قالب وردپرس درنا توس
Home / Tips and Tricks / How to Escape Restricted Shell Environments on Linux «Null Byte :: WonderHowTo

How to Escape Restricted Shell Environments on Linux «Null Byte :: WonderHowTo



The moment comes when you finally put a shell on the web server you were working on. Only you are in a strange environment with limited functionality. Restricted grenades are often used as an extra line of defense and can be frustrating for an attacker when encountered. However, with enough patience and perseverance, it is possible to escape these restricted environments.

What are restricted clams?

Restricted shells are simply shells with restricted permissions, functions, or commands. They are primarily used to ensure that users can perform the minimum operations necessary for daily function in a safe, enclosed environment. Administrators can also use them to make sure they don̵

7;t accidentally enter dangerous commands. Sometimes these restricted grenades are even used to dissuade hackers.

The most common types of restricted shells are just normal shells with certain restrictions, such as: B. rbash, rksh and rzsh. Other types can be better configured to meet specific needs and tighten restrictions, such as: B. lshell and rssh.

Environmental education

The first step in escaping restricted clams is to gather information about the area. Some of the most basic commands to try first are: ls, CD, pwd, and echo. Most of the time, when these commands are restricted, you will get an error with the type of restricted shell we are in (most of the time this is rbash).

Next, try to get a list of the available commands by clickingtab press twice. We can also try listing binaries in /Container, / usr / bin, and / usr / local / bin if ls is available. Alternatively, we can use globbing to list directory contents when echo is available like:

echo /usr/bin/*

It’s also important to look for operators and escape characters like the following:

> >> < | & ; : ' " `

Shell version too:

$(whoami)
${whoami}

We can look for files with SUID permissions and commands to run us with sudo This allows us to escalate the permissions. All programming languages ​​present on the system also have a good chance of removing restrictions.

If we can copy files into our path, we can work around limitations by using binary files with well-known escapes or by writing our own script. For more information about the environment we are in, try commands like env or printenv.

Method 1: text editors

The first technique we'll look at for escaping restricted shells is with text editors. Most text editors like vim, vi, nano, pico, ed etc. can execute commands and scripts in it. The following commands can be used to possibly generate a shell:

:!/bin/sh
:shell
:set shell=/bin/sh

Also, try different shells - sh or bash might be blocked, but zsh might not. This is often defended, but it is worth a try as it is such a simple method of exploitation.

Method 2: pager

Similar to text editors, pagers can also be used to execute commands. Pagers are simply utilities that control output that is too long to fit on the screen. The most popular of these are fewer and More. Just open a file that is too long to fit on a page and run the following commands in the utility:

!/bin/sh
!/bin/bash
!bash

The Linux man Command is also prone to this type of escape as it is used fewer or More as a standard pager.

Method 3: programming languages

The next method we can use to break out of restricted shells is to abuse all programming languages ​​present on the system. Sometimes when certain operators are blocked this technique doesn't work very well, but usually it can be very effective for escapes. Here are some common ways to create a shell.

Python:

import os; os.system("/bin/sh")

PHP:

exec("sh -i");

Pearl:

exec "/bin/sh";

Ruby:

exec "/bin/sh"

Contact:

os.execute("/bin/sh")

Of course, other programming languages ​​can have their own ways of executing local commands and creating shells.

Method 4: miscellaneous

There are a variety of other methods for escaping restricted clams, but we'll examine some of the most popular ones here.

If the awk Command can be executed, a shell can be generated with the following:

awk 'BEGIN {system("/bin/sh")}'

The Find The command can try to generate a shell with the following command:

find / -name foobar -exec /bin/sh ;

The expect Command can create a shell with its own spawn function. First, let yourself drop into anticipation by typing expect in the terminal. Then enter Spawn sh, and finally Sch. If this is successful, we are now in an interactive shell.

By using teawe can create a script in scenarios where no text editors are available and redirect characters are blocked:

echo "bash -i" | tee script.sh

Older versions of nmap had an interesting feature called interactive mode. It is rare to find this these days, but when you come across it it's easy to open an interactive shell with the following features:

nmap --interactive
nmap> !sh

If SSH access is available but you are placed in a restricted shell, you can connect using the following options to escape:

ssh user@IP -t "bash --noprofile"
ssh user@IP -t "/bin/sh"

Wrap up

In this tutorial, we became familiar with restricted shells and how they can be used to secure environments. We then learned how to list the environment to see what we are doing and what we do not have access to. Next, we covered various techniques to break out of these constrained environments using text editors, pagers, programming languages, and more. Pretty easy overall, isn't it?

Would you like to make money as a hacker with a white hat? Start your white hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and receive over 60 hours of training from ethical hacking professionals.

Buy now (90% discount)>

Cover photo by Jimmy Chan / Pexels; Screenshots of drd_ / Null Byte

Source link