SSH Forward Agent exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Muhtasari

Je, unaweza kufanya nini ikiwa utagundua ndani ya /etc/ssh_config au ndani ya $HOME/.ssh/config usanidi huu:

ForwardAgent yes

Ikiwa wewe ni root ndani ya mashine unaweza pengine kupata ufikiaji wa muunganisho wowote wa ssh uliofanywa na wakala yeyote ambao unaweza kupata katika /tmp directory

Jitambulisha kama Bob ukitumia mmoja wa wakala wa ssh wa Bob:

SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

Kwa nini hii inafanya kazi?

Unapoweka variable SSH_AUTH_SOCK unapata funguo za Bob ambazo zimetumika katika muunganisho wa ssh wa Bob. Kisha, ikiwa funguo yake ya faragha bado ipo (kawaida itakuwa), utaweza kufikia mwenyeji yeyote kwa kutumia hiyo.

Kwa kuwa funguo ya faragha imehifadhiwa katika kumbukumbu ya wakala bila usimbaji, nadhani kwamba ikiwa wewe ni Bob lakini hujui nenosiri la funguo ya faragha, bado unaweza kufikia wakala na kuitumia.

Chaguo lingine, ni kwamba mtumiaji mwenye wakala na root wanaweza kuwa na uwezo wa kufikia kumbukumbu ya wakala na kutoa funguo ya faragha.

Maelezo marefu na unyakuzi

Angalia utafiti wa asili hapa

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousSplunk LPE and Persistence NextWildcards Spare tricks

Last updated 7 days ago