Pivot to the Database: SSH Lateral Movement from a Web Server

Network & Infrastructure Level 5/5 ~10 min 2026-06-26

The challenge

You have a shell on web01, the public web server. The database lives on a separate box you can only reach from inside. Find the way across, pivot to it, and read the secret the database is hiding.

What you'll learn

  • Recognize that a foothold on a public web server is rarely the goal - the real data lives on segmented internal hosts you must pivot toward.
  • Read an SSH client config (~/.ssh/config) to discover the next host, the user to log in as, and the exact private key that authenticates you.
  • Use a discovered private key to authenticate to an internal host without a password, since the key itself replaces the password.
  • Understand why database backups (mysqldump output) are high-value loot that often contain plaintext secrets the live database protects.
  • Map an internal network from artifacts already on the box: /etc/hosts entries, app config files, and known_hosts records.

Skills tested

SSH lateral movement and host-to-host pivotingCredential and private-key discovery on a compromised hostInternal network reconnaissance from local config filesIdentifying sensitive data left in database backups

Prerequisites

  • Comfort moving around a Unix shell (cd, ls, cat) and reading dotfiles in a home directory.
  • Basic familiarity with how SSH key-based authentication works (private key on the client, public key on the server).

How it works

Lateral movement is the step after the first break-in. You rarely land where the valuable data sits. Here you start as www-data on web01, a public-facing web server. The database is deliberately placed on a separate box that only accepts connections from inside the network, so it is invisible from the outside. The whole challenge is finding the bridge that the application's own operators already built between the two machines.

Common mistakes

  • Treating the web server as the destination. The flag is never on web01 - stopping there and grepping the web root for a secret wastes the whole budget.
  • Ignoring the ~/.ssh directory. The client config, the private key, and the known_hosts entry together hand you the host, the user, and the means to log in - skipping them leaves you guessing IPs and usernames.
  • Trying to brute-force a password or supply one to ssh. With a deploy key in place, no password exists - the key is the credential.
  • Forgetting that the database itself can stay locked while its backup leaks everything. After pivoting, the loot is in a plain-text dump file, not behind a live database login.

How to defend against it

The root cause is a private key sitting on a reachable, internet-facing host. A key on web01 is a pivot waiting to happen: anyone who lands there inherits a passwordless route straight onto the database box. Keys used for deployment should never live on the servers attackers reach first - issue them from a controlled deploy pipeline, give each one the narrowest possible scope (a forced command, a single host, no interactive shell), and rotate them on a schedule.

The second failure is treating a database backup as less sensitive than the database. The dump contained secrets in clear text that the running database would have guarded. Backups deserve the same controls as production data.

  • Segment the database so only an application service account - not an interactive admin user - can reach it, and enforce that boundary at the network layer, not just by convention.
  • Scope SSH keys with command= and from= restrictions in authorized_keys; prefer short-lived certificates over long-lived private keys.
  • Encrypt backups at rest, store them off the database host, and restrict who can read them.
  • Never commit or deploy private keys alongside application code or web roots.

Full solution

Pro and Max members unlock the complete step-by-step walkthrough.

Go Pro

Community stats

42 completions
71% success rate
ediopaulo0x6f First blood

Related Daily Hacks

16,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free