# sudo su

{% hint style="info" %}
This is another easy one. The pcap contains a single ssh session.

The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the "sudo su" command. The user then typed their password and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user's ssh session.

All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.
{% endhint %}

The talk about SSH introspection planted the idea that this must be possible, so I went hunting for more info.

{% embed url="<https://corelight.blog/2019/11/19/corelight-ssh-inference-package/>" %}

![https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/](/files/-MJgw8Sdgi9K35SteOOZ)

{% embed url="<https://security.stackexchange.com/questions/47192/how-does-ssh-defend-against-keystroke-timing-attacks>" %}

![](/files/-MJgwOIYQe20G7MvTmJF)

And then I found a demo example.

![](/files/-MJgx982-ZPR27t6yVXd)

Hmm, an encrypted-packet counting function. Interesting. The `ssh_encrypted_packet` event fires for every packet after the key exchange, with its direction and length, which is exactly what keystroke counting needs:

```zeek
# Print the length of every encrypted SSH packet, signed by direction:
# positive = client -> server (originator), negative = server -> client.
# Run against the challenge capture with e.g.: zeek -C -r session.pcap ssh_lens.zeek
@load base/protocols/ssh
@load base/frameworks/notice

# Exit as soon as the pcap has been read instead of waiting for terminate().
redef exit_only_after_terminate = F;

# By default Zeek detaches the SSH analyzer once authentication has been
# detected, so ssh_encrypted_packet would stop firing right when the
# interactive session (the part we care about) begins. Keep it attached.
redef SSH::disable_analyzer_after_detection = F;

event ssh_encrypted_packet(c: connection, orig: bool, len: count)
	{
	# orig is T for client -> server packets; negate the server's so the two
	# directions can be told apart in the flat output.
	print orig ? len : len * -1;
	}
```

Running it over the pcap prints one signed length per encrypted packet. The start of the stream is session setup (key exchange, public-key authentication, channel and pty requests) followed by a run of server-to-client packets:

```
44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100
```

The interactive part is where the keystrokes are. Each key the client types becomes the smallest possible client-to-server packet, 36 bytes here (a one-byte payload padded up to the cipher's minimum), and the server's reply to it comes back as a 36-byte packet in the other direction. Annotating the stream key by key, with `?` marking a password character:

```
s       36
       -36
u       36
       -36
d       36
       -36
o       36
       -36
space   36
       -36
s       36
       -36
u       36
       -36
enter   36
       -36
       -68

?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
enter   36
       -36
       -92

^d      36
      -100
^d      36
       -44
       -36
      -176
        36
        60
```

"sudo su" plus Enter is eight 36-byte client packets, and the -68 that follows Enter is sudo prompting for the password. Between that prompt and the next Enter there are six 36-byte client packets, one per password character. The -92 after that Enter is the root shell's prompt, and the two ^D packets close the root shell and then the session, matching the challenge description.

{% hint style="success" %}
The solution!

```
6
```

{% endhint %}
