> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0147.md).

# Exposed SSH Private Key

***

Discover an exposed SSH private key on a web server, often found during directory enumeration. Threat actors often search for exposed SSH private keys on public web servers using automated scanners or by manually browsing directories. These keys are sometimes accidentally left in publicly accessible locations, such as web server roots or misconfigured file shares. If found, download the key, set appropriate permissions (typically 600), and attempt to use it to authenticate via SSH to the target host using a known or found username.

```bash
dirsearch -u http://TARGET_IP/sitemap
```

If a hidden directory called `.ssh` containing a private key `id_rsa` is discovered, like `/sitemap/.ssh/id_rsa`:

Download the private key `id_rsa` to your machine using `wget`.

```bash
wget http://TARGET_IP/sitemap/.ssh/id_rsa
```

Then change the permissions of the private key to `600` using `chmod 600 id_rsa`. For ssh to work as intended, the private key `id_rsa` needs to be only readable by the owner. Permissions on the private key file should be 600 (`rw-------`). This means that only you can read and write the file, but nobody else has any access to it. The SSH protocol requires that the private key file is not readable by others. Ensure that the private key (`id_rsa`) has permissions 600 (`-rw-------`).

```bash
chmod 600 id_rsa
```

Now, you can use the private key to connect to the server using `ssh -i id_rsa jessie@TARGET_IP`. If you don't know the username, you can try common usernames like `root`, `admin`, `user`, etc.

```bash
ssh -i id_rsa jessie@TARGET_IP
```

When a private SSH key file is exposed, an attacker can use it to gain unauthorized access to the server.
