Recently I was working on one of the vulnhub vulnerable boxes and once I finally got a reverse shell it was a restricted one. What a bummer!
In this post I want to document how did I breakout of it in a simple way.
There many ways to break out of the restricted shell (aka /bin/rbash). One simple way for example is to use perl or python to call /bin/sh:
Perl/Python aren’t the only ways. You can STILL breakout if vim, vi, awk, gdb, more, less, etc. are allowed!
- check out this slide for full list and explanation.
- This SANS article is also detailed and full of examples
What I want to add here is a special case of a restricted bash, that’s when the rbash is called with an output redirection.
So might be able to use the earlier tricks to breakout but it’s no good as all the output is being redirected to /dev/null
Note what happens with this example of a super-rbash.sh; and how we breakout from it simply by redirecting output to normal stdout using the 1>&2 at the end
you could also use nc to call a reverse shell; but you’re a hacker and a hacker always seek the smartest solution 😉
happy hacking!
Leave a reply