
Certificate SSHenanigans

Difficulty:
Direct link: Function App
Target server: ssh-server-vm.santaworkshopgeeseislands.org

Objective

Request

Go to Pixel Island and review Alabaster Snowball's new SSH certificate configuration and Azure Function App. What type of cookie cache is Alabaster planning to implement?

Alabaster Snowball

Goose of Pixel Island @ Rainraster Cliffs

hisssss

Alabaster Snowball @ Rainraster Cliffs

Hello there! Alabaster Snowball at your service.
I could use your help with my fancy new Azure server at ssh-server-vm.santaworkshopgeeseislands.org.
ChatNPT suggested I upgrade the host to use SSH certificates, such a great idea!
It even generated ready-to-deploy code for an Azure Function App so elves can request their own certificates. What a timesaver!
I'm a little wary though. I'd appreciate it if you could take a peek and confirm everything's secure before I deploy this configuration to all the Geese Islands servers.
Generate yourself a certificate and use the monitor account to access the host. See if you can grab my TODO list.
If you haven't heard of SSH certificates, Thomas Bouve gave an introductory talk and demo on that topic recently.
Oh, and if you need to peek at the Function App code, there's a handy Azure REST API endpoint which will give you details about how the Function App is deployed.

Hints

SSH Certificates Talk

From: Alabaster Snowball
Objective: Certificate SSHenanigans

Check out Thomas Bouve's talk and demo to learn all about how you can upgrade your SSH server configuration to leverage SSH certificates.

Azure Function App Source Code

From: Alabaster Snowball
Objective: Certificate SSHenanigans

The get-source-control Azure REST API endpoint provides details about where an Azure Web App or Function App is deployed from.

Solution

To get started with this challenge, it's a good idea to learn about SSH certificates from the KringleCon talk. Essentially, the goal of this setup is that instead of importing each individual public key, the server can trust any client logging in with a private key whose public key has been signed by the trusted CA. In exchange, the client can also trust the CA, so the server connection is always verified (no unknown-host warning). From the client's perspective, its public key needs to be signed by this trusted CA, and then logging in is possible through this established trust.

CA Trust

From Alabaster, we know the user is monitor and the target server is ssh-server-vm.santaworkshopgeeseislands.org. We also have the Request SSH Certificate function app served from their Azure environment.

Let's create an SSH key pair using ssh-keygen:

monitor Keys

Copy-paste the public key into the Function App. This signs the key using the CA (that is the app's functionality) and ultimately allows SSH access.

Signed Key

Now save the cert returned by the app. Its details can also be verified using ssh-keygen. This confirms what we would expect: it is an SSH user certificate, it is issued for the principal elf, and it allows PTY access.

Cert Verify

At this point, we can SSH in, providing both the private key and the certificate. This command really freaks you out the first time you run it. TWO?!?! -i parameters. 😂

monitor SSH

The Satellite Tracker app, served on first login, is also an interesting find.

SatTracker

For now we have low-privilege access as the monitor account, but it looks like we ultimately need to escalate to alabaster to find out what kind of cookie cache he's implementing.

Low Permissions

Look around the system for interesting information related to the SSH setup. The certificate principals accepted for each account are stored in /etc/ssh/auth_principals. In addition to the KringleCon talk, ChatGPT can be a good source for more information about these principals. We know the monitor account's certificate carries the elf principal, so we can assume admin is likely used for alabaster since he's the admin of this server.

Principals

ChatGPT Principals

Let's get a certificate with the admin principal. This can be done via the Azure REST API Alabaster mentioned, because this machine lives in their Azure environment. Specifically, Alabaster mentioned the get-source-control Azure REST API, which is served from the https://management.azure.com resource. This endpoint requires an authorization token, but since the VM is joined to the Azure environment, it should be possible to obtain this token through Azure Managed Identity. This can be found by looking through the Azure documentation or simply by asking ChatGPT.

ChatGPT Get Token

IMDS is the Azure Instance Metadata Service, and it does provide us the authorization token, just as ChatGPT suggested.

Authorization Token

This access token can now be used in the get-source-control Azure REST API call to retrieve the source control configuration of the Function App. For convenience, you can store this large token in a file for curl; just don't forget to format it properly:

Token File

To build the URL, we need the subscriptionId, resourceGroupName and the app's name; we have this information from all the recon we did in the Azure 101 objective. 😉 Now make the REST API request and learn where the source code is stored:

Source Control

In the GitHub repo, take a look at the Function App's source code. The interesting part is how the client's input (a JSON form) is processed: there's the ssh_pub_key you would expect, and also a principal field, which is apparently accepted from the client 😁 but, if it's not provided, is simply set to DEFAULT_PRINCIPAL.

Code
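As an added illustration (this is not the Function App's own code, which the write-up does not reproduce), here is a constructed stand-in for the issuing handler as described above, beside a hardened version that never lets the client choose the principal, plus a small model of the sshd AuthorizedPrincipalsFile lookup behind the /etc/ssh/auth_principals directory mentioned earlier. The field names ssh_pub_key, principal and DEFAULT_PRINCIPAL come from the write-up; the principal-to-account mapping and the key strings are assumptions.

```python
import json

DEFAULT_PRINCIPAL = "elf"  # name taken from the write-up

# Constructed stand-in for /etc/ssh/auth_principals/<user>: one principal per line.
# The mapping is an assumption based on the write-up, not the server's real files.
AUTH_PRINCIPALS_FILES = {
    "monitor": "elf\n",
    "alabaster": "# server admins\nadmin\n",
}


def issue_vulnerable(body: str) -> tuple:
    """Handler as the write-up describes it: a client-supplied 'principal'
    field, when present, goes straight into the certificate."""
    req = json.loads(body)
    principal = req.get("principal", DEFAULT_PRINCIPAL)
    return 200, {"ssh_pub_key": req["ssh_pub_key"], "principals": [principal]}


def issue_hardened(body: str) -> tuple:
    """Hardened handler: the server assigns the principal; any attempt by the
    client to pick one is rejected (and should be logged as suspicious)."""
    req = json.loads(body)
    if "principal" in req:
        return 400, {"error": "principal is assigned by the server, not the client"}
    pubkey = req.get("ssh_pub_key", "")
    if not pubkey.startswith(("ssh-ed25519 ", "ssh-rsa ", "ecdsa-sha2-nistp256 ")):
        return 400, {"error": "unsupported or malformed public key"}
    return 200, {"ssh_pub_key": pubkey, "principals": [DEFAULT_PRINCIPAL]}


def sshd_allows(user: str, cert_principals: list) -> bool:
    """Approximates sshd's AuthorizedPrincipalsFile check: the login is accepted
    when any principal in the certificate appears in the target user's file."""
    text = AUTH_PRINCIPALS_FILES.get(user, "")
    allowed = {
        line.strip() for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }
    return any(p in allowed for p in cert_principals)
```

With these models, an elf-principal certificate is accepted for monitor but not for alabaster, which is exactly why the client-controlled principal field matters.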

Well, let's set it explicitly then, so the default isn't used. Generate a new key pair using ssh-keygen just like we did for monitor, and use the Burp Suite proxy to manipulate the request before sending it.
Note: If you need a little intro to Burp, you can find it here.

Intercept the request, add the privileged principal (admin) and send it:

Admin Request

Just as expected, this provides the admin-signed certificate:

Admin Cert

Copy it over and save it as admin_cert just like we did for monitor's certificate. Now all that's left is to log in as alabaster (remember, he's the user with the admin principal) and read his to-do note.

Admin SSH

I mean, which one of us did NOT have these kinds of items on their to-do list?!?!

Answer

gingerbread

Response

Alabaster Snowball @ Rainraster Cliffs

Oh my! I was so focused on the SSH configuration I completely missed the vulnerability in the Azure Function App.
Why would ChatNPT generate code with such a glaring vulnerability? It's almost like it wanted my system to be unsafe. Could ChatNPT be evil?
Thanks for the help, I'll go and update the application code immediately!
While we're on the topic of certificates, did you know Active Directory (AD) uses them as well? Apparently the service used to manage them can have misconfigurations too.
You might be wondering about that SatTrackr tool I've installed on the monitor account?
Here's the thing, on my nightly stargazing adventures I started noticing the same satellite above Geese Islands.
I wrote that satellite tracker tool to collect some additional data and sure enough, it's in a geostationary orbit above us.
No idea what that means yet, but I'm keeping a close eye on that thing!

Alabaster is asking all the right questions. So what is this geostationary orbit all about?!?! Interesting! For now, I think it makes sense to go for the kill on their Azure environment - Active Directory auditing next...