Escape Restricted Shell Environment in Linux ! Hacking With Linux


The time comes when you finally open the shell on the web server you were working on, only to find yourself in an unfamiliar environment with limited functionality. Blocked shells are often used as an additional line of defense and can cause the attacker to stumble upon them. But with enough patience and persistence, it is possible to escape these restricted areas.

What Are Restricted Shells?

Four blocked shells are shells with restricted permissions, features, or commands. They are mainly used to ensure that users can perform the minimum tasks required for daily operation in a safe, content environment. Managers can also use them to ensure that they do not impose any dangerous orders by accident. In some cases, these restricted shells may be placed in a buffer zone.

The most common types of restricted shells are just ordinary shells with a limited range in place, such as rbash, rksh, and rzsh. Some types can be further customized to fit specific needs and tighten restrictions, such as lshell and rssh.

Environment Recon

The first step toward escaping the forbidden shell is to collect information about the environment. Some of the first basic commands to try are ls, cd, pwd, and echo. Most of the time, if these commands are blocked, an error will appear with the type of restricted Shell we are in (most of the time, this is rbash).

Next, try finding the list of available commands by double tapping the Tab key. We can also try to list the binaries in /bin, /usr/bin, and /usr/local/bin if ls exists. Alternatively, we can use globbing to list directory content when an echo is available, such as:

echo /usr/bin/*
It is also important to check for operators and escape characters such as the following:

> >> < | & ; : ' " `
We may view any files with SUID permissions and any instructions we may use with Sudo that will allow us to increase rights. Any programming languages ​​available in the system have a good chance of allowing us to break the boundaries.
Don't Miss: How to Hack Online Passwords Using THC Hydra and Temper Data

If we can copy the files on our way, we can exceed the limits by using well-known escape binaries or by writing our text. For more information on our environment, try commands such as env or printenv.

Method 1: Text editors
The first step we will look at is to avoid the shells that are limited by the use of text editors. Many text editors, such as vim, vi, nano, pico, ed, etc., can run commands and texts within them. The following instructions can be used to produce the shell:

:set shell=/bin/sh
Make sure you try different shells, too - sh or bash may be blocked, but zsh may not be. Most of the time this is protected, but you should try because it is an easy way to be exploited.

Method 2: Pagers
Like text editors, pagers can be used to create commands as well. PageER is a device that controls the output of the longest output on screen. The most famous of these is very small. Just open a file too long to display on one page, and try the following commands within the app:

The Linux man command is also prone to this type of escape since it uses less or more as default pagers.

Method 3 : Programming Languages
The next method we can use to break out of restricted shells is by abusing any programming languages that are present on the system. Sometimes, if certain operators are blocked, this technique won't work very well, but usually, it can be very effective for escapes. Here are some common ways to spawn a shell.


import os; os.system("/bin/sh")

exec("sh -i");
Perl :

exec "/bin/sh";
Ruby :

exec "/bin/sh"
Lua :

Of course, other programming languages can have their own ways to execute local commands and spawn shells.

Method 4 : Miscellaneous
There are a variety of other methods to escape from restricted shells, but we'll explore some of the more popular ones here.

If the awk command can be run, a shell can be spawned with the following:

awk 'BEGIN {system("/bin/sh")}'
The find command can attempt to spawn a shell with the following command:

find / -name foobar -exec /bin/sh \;
The expect command can spawn a shell using its own spawn function. First drop into expect by typing expect in the terminal. Then, type spawn sh, and finally sh. If successful, we'll now be in an interactive shell.

By using tee, we can create a script in scenarios where text editors aren't available and redirect characters are blocked:

echo "bash -i" | tee script.sh
Older versions of nmap have an interesting feature called interactive mode. It's rare to find this nowadays, but if you do come across it, it's easy to open an interactive shell with the following:

nmap --interactive
nmap> !sh
Finally, if SSH access is available but drops you into a restricted shell, connecting with the following options can be used to escape:

ssh user@IP -t "bash --noprofile"
ssh user@IP -t "/bin/sh"
Wrapping Up
In this tutorial, we learned about restricted shells and why they are used to secure environments. We then learned how to enumerate the environment to determine what we do and don't have access to. Next, we covered various techniques to break out of these restricted environments utilizing text editors, pagers, programming languages, and more. Overall, pretty easy, right?

Post a comment