The moment arrives when you finally pop a shell on the web server you've been working on, only you find yourself in a strange environment with limited functionality. Restricted shells are often used as an additional line of defense and can be frustrating for an attacker to stumble upon. But with enough patience and persistence, it is possible to escape these restricted environments.
What Are Restricted Shells?
Restricted shells are simply shells with restricted permissions, features, or commands. They are primarily used to ensure that users can perform the minimum operations necessary for daily function in a secure, contained environment. Administrators might also use them to make sure they don't enter any dangerous commands accidentally. Sometimes, these restricted shells might even be put in place to dissuade hackers.
- Recommended Book on Amazon: The Linux Command Line, 2nd Edition: A Complete Introduction (Illustrated Edition)
The most common types of restricted shells are just normal shells with certain limitations in place, such as rbash, rksh, and rzsh. Other types can be configured more to suit certain needs and tighten restrictions, like lshell and rssh.
Environment Recon
The first step to escaping restricted shells is gathering information about the environment. Some of the most basic commands to initially try out are ls, cd, pwd, and echo. Most of the time, if these commands are restricted, an error will show up with the type of restricted shell we are in (most of the time, this is rbash).
Next, try getting a list of available commands by hitting theTab key twice. We can also try listing binaries in /bin, /usr/bin, and /usr/local/bin if ls is available. Alternatively, we can use globbing to list directory contents if echo is available, like:
echo /usr/bin/*
It is also important to check for operators and escape characters such as the following:
> >> < | & ; : ' " `
Also shell execution:
$(whoami)
${whoami}
We can check for any files with SUID permissions and any commands we can run with sudo that will allow us to escalate privileges. Any programming languages present on the system also have a good chance of letting us break restrictions.
If we can copy files into our path, we can bypass restrictions by using binaries with known escapes or by writing our own script. To get other information about the environment we are in, try commands like env or printenv.
Method 1: Text Editors
The first technique we'll look at to escape restricted shells is through text editors. Most text editors, like vim, vi, nano, pico, ed, etc., can run commands and scripts inside of them. The following commands can be used to potentially spawn a shell:
:!/bin/sh
:shell
:set shell=/bin/sh
Make sure to try different shells, too — sh or bash might be blocked, but zsh might not be. A lot of times this is defended against, but it's worth a try since it is such an easy method of exploitation.
Method 2: Pagers
Similar to text editors, pagers can be used to run commands as well. Pagers are simply utilities that control output that is too long to fit on-screen. The most popular of these are less and more. Simply open a file that is too long to be displayed on one page, and try the following commands inside the utility:
!/bin/sh
!/bin/bash
!bash
The Linux man command is also prone to this type of escape since it uses less or more as default pagers.
Method 3: Programming Languages
The next method we can use to break out of restricted shells is by abusing any programming languages that are present on the system. Sometimes, if certain operators are blocked, this technique won't work very well, but usually, it can be very effective for escapes. Here are some common ways to spawn a shell.
import os; os.system("/bin/sh")
PHP:
exec("sh -i");
Perl:
exec "/bin/sh";
Ruby:
exec "/bin/sh"
Lua:
os.execute("/bin/sh")
Of course, other programming languages can have their own ways to execute local commands and spawn shells.
Method 4: Miscellaneous
There are a variety of other methods to escape from restricted shells, but we'll explore some of the more popular ones here.
If the awk command can be run, a shell can be spawned with the following:
awk 'BEGIN {system("/bin/sh")}'
The find command can attempt to spawn a shell with the following command:
find / -name foobar -exec /bin/sh \;
The expect command can spawn a shell using its own spawn function. First drop into expect by typing expect in the terminal. Then, type spawn sh, and finally sh. If successful, we'll now be in an interactive shell.
By using tee, we can create a script in scenarios where text editors aren't available and redirect characters are blocked:
echo "bash -i" | tee script.sh
Older versions of nmap have an interesting feature called interactive mode. It's rare to find this nowadays, but if you do come across it, it's easy to open an interactive shell with the following:
nmap --interactive
nmap> !sh
Finally, if SSH access is available but drops you into a restricted shell, connecting with the following options can be used to escape:
ssh user@IP -t "bash --noprofile"
ssh user@IP -t "/bin/sh"
Wrapping Up
In this tutorial, we learned about restricted shells and why they are used to secure environments. We then learned how to enumerate the environment to determine what we do and don't have access to. Next, we covered various techniques to break out of these restricted environments utilizing text editors, pagers, programming languages, and more. Overall, pretty easy, right?
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
4 Comments
Thanks for sharing this good and helpful stuff, these are good for privilege escalation
Do you have any method that could help me read a file after symlinking it?
For example a file which has permissions of another user on the same webserver
You could try using certain binaries on the server to read files, among other things - check out gtfobins if you haven't already.
ok, Im going to give it a try .. thanks
Share Your Thoughts