hacktricks/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md
Carlos Polop 245b50b5a0 a
2024-02-08 22:36:35 +01:00

3.3 KiB

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Summary

What can you do if you discover inside the /etc/ssh_config or inside $HOME/.ssh/config configuration this:

ForwardAgent yes

If you are root inside the machine you can probably access any ssh connection made by any agent that you can find in the /tmp directory

Impersonate Bob using one of Bob's ssh-agent:

SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

Why does this work?

When you set the variable SSH_AUTH_SOCK you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it.

As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it.

Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key.

Long explanation and exploitation

Check the original research here

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: