Starting point: Markup, ssh key invalid? Stuck trying to get user.txt

I am trying to get the user flag on Markup. The premise is, you do an XXE and get the contents of the id_rsa file. In the walkthrough the response came back in BurpSuite; for me, for some reason, it didn't.

Instead I got the file contents in a popup window on the website itself, that usually notifies the user that their order is successful.

Popup window on the website with the key screenshot: https://imgur.com/TvamJrt

I got my SSH key in the same popup window and pasted it into a new file, titled id_rsa. Then I followed the walkthrough, ran the chmod and tried to ssh with the private key (commands copied verbatim from the tutorial):

chmod 400 id_rsa
ssh -i id_rsa [email protected]

But the response I got from trying to ssh was:

Load key "id_rsa": invalid format

Error message screenshot: https://imgur.com/rLhtpMW

My question is, what is the valid format here? I seem to have mine in the following:

-----BEGIN OPENSSH PRIVATE KEY-----
<36 lines of the key itself, ending with '=='>
-----END OPENSSH PRIVATE KEY-----

I tried generating my own id_rsa to see if the format differs anyhow. It didn't really, except that there were around 50 lines in the file in total and instead of "OPENSSH" it had "RSA", which I have tried changing in the key I copied to no avail.

Should there be a new line anywhere? This is definitely the key, why is SSH unhappy?

tasidonya

Comments

  • edited May 2020

    An update, still no solution.

    Firstly, the file command recognises it as an SSH key, while ssh-keygen doesn't.
    Screenshot: https://imgur.com/7uq1rXX

    Secondly, I have tried to follow the steps outlined here:
    https://superuser.com/questions/1370877/ssh-error-loading-key-id-rsa-invalid-format

    The output of running these commands was not successful:
    Openssl commands: https://imgur.com/bt72iap
    Trying to convert to pkcs8: https://imgur.com/bWcDrMy

    ssh and ssh-add are in the same directory: https://imgur.com/7RWMlHn
    ldd does link to libcrypto.so: https://imgur.com/WvLF0Wm

    In the comments it was suggested that it's a Windows vs Linux line endings problem. I haven't used Windows for this lab, I've been on Kali the entire time, but decided to give it a go anyway.
    https://stackoverflow.com/questions/2613800/how-to-convert-dos-windows-newline-crlf-to-unix-newline-lf-in-a-bash-script
    Both sed and dos2unix didn't yield the desired result.

    Running puttygen "would perform no useful action": https://imgur.com/c2qjOoE

    Another command has been suggested due to the key being invalid:

    chmod 600 id_rsa
    ssh-keygen -p -N "" -m pem -f id_rsa
    

    Output: https://imgur.com/qgdLcXu
    (mine is with key.txt because I tried to copy it again and save it into a different file)

    tasidonya

  • edited May 2020

    Update: I SOLVED IT!

    Hey, internet stranger :) If you got this far without a solution, here is what has worked for me (may need to install puttygen first with sudo apt-get install puttygen):

    chmod 600 id_rsa
    puttygen id_rsa -O private-openssh -o id_rsa.conv
    

    This will convert a key into private OpenSSH format (even though it already should have been one). Source: https://www.ssh.com/ssh/putty/linux/puttygen

    This command will generate an id_rsa.conv and the generated file will already have the correct permissions (chmod 600). Ssh-ing with id_rsa.conv got me into Daniel's desktop.

    I don't know if it's a combination of things I've done previously, but id_rsa was a freshly copied and pasted key into a new file, I've nuked all my previous attempts and started over. I've also noticed that previously the very same command didn't work, so it must be the fact it's a new file.

    Happy hacking!

    tasidonya
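
Added example, not part of the original thread: a Python check for the usual copy-paste damage to an OpenSSH private key file (CRLF line endings, a missing final newline, line breaks rendered as spaces, a truncated body), which also rebuilds the armor with clean 70-column lines. The function name `repair_pasted_key` and the sample data are assumptions made for illustration; the sample is a constructed blob, not a real key.

```python
import base64
import re

MAGIC = b"openssh-key-v1\x00"  # leading bytes of a decoded OpenSSH-format private key
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def repair_pasted_key(text):
    """Return (clean_armor, problems) for key text copied out of a web page."""
    problems = []
    if "\r" in text:
        problems.append("carriage returns (CRLF line endings)")
    if not text.endswith("\n"):
        problems.append("no newline after the END line")
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if m is None:
        raise ValueError("BEGIN/END OPENSSH PRIVATE KEY markers not found")
    if text[:m.start()].strip() or text[m.end():].strip():
        problems.append("extra text outside the BEGIN/END markers")
    raw_body = m.group(1)
    if re.search(r"[^\S\r\n]", raw_body):
        problems.append("spaces or tabs inside the base64 body")
    body = "".join(raw_body.split())  # drop all whitespace, NBSP included
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("body is not valid base64 (truncated or altered)") from exc
    if not blob.startswith(MAGIC):
        raise ValueError("decoded data does not start with openssh-key-v1")
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return "\n".join([BEGIN, *lines, END]) + "\n", problems


if __name__ == "__main__":
    # Constructed sample: magic plus filler bytes, NOT a real or usable key.
    b64 = base64.b64encode(MAGIC + bytes(range(100))).decode()
    # Simulate a paste where the page rendered every line break as a space.
    pasted = " ".join([BEGIN, b64[:70], b64[70:140], b64[140:], END])
    armor, found = repair_pasted_key(pasted)
    print("problems:", found)
    print(armor, end="")
```

After writing the returned armor to a file with mode 600, `ssh-keygen -y -f <file>` should print the public key if the private key now parses.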

  • Glad you got to the bottom of it and thanks for posting your solution for others (sorry I couldn't help, Linux and SSH keys are not my strong suit lol). Too many people just say "nvm I fixed it" and don't explain what they did for other people with the same issue

  • No worries, thank you for posting! I realise this is a very niche problem, but this is the beauty of the forums - there is a very high chance that someone might have struggled with the exact same issue. And if I am the only one - may as well fill this gap and ease the unnecessary struggles for others :)

    tasidonya

  • edited May 2020

    Here is a little addition, that has just occurred to me today to address the problem of copying and pasting from the popup window on the website. I have watched John Hammond's Youtube video on BurpSuite and have noticed the walkthrough seems to completely glance past it, but the missing steps to get the response and the request appearing side-by-side in BurpSuite are:

    • right click on the Intercept form and select "Send to Repeater"
    • click the Repeater tab and you will be able to re-use the same request multiple times instead of intercepting and tweaking a new one every time

    The screenshots in the walkthrough just seem to have the top tabs trimmed off, assuming that it's common knowledge, but for a BurpSuite newbie these are still important little details.

    tasidonya

  • When encountering ssh issues try to use -v option in order to look at what's working and what's not.

    In order to avoid future issues in htb lab boxes etc I'd advise to either create or edit your .ssh/config file to look like this:

    [email protected]:~$ cat .ssh/config
    Host *
        # ssh uses the first value it reads for each option, so both key types go on one line
        PubkeyAcceptedKeyTypes +ssh-dss,ssh-rsa
        HostkeyAlgorithms +ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

    Or you can edit the system-wide config file /etc/ssh/ssh_config so that sudo ssh works for tunneling purposes to accept multiple hostkey types by adding the same line:

    HostkeyAlgorithms +ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

  • @ffolstag Welcome to the forums :) I was not aware of the -v flag's existence in ssh! Thank you for bringing it to my attention. I am also constantly seeking to add new things to my configs! This one will definitely be exciting to try out :)

    tasidonya

  • @tasidonya cheers for sharing, this just saved me a lot of pain XD

  • wasted an hour and a half trying to troubleshoot this. HTB, please at least add a section in the walkthrough to avoid wasting people's time over little stuff like this

  • edited July 11

    @tasidonya thanks for sharing this
