Scenario: Suppose we have gained SSH access (not as the root user) to a server and are trying to find a way to escalate privileges. Obviously there are many places to look for vulnerabilities, but here I want to show how a bit of SSH black magic can be useful.
There might be processes that listen only on localhost («inside» the server), not visible from the outside world, and these can be really useful for privilege escalation. For instance MySQL might be running on its default port 3306, a Solr server on 8983, or a Tomcat server on some other port. We can list the open ports on localhost by typing ss -tunlp (I use this command because we might not have access to other tools such as netstat or lsof).
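The output of ss -tunlp is easy to eyeball on a small box but tedious on a busy one. The script below is an added example (not part of the original post) that filters that output down to the sockets bound only to a loopback address, i.e. the services that are invisible from the network but reachable by anyone with a shell on the host, which is exactly the set a defender should review for missing authentication. The ss output embedded in SAMPLE_SS is constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample of `ss -tunlp` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=1023,fd=21))
tcp   LISTEN 0      511        127.0.0.1:5601       0.0.0.0:*     users:(("node",pid=2210,fd=18))
tcp   LISTEN 0      128            [::1]:631            [::]:*     users:(("cupsd",pid=604,fd=7))
udp   UNCONN 0      0       127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolve",pid=540,fd=12))'

# loopback_listeners: read `ss -tunlp` output on stdin and print one line
# per socket bound only to a loopback address, as "<proto> <port> <process>".
# Sockets on 0.0.0.0 / [::] are skipped because they are already network-visible.
loopback_listeners() {
    awk '
        NR == 1 { next }                       # skip the header row
        {
            laddr = $5                         # "Local Address:Port" column
            n = split(laddr, parts, ":")       # port is everything after the last colon
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            sub(/%.*/, "", addr)               # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") {
                proc = "-"
                # first quoted name inside users:(("name",pid=...)) is the process
                if (match($0, /\("[^"]+"/))
                    proc = substr($0, RSTART + 2, RLENGTH - 3)
                print $1, port, proc
            }
        }'
}

# loopback_listener_count: number of loopback-only sockets in the sample.
loopback_listener_count() {
    printf '%s\n' "$SAMPLE_SS" | loopback_listeners | grep -c .
}

# On a real host replace the sample with:  ss -tunlp | loopback_listeners
printf '%s\n' "$SAMPLE_SS" | loopback_listeners
```

On the sample this prints four lines (tcp 3306 mysqld, tcp 5601 node, tcp 631 cupsd, udp 53 systemd-resolve) and omits sshd, which already listens on all interfaces. Each entry is a service whose only protection is the assumption that nothing untrusted runs on the box; if it has no authentication of its own, that assumption is the finding.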
Let’s say we get a result of 127.0.0.1:5601, which means a process is listening on localhost on port 5601. A quick Google search shows that this is the default port of Kibana.
This is a good start, because if we can reach Kibana it might be vulnerable to CVE-2018-17246.
And this is exactly where SSH black magic helps: it enables us to reach a process that is accessible only via the server’s localhost. If we open a terminal and run
ssh -L 5601:localhost:5601 <username>@<serversip>
and provide the password for that user, we can now access the process running on the server by opening localhost:5601 in the browser on our own client.
Basically the command means: when I connect to localhost:5601 on my computer, forward that connection through the SSH session to port 5601 on the SSH server (the «localhost» in the -L argument is resolved on the server’s side, not ours).