peace-maker · 2025-01-30T10:41:01Z

Use a netcat process on the remote to connect to the specified host:port and tunnel the traffic using normal ssh.process I/O.

This was inspired by the "Circumventing Disabled SSH Port-Forwarding with a Multiplexer" article by @guysv in the Paged Out! zine no. 5.

from pwn import *
io_ssh = ssh('hacker', 'pwn.college', keyfile=os.path.expanduser('~/.ssh/id_ed25519'), raw=True)
io = gdb.debug('/challenge/some_challenge', ssh=io_ssh)
io.interactive()

Debugging works now instead of throwing a paramiko.ssh_exception.ChannelException: ChannelException(1, 'Administratively prohibited') exception on pwn.college.

@guysv

…ding` is disabled Use a netcat process on the remote to connect to the specified host:port and tunnel the traffic using normal `ssh.process` I/O. This was inspired by the "Circumventing Disabled SSH Port-Forwarding with a Multiplexer" article by @guysv in the Paged Out! zine no. 5. It allows to use `gdb.debug(arg, ssh=ssh)` to debug processes on pwn.college.

pwnlib/tubes/ssh.py

Co-authored-by: Xeonacid <h.dwwwwww@gmail.com>

guysv · 2025-02-14T01:49:44Z

pwnlib/tubes/ssh.py

+                if parent.which('nc'):
+                    ncat = 'nc'
+                elif parent.which('ncat'):
+                    ncat = 'ncat'


maybe add a fallback to bash's /dev/tcp? might be worth checking out.

chatgpt crafted

bash -c 'exec 3<>/dev/tcp/localhost/1337; cat <&3 & cat >&3; kill $!'

to connect to localhost:1337 (tying stdin & stdout)

peace-maker force-pushed the ssh_connector_netcat branch 2 times, most recently from dc0ec3c to 1323dc5 Compare January 30, 2025 10:53

peace-maker added 2 commits January 30, 2025 11:57

Update CHANGELOG

306a859

peace-maker force-pushed the ssh_connector_netcat branch from 1323dc5 to 306a859 Compare January 30, 2025 10:57

Xeonacid reviewed Jan 31, 2025

View reviewed changes

pwnlib/tubes/ssh.py Outdated Show resolved Hide resolved

Lookup netcat command too

6f25755

Co-authored-by: Xeonacid <h.dwwwwww@gmail.com>

guysv reviewed Feb 14, 2025

View reviewed changes

peace-maker added 2 commits March 30, 2025 12:25

Merge branch 'dev' into ssh_connector_netcat

d0aa1ab

Try connecting using bash /dev/tcp too

75e0af3

peace-maker merged commit 6954b03 into Gallopsled:dev Mar 30, 2025
12 of 13 checks passed

peace-maker deleted the ssh_connector_netcat branch March 30, 2025 11:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add `ssh -L` / `ssh.connect_remote()` workaround when `AllowTcpForwarding` is disabled#2538

Add `ssh -L` / `ssh.connect_remote()` workaround when `AllowTcpForwarding` is disabled#2538
peace-maker merged 5 commits intoGallopsled:devfrom
peace-maker:ssh_connector_netcat

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants