> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0342.md).

# Discover Ssh Key In Accessible Home Directory

***

After gaining initial shell access as one user (e.g., `jan`), check if you have read/execute access to other user directories within `/home`. If permissions allow, navigate to another user's directory (e.g., `kay`) and list files, paying close attention to permissions (`ls -la`). Often, the `.ssh` directory or its contents (`id_rsa`) might be world-readable or readable by a group you belong to, allowing you to access private SSH keys.

```bash
jan@basic2:/home$ cd kay/
jan@basic2:/home/kay$ ls -la
jan@basic2:/home/kay$ cd .ssh/
jan@basic2:/home/kay/.ssh$ ls -la
jan@basic2:/home/kay/.ssh$ cat id_rsa
```

When examining the `.ssh` directory and the private key file (commonly `id_rsa`), it is crucial to check their specific permissions. The SSH daemon is very particular about file permissions for security reasons. You can use `ls -ld` to check the permissions of the directory itself and `ls -la` for the file.

```bash
jan@basic2:/home/kay/.ssh$ ls -ld .ssh
jan@basic2:/home/kay/.ssh$ ls -la id_rsa
```

For SSH to accept a private key, the `.ssh` directory typically needs permissions of `700` (read, write, execute only for the owner, represented as `drwx------`). The private key file (`id_rsa` or other private key files) needs permissions of `600` (read, write only for the owner, represented as `-rw-------`) or `400` (read only for the owner, represented as `-r--------`). Permissions are critical because SSH keys, even if encrypted, can have their passphrases brute-forced if an attacker gains access to the private key file. If the permissions are set insecurely, for example, if the private key is world-readable (`-rw-r--r--` or `644`), the SSH daemon might ignore the key and refuse authentication, often displaying a warning:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/user/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
Bad permissions.
```

However, an attacker with access to the file system can simply copy the key regardless of whether SSH uses it. If the permissions allow your current user to read the `id_rsa` file, you can extract its contents.

Once the private key is obtained, you can attempt to use it to authenticate as the target user on the same machine or potentially other machines they connect to via SSH. You can use the `ssh` command with the `-i` flag to specify the identity file (the private key).

```bash
jan@basic2:/home/kay/.ssh$ ssh -i id_rsa kay@localhost
```

Replace `localhost` with the target host if trying to connect elsewhere. If the key is not password-protected, or if you can crack the passphrase, you will gain SSH access as the user `kay`.
