
# sudo su

{% hint style="info" %}
This is another easy one. The pcap contains a single ssh session.

The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the "sudo su" command. The user then typed their password and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user's ssh session.

All we want to know is the length of the user's password. It's a number. YOU ONLY GET 2 ATTEMPTS. DON'T WASTE THEM.
{% endhint %}

The talk about SSH introspection planted the idea that this must be possible, so I went on the hunt for more info.

{% embed url="<https://corelight.blog/2019/11/19/corelight-ssh-inference-package/>" %}

![https://corelight.blog/2019/05/07/how-zeek-can-provide-insights-despite-encrypted-communications/](/files/-MJgw8Sdgi9K35SteOOZ)

{% embed url="<https://security.stackexchange.com/questions/47192/how-does-ssh-defend-against-keystroke-timing-attacks>" %}

![](/files/-MJgwOIYQe20G7MvTmJF)

Then I found a demo example.

![](/files/-MJgx982-ZPR27t6yVXd)

Hmm, an encrypted packet counting function. Interesting.

```
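@load base/protocols/rdp
@load base/protocols/ssh
@load base/protocols/ssl
@load base/frameworks/notice

redef exit_only_after_terminate = F;

# Keep the SSH analyzer attached once the session turns encrypted,
# so ssh_encrypted_packet keeps firing for every packet.
redef SSH::disable_analyzer_after_detection = F;

# Print each encrypted packet's length: positive when sent by the
# originator (client), negative when sent by the responder (server).
event ssh_encrypted_packet (c: connection, orig: bool, len: count) {
    print orig ? len : len * -1;
}

event zeek_init() {

}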
```

```
44
-44
68
-52
372
-332
652
-28
112
-500
-44
460
-108
-100
-36
-36
-76
-36
-84
-36
-84
-36
-36
-108
-36
-108
-36
-36
-60
-36
-36
-92
-36
-108
-36
-68
-36
-36
-68
-36
-68
-36
-36
-92
-36
-100


s       36
       -36
u       36
       -36
d       36
       -36
o       36
       -36
space   36
       -36
s       36
       -36
u       36
       -36
enter   36
       -36
       -68

?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
?       36
       -36
enter   36

-36
-92



^d      36
       -100
^d      36
       -44
       -36
       -176
        36
        60
```
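
The counting done by hand above can be scripted. This added example (not part of the original writeup) assumes a single keystroke is a 36-byte client packet, as in this capture, and that any server packet longer than 36 bytes is real output that ends the line being typed; `typed_lines` and `password_length` are hypothetical helper names.

```python
KEYSTROKE = 36  # assumption: encrypted length of a one-keystroke packet in this capture

# Constructed input: the signed lengths from the annotated trace above
# (positive = client, negative = server), starting at the first typed key.
TRACE = (
    [36, -36] * 7 + [36, -36, -68]      # "sudo su" + Enter, then the sudo prompt
    + [36, -36] * 6 + [36, -36, -92]    # unknown keys + Enter, then the root shell
    + [36, -100, 36, -44, -36, -176, 36, 60]  # two Ctrl+D presses and teardown
)


def typed_lines(lengths, keystroke=KEYSTROKE):
    """Count client keystroke packets between bursts of server output.

    A server packet larger than a keystroke-sized reply is treated as real
    output (a prompt or command result), which ends the line being typed.
    """
    lines, keys = [], 0
    for n in lengths:
        if n == keystroke:
            keys += 1
        elif n < -keystroke and keys:
            lines.append(keys)
            keys = 0
    return lines


def password_length(lengths, keystroke=KEYSTROKE):
    """Length of the second typed line, minus its terminating Enter."""
    lines = typed_lines(lengths, keystroke)
    if len(lines) < 2:
        raise ValueError("no second typed line found after the command")
    return lines[1] - 1


if __name__ == "__main__":
    print(typed_lines(TRACE), password_length(TRACE))
```

The first line's count doubles as a sanity check: it must equal the length of the known command `sudo su` plus one for Enter before the second line's count is trusted.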

{% hint style="success" %}
The solution!

```
6
```

{% endhint %}
