Recently I was working on one of the vulnhub vulnerable boxes and once I finally got a reverse shell it was a restricted one. What a bummer!
In this post I want to document how did I breakout of it in a simple way.
There many ways to break out of the restricted shell (aka /bin/rbash). One simple way for example is to use perl or python to call /bin/sh:
Perl/Python aren’t the only ways. You can STILL breakout if vim, vi, awk, gdb, more, less, etc. are allowed!
- check out this slide for full list and explanation.
- This SANS article is also detailed and full of examples
What I want to add here is a special case of a restricted
bash, that’s when the
rbash is called with an output redirection.
So might be able to use the earlier tricks to breakout but it’s no good as all the output is being redirected to
Note what happens with this example of a
super-rbash.sh; and how we breakout from it simply by redirecting output to normal
stdout using the
1>&2 at the end
you could also use nc to call a reverse shell; but you’re a hacker and a hacker always seek the smartest solution 😉