Friday, 12 July 2019

Escaping restricted Linux shells like a boss


Good day to all. In this blog post we will discuss some of the methods of bypassing or escaping a restricted Linux shell (rbash), but before that, here come the basics.

What is a Restricted Shell?
It is just a shell which imposes some restrictions on a user's ability to run commands and only allows them to run some specific commands.

A restricted shell may impose restrictions such as the following:

  1. It may block commands like cd/ls/echo/cp etc.
  2. It may block output redirection (>, >>) or commands starting with a slash ( / ).
  3. It may set or unset certain environment variables as well.

But why are restricted shells used?
Restricted shells are used mainly to limit what a worker can access, to keep attackers out, or simply to increase security.

Enumeration is the key
Our first step when dealing with a restricted shell is to enumerate the environment. This is the key step, since what we find here is what lets us bypass the shell. Here are the steps you should follow while enumerating:


  1. Check for basic commands like cd/ls/echo and note which ones work.
  2. Check whether the redirection operators ( >, >> ) work or not.
  3. Always check sudo -l at every step.
  4. Check which programming languages are available ( python/perl/ruby ) etc.
  5. Run the env command for basic details like your PATH, current shell, user etc.

Here is a practical demonstration of the steps involved in enumeration. Since it is a CTF challenge and users are prohibited from posting solutions online, I will hide the necessary details.


In the above screenshot you can see that I tried commands like ls, echo and cd, of which only echo was found to be working. For those who don't know, echo can be used as an alternative to ls by running echo * , so I found that there were three directories (hidden by the blue line). I then started looking through the directory contents and found that I could see the contents of only one directory. Luckily we found vim there.

Basic Exploitation
Halfway through our enumeration we found echo to be working and a directory containing vim. In your case it may be different. Here are the basic techniques you should try right after enumerating, based on what you found.

  1. If slashes ( / ) work for you then you can stop banging your head against the wall, because you can directly run /bin/bash or /bin/sh and escape rbash immediately.
  2. If cp works then copy /bin/sh or /bin/bash into your directory right away.
  3. If you find editors like vi or vim, you can spawn a shell directly from within them. Just open the editor and type :! /bin/bash, or :set shell=/bin/bash followed by :shell. Here's a demo from our target:
  4. If you are able to run awk on your target, you can get a shell from it by running awk 'BEGIN {system("/bin/sh")}' (or /bin/bash in place of /bin/sh).
  5. If you are able to run commands like more, man or less, you can use them too. Just open a file with more/man/less and then type !/bin/bash or !/bin/sh.
  6. Step 5 also applies to ftp and gdb.
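
The enumeration checklist and the escape list above double as an audit checklist for whoever sets up the restricted shell. The script below is an added example, not code from the original post: it checks the directory an rbash user's PATH points at for the programs the post shows can spawn a shell, and builds an allow-list directory of symlinks so that only approved commands are reachable. The program names are taken from the post; the directory paths and command names passed in are assumptions for the example.

```shell
#!/bin/bash
# Added example (not code from the original post): audit the command
# directory an rbash user is confined to, and build such a directory as an
# allow-list. The program names come from the post's escape list; the
# directory paths passed in are assumptions for this example.

# Programs the post shows will hand the user an unrestricted shell
# (editors, pagers, awk, ftp, gdb, cp and the scripting interpreters),
# plus the shells themselves.
ESCAPE_CAPABLE="vi vim awk more less man ftp gdb cp python perl ruby php bash sh"

# audit_rbash_path DIR
# Prints one RISK line per escape-capable program found in DIR and
# returns 1 if any were found, 0 if the directory is clean.
audit_rbash_path() {
    local dir="$1" name found=0
    for name in $ESCAPE_CAPABLE; do
        if [ -e "$dir/$name" ]; then
            printf 'RISK: %s reachable from restricted PATH (%s)\n' "$name" "$dir/$name"
            found=1
        fi
    done
    return "$found"
}

# build_restricted_bin DIR CMD...
# Creates DIR holding symlinks to only the named commands, resolved from
# the current PATH. The restricted user's PATH should name DIR alone.
build_restricted_bin() {
    local dir="$1" cmd src
    shift
    mkdir -p "$dir"
    for cmd in "$@"; do
        # command -v prints an absolute path for external programs only;
        # builtins (cd, echo) print their bare name and are skipped.
        if src=$(command -v "$cmd") && [ "${src#/}" != "$src" ]; then
            ln -sf "$src" "$dir/$cmd"
        else
            printf 'skip: %s is not an external command in PATH\n' "$cmd" >&2
        fi
    done
}

# Usage (assumed paths): build the allow-list, then audit it.
# build_restricted_bin /home/restricted/bin ls cat id
# audit_rbash_path /home/restricted/bin && echo "clean"
```

Point the restricted user's PATH at the allow-list directory from the login profile that rbash reads before its restrictions take effect; rbash then refuses to let the user change PATH or run commands containing a slash, so whatever the audit finds in that directory is the whole set of programs the user can reach. Re-run the audit whenever a package install or an administrator drops a new binary there.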

Exploitation Using Programming Languages

Let's get back to our target. Since we got a shell using vim, we can now run sudo -l for further enumeration.

Here's what our target yielded when I ran /usr/bin/sudo -l on it.
From this we can conclude that sudo allows you to run python. Here's how you can use python to escape: /usr/bin/sudo -u user /usr/bin/python

And you'll get an interpreter. Type these two commands there:

import os
os.system('/bin/bash')

And it'll get you a bash shell. You can also run this directly:

/usr/bin/sudo -u user /usr/bin/python -c 'import os; os.system("/bin/sh")'

Here's how you can escape with other programming languages as well:


  1. PHP : php -a and then exec("sh -i")
  2. Perl : perl -e 'exec "/bin/sh";'
  3. Ruby : exec "/bin/sh"
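
On the defending side, the sudo -l output the post relies on is exactly what to review on one's own hosts. The function below is an added example, not the post's code: it reads sudo -l style output and flags any rule whose command is one of the interpreters, editors or pagers the post shows can spawn a shell. The sample sudo -l text is constructed for the example; the user, host and rules in it are invented.

```shell
#!/bin/bash
# Added example (not from the original post): flag sudo rules that expose
# an interpreter, editor or pager, i.e. any of the programs the post shows
# turning a restricted shell into a full one.

# flag_sudo_rules < sudo-l-output
# Reads `sudo -l` style output on stdin. Rule lines look like
#     (runas) [NOPASSWD:] /path/to/command [args]
# Prints "FLAG: <rule>" for every rule whose command basename is a known
# shell spawner and returns 1 if anything was flagged, 0 otherwise.
flag_sudo_rules() {
    local line cmd base found=0
    while IFS= read -r line; do
        # Skip anything that is not a "(runas) ... /path" rule line.
        case "$line" in
            *"("*")"*/*) ;;
            *) continue ;;
        esac
        # The command is the first whitespace-separated token starting with "/".
        cmd=$(printf '%s\n' "$line" | tr ' \t' '\n\n' | grep '^/' | head -n 1)
        base=${cmd##*/}
        # Names from the post's escape lists; python* also catches python3.
        case "$base" in
            python*|perl*|ruby*|php*|vi|vim|awk|more|less|man|ftp|gdb|bash|sh)
                printf 'FLAG: %s\n' "$line"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample of `sudo -l` output; user, host and rules are invented.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host1:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host1:
    (bob) NOPASSWD: /usr/bin/python
    (root) /usr/bin/systemctl restart nginx
    (root) /usr/bin/less /var/log/syslog'

# Usage: feed real output with `sudo -l | flag_sudo_rules`, or the sample:
# printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_rules
```

A flagged rule is not automatically wrong, but each one should be justified: a rule granting less or python to a restricted user is equivalent to granting that user a shell as the runas account, and should be replaced by a wrapper that performs the one task actually needed.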

So this is where we call it a day, folks. Make sure to share this post if you learnt something from it. I'll meet you guys in the next post; until then, have a safe hack.

7 comments:

  1. Bro great topic python -c is just like a magic wand in many places.

    Thanks for this great article

    1. You're welcome man. Thanks for the appreciation, it keeps me pushing.

  2. Nice Article bhaiya! KrugerSnipesHard

  3. I don't know much but I want to ask. Can we use this as privilege escalation?
