ssh-forward-agent-exploitation.md

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %} {% endhint %} {% endhint %}

Summary

What can you do if you discover inside the /etc/ssh_config or inside $HOME/.ssh/config configuration this:

ForwardAgent yes

If you are root inside the machine you can probably access any ssh connection made by any agent that you can find in the /tmp directory

Impersonate Bob using one of Bob's ssh-agent:

SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston

Why does this work?

When you set the variable SSH_AUTH_SOCK you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it.

As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it.

Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key.

Long explanation and exploitation

Check the original research here {% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %} {% endhint %} {% endhint %}