SSH
aka OpenSSH
Secure shell on 22. Rarely the direct vuln; the wins come from reused/looted private keys, weak passphrases, and writing to authorized_keys for a stable foothold.
Ports
| Port | Proto | Notes |
|---|---|---|
| 22 | tcp | SSH |
Fingerprint
- Banner reveals the OpenSSH version and OS flavour
- Auth methods (publickey/password) hint at what to try
Key files
| Path | Holds | Sensitive |
|---|---|---|
| ~/.ssh/id_rsa | private key, often the foothold when found via LFI/file-read | sensitive |
| ~/.ssh/authorized_keys | write target for a persistent login | |
| /etc/ssh/sshd_config | auth policy (PermitRootLogin, AllowUsers) | |
| ~/.ssh/known_hosts | lateral-movement targets | |
Default / weak creds
Reused passwords or key passphrases (often the same as a hash you have already cracked)
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2024-6387 | regreSSHion, OpenSSH unauthenticated RCE (race) |
| CVE-2018-15473 | username enumeration |
Exploitation primitives
- Found id_rsa: chmod 600 and log in; crack an encrypted key passphrase with ssh2john + John
- Write your key into ~/.ssh/authorized_keys (e.g. via a file-write primitive) for stable access
- Password spray with hydra/nxc; pivot using known_hosts and agent forwarding
Overview
SSH on 22 is your stable foothold once you have a key or password. Most boxes give it up through a looted private key or a passphrase that matches a hash you already cracked, not a service exploit.
Enumeration
Banner / version:
nc <TARGET> 22
Offered auth methods:
ssh -v user@<TARGET>
Using a found key
Fix key permissions:
chmod 600 id_rsa
Crack the passphrase if the key is encrypted:
ssh2john id_rsa > h && john h --wordlist=rockyou.txt
Log in with the key:
ssh -i id_rsa user@<TARGET>
Hardening
Disable password auth and root login, and keep OpenSSH patched.
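Added example, not code from this page or from the OpenSSH project: a small Python checker that resolves an sshd_config the way sshd does (the first value for each keyword wins, everything after a Match line is conditional) and reports where the global policy differs from the hardening above. The sample config is constructed, and the checker does not follow Include directives, so on hosts that ship /etc/ssh/sshd_config.d/ compare its result against `sshd -T`.

```python
import re

# Constructed sample sshd_config for this example; not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
AllowUsers deploy ops
PasswordAuthentication no    # ignored: sshd keeps the FIRST value it reads
Match User backup
    PermitRootLogin no       # inside a Match block, so not a global setting
"""

# keyword -> (value sshd assumes when unset, value the hardening above wants)
POLICY = {"permitrootlogin": ("prohibit-password", "no"),
          "passwordauthentication": ("yes", "no"),
          "permitemptypasswords": ("no", "no")}

def effective_global_settings(text):
    """Resolve keyword -> value the way sshd does outside Match blocks:
    keywords are case-insensitive, '#' starts a comment, the first
    occurrence of a keyword wins, and everything after a Match line only
    applies to sessions matching that block, so it is skipped here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return (keyword, effective, wanted) for every policy keyword whose
    effective global value differs from the wanted one."""
    settings = effective_global_settings(text)
    findings = []
    for key, (default, wanted) in POLICY.items():
        effective = settings.get(key, default)
        if effective.lower() != wanted:
            findings.append((key, effective, wanted))
    return findings

if __name__ == "__main__":
    for key, effective, wanted in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key}: effective '{effective}', wanted '{wanted}'")
```

On the sample, the late `PasswordAuthentication no` and the `PermitRootLogin no` under `Match` both leave the global policy weak, which is exactly what the checker flags.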