
Unauthorized SSH login to an Apache server

Due to a misconfiguration and the open exposure of sensitive data, I was able to get access to the server.

I started off with my basic recon of this host using nmap.

I have 2 open ports. 22 and 80.

Let's look at what is being hosted on 80

A simple Apache server. No hints here unless we dig deeper into this page (the page source!).

Perfect, we have a username: Jessie, who appears to be an admin of some kind.

We will keep that in our back pocket.

Also, you should have updated your webpage, Jessie…

I continued my enumeration with a scan using Dirbuster and Gobuster. Gobuster is shown below, giving us a more detailed list of directories hosted on this server. Let's dig deeper.

Hmmmmm. Something called a sitemap is being hosted. Let's dig into that and check its subdirectories.

Nice! Some kind of SSH information? Let's see

And we see an id_rsa file!!! This filename is commonly associated with an SSH private key, and further examination shows that it is one!

So, we now have a username (Jessie) and a private SSH key. Let's try logging in via Secure Shell.

I simply saved the key into a new file and used it together with the username.

And we are in!!!

From here, we have full access to anything Jessie can access. After some further recon and setting up persistence, we can get a Netcat connection and exfiltrate sensitive information via a POST request to my own attacker machine.

How to prevent this?

There are several easy ways:

  1. Hide your sensitive data: a private key should never sit in a web-served directory
  2. Code review, since we got a username straight from the server's page source
  3. Implement a firewall to prevent our Nmap scans, or at least attempt to
  4. An IDS/IPS in place could have warned the security admin or even stopped the attack
  5. An approved (allow-listed) IP list for SSH connections
  6. OS updates, as this Apache server is running version 2.4.18 while the current version is Apache 2.4.57
  7. And many others
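Point 1 is the easiest to check for on your own hosts. The following is an added example, not part of the original write-up or any tool it mentions: it walks a web document root and flags anything that looks like a private key, either by a conventional filename (id_rsa, *.pem, ...) or by a PEM private-key header in the file's content. The default root of /var/www/html is an assumption; pass your own as the first argument.

```python
import os
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# Filenames that are private keys by convention, whatever their content.
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
KEY_SUFFIXES = {".pem", ".key", ".ppk"}
# Header of any PEM-encoded private key (RSA, OPENSSH, EC, PKCS#8, encrypted).
PEM_HEADER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def looks_like_private_key(path: Path) -> Optional[str]:
    """Return why a file is suspicious, or None if it looks benign."""
    if path.name in KEY_NAMES or path.suffix.lower() in KEY_SUFFIXES:
        return "key-like filename"
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)  # the PEM header sits at the very start
    except OSError:
        return None  # unreadable files are reported by nothing here
    if PEM_HEADER.search(head):
        return "PEM private-key header in content"
    return None


def find_exposed_private_keys(webroot: str) -> List[Tuple[str, str]]:
    """List (path relative to webroot, reason) for every file under a web
    document root that should never be reachable by anonymous HTTP clients."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reason = looks_like_private_key(path)
            if reason:
                findings.append((str(path.relative_to(root)), reason))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default document root; override with argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    for rel, why in find_exposed_private_keys(root):
        print(f"EXPOSED: {rel} ({why})")
```

Run it from a cron job or a CI step on the deployed web root; a non-empty result is exactly the mistake that handed over Jessie's account here.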