell. We try going to the topmost directory and printing all files, but we did not get the flag. So we start inspecting things inside the shell one by one. We notice that, we are able to access the
/root directory. Inside that we see the
.ssh directory with the SSH public and private keys.
We notice that the public key and authorized key files contain the same key. Seeing this we realize that
root user can ssh into the machine without needing any password. So we try
ssh root@localhost 2>&1
We see the error message and realize that it is checking for .ssh keys in
ctf user's repo. So we try explicity mentioning the root user's public key with:
ssh -i /root/.ssh/id_rsa root@localhost
But, it still does not work. When trying to reproduce this in our local machine, we find that whenever we ssh for the first time, there is a prompt which appears, where we need to agree by typing
yes to add the system to the known hosts. So we try to supress the host checking with:
ssh -i /root/.ssh/id_rsa -o StrictHostKeyChecking=no root@localhost
It worked and gave us the flag.