# sudo su

{% hint style="info" %}
This is another easy one. The pcap contains a single ssh session.

The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the "sudo su" command. The user then typed their password and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user's ssh session.

All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.
{% endhint %}

The talk about ssh introspection had planted the idea that this must be possible, so I went hunting for more information.

{% embed url="https://corelight.blog/2019/11/19/corelight-ssh-inference-package/" %}

![https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/](https://3690043025-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJeilQajqHV4lFhF_rI%2F-MJgur31UYKbjC0UTc2r%2F-MJgw8Sdgi9K35SteOOZ%2Fimage.png?alt=media\&token=02af1390-9062-4286-b661-f23eb8571264)

{% embed url="https://security.stackexchange.com/questions/47192/how-does-ssh-defend-against-keystroke-timing-attacks" %}

![](https://3690043025-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJeilQajqHV4lFhF_rI%2F-MJgur31UYKbjC0UTc2r%2F-MJgwOIYQe20G7MvTmJF%2Fimage.png?alt=media\&token=78a73c98-088b-432f-8236-c496e4a809c5)

And then I found a demo example.

![](https://3690043025-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJeilQajqHV4lFhF_rI%2F-MJgur31UYKbjC0UTc2r%2F-MJgx982-ZPR27t6yVXd%2Fimage.png?alt=media\&token=b1d8e953-6241-40f2-84e3-d17a8e0f4bcc)

Hmm, an encrypted packet counting function. Interesting.

```
@load base/protocols/rdp
@load base/protocols/ssh
@load base/protocols/ssl
@load base/frameworks/notice

redef exit_only_after_terminate = F;

# By default Zeek detaches the SSH analyzer once authentication has been
# detected; keep it attached so every encrypted packet that follows is
# still delivered to ssh_encrypted_packet.
redef SSH::disable_analyzer_after_detection = F;

# One line per encrypted SSH packet: positive lengths are client to server
# (orig), negative lengths are server to client.
event ssh_encrypted_packet (c: connection, orig: bool, len: count) {
    print orig ? len : len * -1;
}

event zeek_init() {

}
```

```
44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100


s       36
       -36
u       36
       -36
d       36
       -36
o       36
       -36
space   36
       -36
s       36
       -36
u       36
       -36
enter   36
       -36
       -68

?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
enter   36

-36
-92



^d      36
       -100
^d      36
       -44
       -36
       -176
        36
        60
```
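The counting done by hand in the annotated dump above can be made repeatable. The Python below is an added example (not part of the original writeup or of the Corelight package) that consumes the signed lengths the Zeek script prints; the sample sequence is constructed from this page's own dump, the keystroke size is taken to be the most common client-to-server length, and, as the challenge states, the first line typed is assumed to be `sudo su`.

```python
from collections import Counter

# Constructed from this page's dump: the tail of the handshake, then
# "sudo su" + Enter, sudo's password prompt, six masked characters + Enter,
# the root prompt, and two Ctrl-D exits. Positive = client to server.
SAMPLE = [652, -28, 112, -500, -44, 460, -108, -100]
SAMPLE += [36, -36] * 8                  # s u d o space s u Enter, each echoed
SAMPLE += [-68]                          # sudo's password prompt
SAMPLE += [36, -36] * 6                  # six password characters
SAMPLE += [36, -36, -92]                 # Enter, its echo, the root prompt
SAMPLE += [36, -100, 36, -44, -36, -176, 36, 60]  # Ctrl-D twice, teardown


def keystroke_size(lengths):
    """Interactive key presses all encrypt to the same small packet size,
    so the most common client-to-server length is taken as that size."""
    return Counter(n for n in lengths if n > 0).most_common(1)[0][0]


def typed_lines(lengths):
    """Split the session into typed lines.

    A keystroke-sized client packet is one key press; a server packet of
    the same size is treated as its echo and ignored. Any larger server
    packet (a prompt, command output) ends the current line. Returns the
    number of key presses, Enter included, for every non-empty line."""
    ks = keystroke_size(lengths)
    lines, pressed = [], 0
    for n in lengths:
        if n == ks:
            pressed += 1
        elif n < 0 and -n > ks:          # more than an echo came back
            if pressed:
                lines.append(pressed)
            pressed = 0
    if pressed:
        lines.append(pressed)
    return lines


def sudo_password_length(lengths, command="sudo su"):
    """If the first typed line has exactly len(command) + 1 key presses (the
    command plus Enter), the next line is the password entered at sudo's
    prompt; its length is that line's key presses minus the Enter.
    Returns None when the first line does not fit the expected command."""
    lines = typed_lines(lengths)
    if len(lines) < 2 or lines[0] != len(command) + 1:
        return None
    return lines[1] - 1
```

On the sample, `typed_lines` yields one line per typed command or password plus one per Ctrl-D, and the handshake noise contributes no lines because no keystroke-sized client packets precede it.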

{% hint style="success" %}
The solution!

```
6
```

{% endhint %}
