🔍 Day 22: SMB Enumeration (Continued)
The hunt continues. From a simple file share to a full system compromise, this session demonstrates the power of persistence and lateral movement. 🚩
🔑 3. The SSH Key Discovery
Inside the share, I found a text file mentioning that John Cactus has office timings on SSH. I found a hidden directory called .ssh.
- The Vulnerability: Most directories kicked me out when I tried to
cdinto them, but.sshallowed me in! - The Prize: Inside, I found a public key (
id_rsa.pub) and a private key (id_rsa). I downloaded both.
💻 4. Connecting via SSH
After exiting the SMB client, I had to prepare the private key for the connection.
Step A: Changing Permissions
I ran chmod 600 id_rsa.
- Why? SSH is very strict. It will not allow you to use a private key if it is "shared openly" (meaning other users on your computer can read it).
600makes it private to only you.
Step B: The Connection
I used the -i flag to tell SSH to use my downloaded private key instead of a password.
Command:
ssh -i id_rsa cactus@[TARGET_IP]Note: We always use the private key for the connection. The username
cactuswas found inside the public key file earlier.
🚩 The Final Result
Boom! The connection was successful. Once inside the server, I found the file, used the cat command to read it, and obtained the FLAG 🚩.