Persistence ssh_public key



First of all, we have to run this command to update the package lists, as you can see below.
  •  sudo apt update -y
┌──(luis㉿kali)-[~]
└─$ sudo apt update -y               
Des:1 http://kali.download/kali kali-rolling InRelease [41,5 kB]
Des:2 http://kali.download/kali kali-rolling/main amd64 Packages [21,0 MB]
Des:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [51,4 MB]
Des:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [117 kB]                               
Des:5 http://kali.download/kali kali-rolling/contrib amd64 Contents (deb) [327 kB]                         
Des:6 http://kali.download/kali kali-rolling/non-free amd64 Packages [198 kB]                              
Des:7 http://kali.download/kali kali-rolling/non-free amd64 Contents (deb) [911 kB]                        
Des:8 http://kali.download/kali kali-rolling/non-free-firmware amd64 Packages [10,8 kB]                    
Des:9 http://kali.download/kali kali-rolling/non-free-firmware amd64 Contents (deb) [26,7 kB]              
Descargados 74,0 MB en 16s (4.686 kB/s)                                                                    
Se pueden actualizar 263 paquetes. Ejecute «apt list --upgradable» para verlos. 

Now we have to install Docker to prepare our laboratory, using this command:
  • sudo apt install docker.io -y
┌──(luis㉿kali)-[~]
└─$ sudo apt install docker.io -y 
Los paquetes indicados a continuación se instalaron de forma automática y ya no son necesarios.
  kde-style-oxygen-qt6  liboxygenstyleconfig6-6  python3-pyinstaller-hooks-contrib
  liboxygenstyle6-6     python3-packaging-whl    python3-wheel-whl
Utilice «sudo apt autoremove» para eliminarlos.

Upgrading:
  docker-cli  docker.io

Summary:
  Upgrading: 2, Installing: 0, Removing: 0, Not Upgrading: 261
  Download size: 30,4 MB
  Space needed: 0 B / 49,8 GB available

Des:1 http://http.kali.org/kali kali-rolling/main amd64 docker-cli amd64 26.1.5+dfsg1-9+b9 [7.334 kB]
Des:2 http://http.kali.org/kali kali-rolling/main amd64 docker.io amd64 26.1.5+dfsg1-9+b9 [23,0 MB]
Descargados 30,4 MB en 5s (6.390 kB/s)
(Leyendo la base de datos ... 564796 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../docker-cli_26.1.5+dfsg1-9+b9_amd64.deb ...
Desempaquetando docker-cli (26.1.5+dfsg1-9+b9) sobre (26.1.5+dfsg1-9+b7) ...
Preparando para desempaquetar .../docker.io_26.1.5+dfsg1-9+b9_amd64.deb ...
Desempaquetando docker.io (26.1.5+dfsg1-9+b9) sobre (26.1.5+dfsg1-9+b7) ...
Configurando docker-cli (26.1.5+dfsg1-9+b9) ...
Configurando docker.io (26.1.5+dfsg1-9+b9) ...
Procesando disparadores para kali-menu (2025.3.0) ...
Procesando disparadores para man-db (2.13.1-1) ...
Scanning processes...                                                                                       
Scanning candidates...                                                                                      
Scanning linux images...                                                                                    

Running kernel seems to be up-to-date.

Restarting services...
 systemctl restart docker.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
In addition, we have to execute this command to create the vulnerable machine.
You can see it below: sudo docker run -it debian:latest.
┌──(luis㉿kali)-[~]
└─$ sudo docker run -it debian:latest
root@e2f53feb356c:/#
root@c7e25821b57a:/# apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8793 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [6916 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [272 kB]
Fetched 9327 kB in 3s (2878 kB/s)                        
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Now, we have to install the SSH service with these commands, which you can see below:
  •  apt install openssh-server (To install the SSH service)
  •  service ssh start (To start the SSH service)
root@c7e25821b57a:/# apt install openssh-server
root@c7e25821b57a:/# service ssh start
Starting OpenBSD Secure Shell server: sshd.
In addition, we have to run nmap to check that port 22 (ssh) is open, as you can see below:
  • nmap -n -Pn -p- --min-rate 5000 -sC 172.17.0.2 -vvv 
┌──(root㉿kali)-[~/.ssh]
└─# nmap -n -Pn -p- --min-rate 5000 -sC 172.17.0.2 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 18:31 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.00s elapsed
Initiating ARP Ping Scan at 18:31
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 18:31, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:31
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Completed SYN Stealth Scan at 18:31, 0.86s elapsed (65535 total ports)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.16s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.00s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000060s latency).
Scanned at 2025-08-06 18:31:30 CEST for 1s
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
| ssh-hostkey: 
|   256 d8:5a:18:be:2c:3f:68:ce:d4:69:97:1a:0d:59:c4:e5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7is+CWlIXdJZUakWTbJhUSPv1xVzU1oeq84jQTMPfNR20DDE6GxQHd4VK6Trjcs4BWT2XZHoOyXOlxpH1Ilns=
|   256 b5:9b:32:9c:de:cb:e3:37:b8:07:5f:49:3a:59:89:34 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGnKkLE7rwmvnyh99S8eZDcrxsMai+8TTHJuf4CzFFzn
MAC Address: 02:42:AC:11:00:02 (Unknown)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:31
Completed NSE at 18:31, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB) 
In addition, we have to create a user for the persistence in Linux. The command is:
  • adduser luis 
root@e6bf06553728:/home# adduser luis
Adding user `luis' ...
Adding new group `luis' (1000) ...
Adding new user `luis' (1000) with group `luis (1000)' ...
Creating home directory `/home/luis' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
Sorry, passwords do not match.
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] y
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for luis
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
Adding new user `luis' to supplemental / extra groups `users' ...
Adding user `luis' to group `users' ... 
Next, we have to generate the SSH public key with this command, which you can see below.
  • ssh-keygen 
┌──(luis㉿kali)-[~/.ssh]
└─$ ssh-keygen         
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/luis/.ssh/id_ed25519): 
/home/luis/.ssh/id_ed25519 already exists.
Overwrite (y/n)? y
Enter passphrase for "/home/luis/.ssh/id_ed25519" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/luis/.ssh/id_ed25519
Your public key has been saved in /home/luis/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:eNjubcq0viBFbklmEnmgm2t67AbIsUO+GaKUMhcQlqc luis@kali
The key's randomart image is:
+--[ED25519 256]--+
|.o. oo           |
|o. o...          |
| .+ ..=          |
| E.o B =         |
|= *.  B S        |
|*O.. o o         |
|==B . . o        |
|.=+  . = o.      |
|.+.    .B+.      |
+----[SHA256]-----+
Next, we have to run the following commands, which you can see below:
  •  ls (To list the files)
  •  mv id_ed25519.pub authorized_keys (To rename the public key to authorized_keys)
┌──(luis㉿kali)-[~/.ssh]
└─$ ls
id_ed25519  id_ed25519.pub  known_hosts  known_hosts.old

┌──(luis㉿kali)-[~/.ssh]
└─$ mv id_ed25519.pub authorized_keys
┌──(luis㉿kali)-[~/.ssh]
└─$ ls
authorized_keys  id_ed25519  known_hosts  known_hosts.old 
Now, in the Docker machine, we must execute these commands:
  1. cd luis/ (To change directory)
  2. ls (To list the files)
  3. mkdir -p ~/.ssh (To create the .ssh directory)
  4. chmod 700 ~/.ssh (To set the permissions of the .ssh directory)
root@e6bf06553728:/home#
root@e6bf06553728:/home# cd luis/
root@e6bf06553728:/home/luis# ls  
root@e6bf06553728:/home/luis# mkdir -p ~/.ssh
root@e6bf06553728:/home/luis# chmod 700 ~/.ssh
root@e6bf06553728:/home/luis# ls 
Next, we execute this command to send the public key to the victim,
but as we can see below, host key verification fails.
┌──(luis㉿kali)-[~/.ssh]
└─$ scp authorized_keys luis@172.17.0.2:/tmp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:zsAOR3i4ewKV0mgYzy5kn62Yjmjq343bDEdPO7W5yJg.
Please contact your system administrator.
Add correct host key in /home/luis/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/luis/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f '/home/luis/.ssh/known_hosts' -R '172.17.0.2'
Host key for 172.17.0.2 has changed and you have requested strict checking.
Host key verification failed.
scp: Connection closed 
In addition, we have to execute this command, and then we will be able to obtain access:
  • ssh-keygen -f '/home/luis/.ssh/known_hosts' -R '172.17.0.2' 
┌──(luis㉿kali)-[~/.ssh]
└─$ ssh-keygen -f '/home/luis/.ssh/known_hosts' -R '172.17.0.2'
# Host 172.17.0.2 found: line 1
# Host 172.17.0.2 found: line 2
# Host 172.17.0.2 found: line 3
/home/luis/.ssh/known_hosts updated.
Original contents retained as /home/luis/.ssh/known_hosts.old 
Finally, we have to run the previous command again, as you can see below, and this time the file
should be transferred.
┌──(luis㉿kali)-[~/.ssh]
└─$ scp authorized_keys luis@172.17.0.2:/tmp                   
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:zsAOR3i4ewKV0mgYzy5kn62Yjmjq343bDEdPO7W5yJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
luis@172.17.0.2's password: 
authorized_keys                                                           100%   91    99.7KB/s   00:00    
                                                                                                        
Now, we have to execute the next steps, which are:
  1. ls (To list the files)
  2. mv /tmp/authorized_keys . (To move the file to the current directory)
  3. ls (To list the files)
luis@e6bf06553728:~/.ssh$ ls
luis@e6bf06553728:~/.ssh$ mv /tmp/authorized_keys .
luis@e6bf06553728:~/.ssh$ ls
authorized_keys 
Finally, we should be able to obtain the shell, as you can see below.
┌──(luis㉿kali)-[~/.ssh]
└─$ ssh luis@172.17.0.2                                        
Linux e6bf06553728 6.12.33+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.33-1kali1 (2025-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
luis@e6bf06553728:~$ 
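From the defender's side, a key planted in ~/.ssh/authorized_keys like the one above is found by comparing every entry's fingerprint against a list of approved keys. The following is an added example, not part of the original article: the key blobs, comments and the APPROVED set are constructed sample data, and make_blob is a hypothetical helper that only exists to build them.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return one finding per authorized_keys entry whose key is not approved."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # An entry is "[options] keytype blob [comment]"; find the key type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((lineno, "unparsable", line.strip()))
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((lineno, "bad-base64", line.strip()))
            continue
        if fp not in approved:
            findings.append((lineno, fp, " ".join(tokens[idx + 2:])))
    return findings

def make_blob(seed):
    """Constructed ed25519-shaped blob (not a real key): type string + 32 bytes."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([
    "# constructed sample authorized_keys file",
    "ssh-ed25519 %s admin@bastion" % make_blob(1),
    'no-pty,command="/usr/bin/backup" ssh-ed25519 %s backup@nas' % make_blob(2),
    "ssh-ed25519 %s luis@kali" % make_blob(3),
])
APPROVED = {fingerprint(make_blob(1)), fingerprint(make_blob(2))}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

On a real host, the same audit would be fed the contents of each user's authorized_keys file, with the approved set taken from the output of ssh-keygen -lf on the keys that are meant to be there.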
Thank you very much for reading this article

I hope you liked it and learned something new

This article was written for ethical purposes

Good Hack

  
