Starting point: Markup, ssh key invalid? Stuck trying to get user.txt

I am trying to get the user flag on Markup. The premise is, you do an XXE and get the contents of the id_rsa file. In the walkthrough the response came back in BurpSuite, for me, for some reason it didn’t.

Instead I got the file contents in a popup window on the website itself, that usually notifies the user that their order is successful.

Popup window on the website with the key screenshot: Imgur: The magic of the Internet

I got my SSH key in the same popup window and pasted it into a new file, titled id_rsa. Then I have followed the walkthrough, ran the chmod and tried to ssh with the private key (commands, copied verbatim from the tutorial):

chmod 400 id_rsa
ssh -i id_rsa daniel@10.10.10.49

But the response I got from trying to ssh was:

Load key "id_rsa": invalid format

Error message screenshot: Imgur: The magic of the Internet

My question is, what is the valid format here? I seem to have mine in the following:

-----BEGIN OPENSSH PRIVATE KEY-----
<36 lines of the key itself, ending with '=='>
-----END OPENSSH PRIVATE KEY-----

I tried generating my own id_rsa to see if the format differs anyhow. It didn’t really, except that there were around 50 lines in the file in total and instead of “OPENSSH” it had “RSA”, which I have tried changing in the key I copied to no avail.

Should there be a new line anywhere? This is definitely the key, why is SSH unhappy?

An update, still no solution.

Firstly, the file command recognises it as an SSH key, while ssh-keygen doesn’t.
Screenshot: Imgur: The magic of the Internet

Secondly, I have tried to follow the steps outlined here:

The output of running these commands was not successful:
Openssl commands: Imgur: The magic of the Internet
Trying to convert to pkcs8: Imgur: The magic of the Internet

ssh and ssh-add are in the same directory: Imgur: The magic of the Internet
ldd does link to libcrypto.so: Imgur: The magic of the Internet

In the comments it was suggested that it’s a Windows vs Linux line endings problem. I haven’t used Windows for this lab, I’ve been on Kali the entire time, but decided to give it a go anyway.

Both sed and dos2unix didn’t yield the desired result.

Running puttygen “would perform no useful action”: Imgur: The magic of the Internet

Another command has been suggested due to the key being invalid:

chmod 600 id_rsa
ssh-keygen -p -N "" -m pem -f id_rsa

Output: Imgur: The magic of the Internet
(mine is with key.txt because I tried to copy it again and save it into a different file)

Update: I SOLVED IT!

Hey, internet stranger :slight_smile: If you got this far without a solution, here is what has worked for me (may need to install puttygen first with sudo apt-get install puttygen):

chmod 600 id_rsa
puttygen id_rsa -O private-openssh -o id_rsa.conv

This will convert a key into private Openssh format (even though it already should have been one). Source: https://www.ssh.com/ssh/putty/linux/puttygen

This command will generate an id_rsa.conv and the generated file will already have the correct permissions (chmod 600). Ssh-ing with id_rsa.conv got me into Daniel’s desktop.

I don’t know if it’s a combination of things I’ve done previously, but id_rsa was a freshly copied and pasted key into a new file, I’ve nuked all my previous attempts and started over. I’ve also noticed that previously the very same command didn’t work, so it must be the fact it’s a new file.

Happy hacking!

5 Likes

Glad you got to the bottom of it and thanks for posting your solution for others (sorry I couldn’t help, Linux and SSH keys are not my strong suit lol). Too many people just say “nvm I fixed it” and don’t explain what they did for other people with the same issue

No worries, thank you for posting! I realise this is a very niche problem, but this is the beauty of the forums - there is a very high chance that someone might have struggled with the exact same issue. And if I am the only one - may as well fill this gap and ease the unnecessary struggles for others :slight_smile:

Here is a little addition, that has just occurred to me today to address the problem of copying and pasting from the popup window on the website. I have watched John Hammond’s Youtube video on BurpSuite and have noticed the walkthrough seems to completely glance past it, but the missing steps to get the response and the request appearing side-by-side in BurpSuite are:

  • right click on the Intercept form and selecting “Send to Repeater”
  • click the Repeater tab and you will be able to re-use the same request multiple times instead of intercepting and tweaking a new one every time

The screenshots on the walkthrough just seem to have the top tabs trimmed off, assuming that it’s common knowledge, but for a BurpSuite newbie it’s still important little details.

1 Like

When encountering ssh issues try to use -v option in order to look at what’s working and what’s not.

In order to avoid future issues in htb lab boxes etc I’d advise to either create or edit your .ssh/config file to look like this:

kali@kali:~$ cat .ssh/config
Host *
PubkeyAcceptedKeyTypes=+ssh-dss
PubkeyAcceptedKeyTypes=+ssh-rsa
HostkeyAlgorithms +ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

Or you can edit the system-wide config file /etc/ssh/ssh_config so that sudo ssh works for tunneling purposes to accept multiple hostkey types by adding the same line:

HostkeyAlgorithms +ssh-dss,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

1 Like

@ffolstag Welcome to the forums :slight_smile: I was not aware of the -v flag’s existence in ssh! Thank you for bringing it to my attention. I am also constantly seeking to add new things to my configs! This one will definitely be exciting to try out :slight_smile:

@tasidonya cheers for sharing, this just saved me a lot of pain XD

wasted an hour and a half trying to troubleshoot this. HTB, please at least add a section in the walkthrough to avoid wasting people’s time over little stuff like this

@tasidonya thanks for sharing this

Hello, I’m a noob and I’m hitting a wall here on the ssh. I copied the Openssh private key i got from burp. “chmod 600 id_rsa” I ran the command " ssh -i id_rsa daniel@10.10.10.49" i still keep getting Load key “id_rsa”: invalid format. I followed all the instructions on here. even restarting the machine to no luck.

When i run puttygen i get this
puttygen: unable to load file `id_rsa’: not a recognised key file format

any input would be greatly appreciated.

So i got it to work. So after chmod 400 on id_rsa. I sudo nano id_rsa and removed any spaces

To anybody else still banging their head aginat a brick wall with this, the key has to be in this format:

My Burpsuite didn’t capture the -----END OPENSSH PRIVATE KEY----- bit! Add this at the end of your key file and it might work!

I am stuck in privilege escalation. Modified the job and tried my best. But still, I don’t get connected and the job file automatically changes to default. Can someone help?

I wish I could hug you. I’ve been stuck on this for DAYS trying to figure out how to move forward. THANK YOU so much for going out if your way to post your process and solutions. I tried each of these (except the last one THAT WORKED) before I starting searching for others who ran into this issue. The solution that worked for you, worked for me. Thank you again for your genius.

Thanks!

Thanks @tasidonya for the help! Even though I solved it, I found an easier way. No need to download puttygen and making an id_rsa.conv file. I tested it myself and no Load key “id_rsa”: invalid format popped up. Without giving much away, look over the Readable Private Keys section. Hope this helps someone!

Thanks for working this out. I was having the same issue for a different box.