Friday, 12 July 2019

Escaping restricted Linux shells like a boss

Good day to all. In this blog post we will discuss some/all methods of bypassing/escaping a restricted Linux shell (rbash), but before that, here are the basics.

What is a Restricted Shell?
It is just a shell which imposes some restrictions on a user's ability to run commands and only allows them to run some specific commands.

A restricted shell may impose restrictions such as the following:

  1. It may block commands like cd/ls/echo/cp etc.
  2. It may block output redirection operators like > and >>, or commands starting with a slash ( / )
  3. It may set or unset certain environment variables as well.

But why are restricted shells used?
Restricted shells are used mainly to limit a worker's access, to keep hackers out, or simply to increase security.

Enumeration is the key
Our first step when dealing with restricted shells is to enumerate the environment. This is the key step, since it is what will help us bypass the shell. Here are the steps you should follow while enumerating:

  1. Check for basic commands like cd/ls/echo and note the ones that work.
  2. Check whether the redirection operators work ( >, >> )
  3. Always check sudo -l, at every step
  4. Check which programming languages are available ( python/perl/ruby ) etc.
  5. Run the env command for basic details like your path, current shell, user etc.

Here is a practical demonstration of the steps involved in enumeration. Since it is a CTF challenge and users are prohibited from posting solutions online, I will hide the necessary details.

In the above screenshot you can see that I tried the commands ls, echo and cd, out of which echo was found to be working. For those who don't know, echo can be used as an alternative to ls by running echo *. I found that there are three directories ( hidden by blue line ), so I started looking at the directory contents and found that I could see the contents of only one directory. Luckily we found vim here.

Basic Exploitation
Halfway through our enumeration we found echo to be working and a directory containing vim. Your case might be different. Here are the basic techniques you should try right after enumerating, depending on what you found.

  1. If slashes ( / ) are working for you, then you can bang your head on the wall, because you can directly run /bin/bash or /bin/sh and escape rbash immediately.
  2. If cp works, then copy /bin/sh or /bin/bash into your directory right away.
  3. If you find editors like vi or vim, then you can spawn a shell directly from within them. Just open the editor and type :! /bin/bash, or :set shell=/bin/bash followed by :shell. Here's a demo from our target:
  4. If you are able to run awk on your target, then you can get a shell from it by running this on the target (use /bin/bash in place of /bin/sh if you prefer) - awk 'BEGIN {system("/bin/sh")}'
  5. If you are able to run commands like more, man or less, then you can use them too. Just open a file with more/man/less and then type either of these - !/bin/bash or !/bin/sh
  6. Step 5 above also applies to ftp and gdb.

Exploitation Using Programming Languages

Let's get back to our target. Since we got a shell using vim, we can now run sudo -l for further enumeration.

Here's what our target yielded when I ran the command /usr/bin/sudo -l.
With this we can conclude that sudo allows you to run python. Here's how you can use python to escape: /usr/bin/sudo -u user /usr/bin/python

You'll land in the interpreter. Type these two commands there:

import os
os.system("/bin/bash")

And it'll get you a bash shell. You can also run this directly:

/usr/bin/sudo -u user /usr/bin/python -c 'import os; os.system("/bin/sh")'

Here's how you can escape with other programming languages as well:

  1. PHP : php -a and then exec("sh -i")
  2. Perl : perl -e 'exec "/bin/sh";'
  3. Ruby : ruby -e 'exec "/bin/sh"'
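
Seen from the defender's side, every technique in the two lists above depends on one particular binary being reachable from the restricted shell. The script below is an added example, not part of the original post: it audits the directory a restricted user's PATH points to and flags entries whose name, or whose symlink target, is one of the tools listed here. The function names, the gawk/mawk entries and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the command directory of a restricted (rbash) account.
# Flags tools this post lists as shell-capable: editors, pagers, awk, ftp,
# gdb, cp, interpreters and the shells themselves.

# is_escape_tool NAME: succeeds if NAME is on the list. Interpreter names are
# prefix-matched (python3.8, perl5.30), which deliberately over-flags.
is_escape_tool() {
    case "$1" in
        vi|vim|vim.*|more|less|man|ftp|gdb|cp|sh|bash) return 0 ;;
        awk|gawk|mawk) return 0 ;;   # gawk/mawk: common awk implementations (assumption)
        python*|perl*|ruby*|php*) return 0 ;;
    esac
    return 1
}

# audit_rbash_dir DIR: prints "entry -> resolved-name" for each risky entry.
# Symlinks are resolved so that a renamed link (edit -> vim) is still caught.
audit_rbash_dir() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue            # empty dir or dangling link
        link_name=$(basename "$entry")
        real_name=$(basename "$(readlink -f "$entry")")
        if is_escape_tool "$link_name" || is_escape_tool "$real_name"; then
            printf '%s -> %s\n' "$link_name" "$real_name"
        fi
    done
    return 0
}

# make_sample_dir: builds a constructed directory (not from the post) that
# mimics a restricted PATH, and prints its location.
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/ls" "$d/date" "$d/vim" "$d/python3.8"
    ln -s "$d/vim" "$d/edit"                   # innocuous-looking alias
    printf '%s\n' "$d"
}

# Audit the directory given as $1, or the constructed sample if none is given.
audit_rbash_dir "${1:-$(make_sample_dir)}"
```

Name matching misses binaries that were copied under another name, so treat an empty report as a starting point and compare file hashes against the real tools as well.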

So this is where we call it a day, folks. Make sure to share this post if you learnt something from it. I'll meet you guys in the next post; until then, have a safe hack.


  1. Bro great topic python -c is just like a magic wand in many places.

    Thanks for this great article

    1. You're welcome man. Thanks for appreciation it keeps me pushing.

  2. Nice Article bhaiya! KrugerSnipesHard

  3. I don't know much but I want to ask. Can we this as privilege escalation?
