This article demonstrates how to gain a foothold on a target by adding your SSH public key to the target host, which then lets you authenticate to it with your own SSH private key.
Overview
Some situations where this is useful for getting a foothold on your target:
- You have file upload rights to the .ssh folder of a user on the target machine
- The file upload vector does not allow execution of scripts or code (so a reverse shell is out of the question)
- Example: a web-based file manager that allows file upload but not file execution
Let's go through the steps of this technique.
Generating the SSH key pair
On your main machine, run the following to generate your SSH public/private key pair:
ssh-keygen
By default your public key is saved as id_rsa.pub and your private key as id_rsa (if your ssh-keygen defaults to Ed25519, the files are named id_ed25519.pub and id_ed25519 instead).
Once the keys are generated, copy the contents of id_rsa.pub.
Adding Public Key to Authorized Keys
On your target machine, append the contents of your public key (id_rsa.pub) as a single line to the authorized_keys file of the user you wish to authenticate as:
/home/user/.ssh/authorized_keys
For root, the file is:
/root/.ssh/authorized_keys
Note: if the authorized_keys file does not exist, create it. sshd ignores the file when StrictModes is enabled (the default) and the file or the .ssh directory is writable by anyone other than the owner, so the usual permissions (700 on .ssh, 600 on authorized_keys) matter.
Authenticating with Private key
Now, on your main machine, set the appropriate permissions on your private key:
chmod 600 id_rsa
SSH in with your private key:
ssh -i id_rsa user@host
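From the defender's side, the key appended in the step above is exactly what an authorized_keys audit should catch. The following is an added example (not the article's code): it parses an authorized_keys file, fingerprints each key the way ssh-keygen -l does, and reports every key whose fingerprint is not in an approved baseline, plus any line it cannot parse. The sample file contents and key blobs are constructed and are not real keys.

```python
import base64
import hashlib

# Added example, not the article's code. Common key types OpenSSH accepts in authorized_keys.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[dict]:
    """Parse key lines. The key type is the first token that is a known type,
    so anything before it (e.g. command="...",no-pty) is the options field."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            fp = fingerprint(tokens[idx + 1])  # TypeError if no known type found
        except (TypeError, IndexError, ValueError):  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": "unparseable key line"})
            continue
        entries.append({"line": lineno, "options": " ".join(tokens[:idx]),
                        "type": tokens[idx], "fingerprint": fp,
                        "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit_authorized_keys(text: str, approved: set[str]) -> list[dict]:
    """Entries whose fingerprint is not in the baseline, plus unparseable lines."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in approved]

def constructed_blob(key_type: str, seed: int) -> str:
    """Constructed, not a real key: wire layout of length-prefixed type + 32 bytes."""
    body = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + (32).to_bytes(4, "big") + bytes([seed]) * 32)
    return base64.b64encode(body).decode()

# Constructed sample: one approved admin key, one added key with options, one junk line.
ADMIN_BLOB = constructed_blob("ssh-ed25519", 1)
ROGUE_BLOB = constructed_blob("ssh-ed25519", 2)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {ADMIN_BLOB} admin@workstation
command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_BLOB} unknown
ssh-rsa not*base64 stray
"""
BASELINE = {fingerprint(ADMIN_BLOB)}
```

Running audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE) reports the key on line 3 (with its options and comment) and the unparseable line 4; a real deployment would build BASELINE from the fingerprints of keys that are supposed to be there.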