VissJun 6
so i dunno if you knew you could do this, but its helpful in a lot of hilarious/dumb scenarios
Show threadda_667Jun 6
@Viss what's even more fun is that if you have root on a device, you can pipe it out to local tty terminals and remote pts terminals and effectively DOS the box.
Show threadViss

@da_667 hahahaha dude for a talk i did at securityfest last year, i think i even pointed out that you can change the shell of a user to a bash script instead of /bin/bash or whatever..

you can like
echo "curl parrot.live" > /tmp/fucktardia.sh
chmod +x /tmp/fucktardia.sh
chsh loser
(aim it at /tmp/fucktardia.sh)
user loser now sshes into a box and gets party parrot.

control c? connection drops.
i am currently unaware of a way to bypass that, but if we find one, we should tell @bagder

Jun 6 at 1:07amWeb
Show threadda_667Jun 6

@Viss @bagder command execution on ssh login

ssh [username]@box /bin/sh

[auth to box]

get a a shell with no pty, that doesn't show up in w or who output.

Show threadda_667Jun 6
@Viss @bagder this is also an effective way to bypass appliances that use restricted shells if they are too stupid to leave sh, bash, etc. reachable and don't disable the ssh config option that allows command exec on SSH auth.
Show threadda_667Jun 6
@Viss @bagder fun fact: I used this to solve an over the wire challenge some time ago. I'm not sure it was the right way, but yolo.
Show threadEd "☃️" Marczak “‘;%:.$}])\n\tJun 7

@da_667 @Viss There’s an effective way to combat that if you’re using keys for auth:

https://dan.langille.org/2025/04/17/using-ssh-authorized-keys-to-decide-what-the-incoming-connection-can-do/

Show threadVissJun 7
@marczak @da_667 is this example setup using a shellscript as the users shell?
Show threadEd "☃️" Marczak “‘;%:.$}])\n\t6d ago
@Viss I will test that during this week. (But my best guess is yes, it will still work in that case.)
Show threadEd "☃️" Marczak “‘;%:.$}])\n\t6d ago
@Viss tested, and the specified shell still runs first. So, your method is useful for keeping people out/screwing around. The authorized_keys command is useful if you’re actually trying to restrict a valid user. @da_667