kali-mx / CVE-2023-38408

PoC for the recent critical vulnerability affecting OpenSSH versions < 9.3p2
31 stars 7 forks

RCE ? #2

Closed scotch123 closed 7 months ago

scotch123 commented 7 months ago

One question. How is this an RCE if I still need credentials such as username/password to access the vulnerable server? I mean, let's say I have an IP with a vulnerable OpenSSH version for this exploit. How do I access the server if I don't have any username/password?

kali-mx commented 7 months ago

This RCE is possible under a certain set of conditions. The PoC provided by THM's lab with creds was simply for convenience of setup. Think “assumed breach”. The attacker must have local or remote access to the server running the ssh-agent. Cases like an inside job, disgruntled employee, or even an attacker who has established a foothold and is looking for a privesc attack vector.
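Since the thread turns on whether a given host is actually running an OpenSSH build below the 9.3p2 threshold stated in the repository description, here is a small version check. This is an added example written for this page, not code from the kali-mx repository or the THM lab; it only parses the banner that `ssh -V` prints (or that a server sends as `SSH-2.0-OpenSSH_x.y`) and compares it against 9.3p2. The helper names and the sample banners are my own.

```python
import re
import subprocess

# OpenSSH 9.3p2 is the first version the repository description lists as unaffected.
FIXED_VERSION = (9, 3, 2)


def parse_openssh_version(banner):
    """Return (major, minor, patchlevel) from an OpenSSH banner, or None.

    Accepts client output such as 'OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11'
    and server identification strings such as 'SSH-2.0-OpenSSH_7.4'.
    A missing 'pN' suffix is treated as patchlevel 0.
    """
    match = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_below_fix(version):
    """True if the parsed version tuple is older than 9.3p2."""
    return version < FIXED_VERSION


def check_banner(banner):
    """Convenience wrapper: parse a banner and report whether it is below 9.3p2.

    Returns None when no OpenSSH version is present in the banner.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return is_below_fix(version)


def local_ssh_version():
    """Run `ssh -V` on this machine and parse its banner (it is printed on stderr)."""
    result = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    return parse_openssh_version(result.stderr + result.stdout)


if __name__ == "__main__":
    local = local_ssh_version()
    if local is None:
        print("could not determine local OpenSSH version")
    else:
        state = "below 9.3p2" if is_below_fix(local) else "9.3p2 or newer"
        print(f"local OpenSSH {local[0]}.{local[1]}p{local[2]}: {state}")
```

One caveat a practitioner will want: distributions often backport fixes without bumping the upstream version string, so a banner below 9.3p2 means "check the package changelog", not "confirmed vulnerable".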

scotch123 commented 7 months ago

Got it, many thanks ;) ;x