Hey,
I can’t figure out what am I supposed to do with ssh keys. I understand that we need to have the user+pass+ssh_publickey to be able to ssh in. The thing is that I don’t understand how to get the good key and how to log with it.
I tried ssh_audit on the target, and i got this :
Then I looked in the cheat sheet and tried the > ssh -i [key] user@host
I also tried to add them in the .ssh_id file but nothing good came out.
So if someone could show me the way to go it would be nice. Thx.
I need more information about all the things that you did over this lab. To know how I could help you.
Do you found the ssh key over the server? Do you actually enumerate the server and identified the services that it run? Or what you have done so far?
With nmap I see that there is 2 FTP servers running on 21 and 2121. I log in with ceil’s creds but I can’t really do anything (same on both):
So is use this, so maybe it will work but I get an empty folder.
There is also DNS on 53 and a ssh server running on 22 :
I tried to log in with ceil’s creds but the server tells me that I need a key.
And i’m stuck here, I use ssh_audit on it but I don’t really know to proceed with the informations I obtain. I don’t see what specific permissions the hint relate to.
Ok, I see. Well you still didn’t got ssh key for now. Don’t worry about of the ssh service for now, only focus now over the 21 and 2121 port.
The key that you need to ssh on the server is locate in the ftp server. As you can see the server seems that it has 2 ftp servers, but no. The 21 port is the port of the real ftp server, and the 2121 port is only a proxy for ftp server. Try to research about this proxy and how it works. That’s the hint, the ssh key is in the ftp server, don’t worry if the commands don’t work in the ftp server and don’t see any output on the commands that you issue in the ftp server. Try found the way to download all the files that’s stored in the the ftp server and you will get it.
And as I said, research about over this ftp proxy or 2121 port.
That’s all. Again forget for now the ssh service and only focus on the ftp server. If you still stuck telling me.
Do you got it?
Yes I got the key and now i’m in !
Your tips helped me.
Thanks for your time 
hi I’m trying with metasploit with proftpd I continue like this?
Mmmm idk, when I solved this lab never I used metasploit. I suggest for you, don’t use metasploit, at least over these labs. Because you need understand how to exploit manually these labs. Is only a suggest, if you want solve this labs with metasploit it’s fine. But if you exploit these labs manually, you will gain more knowledge and experience.
If you need/want more hints let me know it. 
yes ho quasi risolto sono vicino alla soluzione
I am stucked at this point, at this moment, by researching for proxy or 2121 I have to brute force ceil’s password.
I see that I can interact with the service, but every command that I try, ask me to login 
Try to reread the FTP section. And try to found something useful that help you to found the ssh key in the FTP server. A hint for you is that you don’t need to bruteforcing nothing.
HI I’ve downloaded all the FTP server with the wget command but the directory is empty, i don’t know what to do. Please help me
I tried to search information on the 2121 port but i couldn’t find anything that could help me
have you tried all the commands from the cheat sheet under ftp?? 
I used the hint given by HTB Academy which is the password of the user “ceil”. I also did a dictionary attack using the “rockyou.txt” and also got the password, but I don’t know if there is another way to get the password of “ceil”. Does anyone know another way?
As another user on the forum said, the “id_rsa” is inside one of the two FTP servers that you will get if you use a HTB cheatsheet command to download all the files (hidden and non-hidden) from the FTP.
You will then use that key to connect via SSH… Note that the hint says something about the “id_rsa” needs specific permissions to work.
Hey! I need help I got the public and private key from FTP but this is what I got when I tried to transfer the key to the remote server and ssh: identity_sign: private key /home/kali/.ssh/id_rsa contents do not match public
ceil@10.129.23.7: Permission denied (public key).
Thank you
When i use wget -m ...etc the folder is empty. Can you give me a hint?
Hey guys, for some reason I can’t find the shh keys stored in the FTP server. I understand we are suppose to download all files from the proxy ftp server (2121) but I’m not seeing any keys when after I wget, then ls -la on my machine. I may be missing something simple here.
Did you ever get an answer to this question? I finished the lab, but I needed to use the hint. I made attempts at brute forcing but couldn’t find anything. Not sure how this is done. It’d be great to know.