For many years, I have been using SSH to connect to network and UC equipment. I never had a need to look beyond the basic connectivity and really review the power of SSH. However, this has recently changed for me.
During my testing and training with several Machines and Challenges on Hack The Box, I had an interesting chat with one of my cohorts about the SSH Identity File flag. During that discussion, he showed me how to use the flag as well as the different scenarios in which he had put it to use.
For those not familiar with it, the SSH Identity File flag (-i) tells the ssh client which private key to use, and the server authenticates that key against the matching public key it holds. Thus, the target, a username, and the private key are all that is needed to establish SSH connectivity to the target.
I was amazed that I could establish an SSH connection and not be prompted for a password. From a pentesting perspective, this would be another way to upgrade an unstable TTY-connected shell to a possibly more stable PTY connection. In addition, this could possibly help strengthen the foothold on a target system. It would, however, leave behind a footprint.
Assuming that a foothold has already been established, I used my attacking system to create a private and public key pair using ssh-keygen.
Note: when creating the public and private keys, do not overwrite the keys stored in /etc/ssh.
With the keys created, I copied the entire contents of the id_rsa.pub file and appended it to the target user's authorized_keys file, located within that user's hidden ~/.ssh folder.
With the keys created and copied, all that was left to do was to establish an SSH connection to the target and use the Identity File flag with the private key.
No password needed.
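The footprint the post mentions is the public key that ends up in the target user's ~/.ssh/authorized_keys. The following script, an added example that is not part of the original post, parses an authorized_keys file the way sshd reads it (optional options field, key type, base64 blob, free-text comment), computes each key's SHA256 fingerprint the same way `ssh-keygen -lf` does, and reports every key whose fingerprint is not on an allowlist of expected keys. The sample file and the key blobs are constructed inline from fixed bytes so the example runs offline; they are syntactically valid entries, not real key pairs. The allowlist set and the `unexpected_keys` function are assumptions of this example, not anything from the post.

```python
"""Audit an OpenSSH authorized_keys file for keys not on an allowlist (added example)."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

# Key types sshd accepts as the first field of an entry (after any options).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def fingerprint_of(blob: bytes) -> str:
    """SHA256 fingerprint as printed by ssh-keygen -lf: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class AuthorizedKey:
    options: str     # leading options such as 'command="...",no-pty', or '' if none
    key_type: str
    blob: bytes      # decoded base64 field (the actual key material)
    comment: str     # free text; ssh-keygen defaults it to user@host of the generating machine
    line_no: int

    def fingerprint(self) -> str:
        return fingerprint_of(self.blob)


def _split_options(line: str):
    """Return (options, rest); options end at the first whitespace outside double quotes."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:      # escaped character inside a quoted option value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys text; malformed entries are skipped, as sshd would skip them."""
    keys: List[AuthorizedKey] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split()[0] not in KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:
            continue
        # The blob begins with a length-prefixed type string that must match the text field.
        if len(blob) < 4:
            continue
        (tlen,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + tlen] != parts[0].encode():
            continue
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(AuthorizedKey(options, parts[0], blob, comment, n))
    return keys


def unexpected_keys(text: str, allowlist: Set[str]) -> List[AuthorizedKey]:
    """Keys present in the file whose fingerprint is not on the allowlist."""
    return [k for k in parse_authorized_keys(text) if k.fingerprint() not in allowlist]


def _ed25519_blob(fill: int) -> bytes:
    """Constructed, syntactically valid ssh-ed25519 blob (32 fixed bytes; not a real key)."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32


KNOWN_BLOB, BACKUP_BLOB, ROGUE_BLOB = _ed25519_blob(1), _ed25519_blob(2), _ed25519_blob(3)
_b64 = lambda b: base64.b64encode(b).decode()

# Constructed sample file: two expected keys plus one appended key nobody provisioned.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    "ssh-ed25519 " + _b64(KNOWN_BLOB) + " admin@workstation",
    'command="/usr/bin/rrsync /backup",no-pty ssh-ed25519 ' + _b64(BACKUP_BLOB) + " backup",
    "ssh-ed25519 " + _b64(ROGUE_BLOB) + " user@unknown-host",
    "not-a-key garbage",
])

# Assumed allowlist: fingerprints of the keys the administrator provisioned.
ALLOWLIST = {fingerprint_of(KNOWN_BLOB), fingerprint_of(BACKUP_BLOB)}

if __name__ == "__main__":
    for key in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {key.line_no}: unexpected {key.key_type} {key.fingerprint()} '{key.comment}'")
```

On a real host the allowlist would come from the keys the administrator actually provisioned, and the same check is worth pairing with the file's modification time and ownership, since an appended key changes both the content and the mtime of authorized_keys.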
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.