EH-Net

I'm doing online challenges to improve my skills. However, my latest one is stumping me.

They give you a username/password to login with ssh and then it puts you in a restricted shell. all commands are disabled except for 'tee' and 'ls'. I am able to run things like 'set IFS=/' and have it accept that, but anything like 'set PATH=/bin/sh' will fail because they are read only. I have managed to break out of the shell a few times by pasting arbitrary code in there, but it doesn't seem to work with any regularity. I have been Googling for what seems like days to try to find something that will work 100% of the time, but I haven't found anything yet.

I can't run 'man' and then try to break out because that's disabled. I can't run 'vi', 'scp', etc, etc.

Does anyone know a better way to make it out of a restricted shell? I'm stumped here.

How about


Not sure if you can use awk or not. If not, you could try using echo statements into a file to build a script to invoke /bin/sh with exec statements in Perl, Ruby, etc.

Another option is using less and more shell escapes using the !

Can you run sudo commands?

Hey, thanks for responding.

sudo and awk give me the same: restricted: cannot specify `/' in command names
I can use the echo statements but I can't redirect them to a file because it will give me the "cannot redirect output" error. I have found a few things where it will accept commands like:
umask 0
IFS=/;export IFS

However, trying to set the PATH or SHELL variables fails, because they are read-only. I'm really new to this kind of thing so there is a limit to my knowledge.

I did a scan with OpenVAS and it found:

OpenSSH CBC Mode Information Disclosure Vulnerability, but when I looked for any exploit I couldn't find anything that would allow me to take advantage of that either.

wlandymore are you doing a hacking-lab.com challenge, ie 'got wurzel' or 'got root'?

These challenges I found quite hard (not complete 'got root' yet) but being able to break out of rbash is not something I have come across before.

Focus on what you can execute (in ~/bin) and and you should be able to break out of it fairly quickly :)

yeah, those are the ones I'm doing. I was looking at the /bin folder underneath the restricted1 folder and there was only the ping, ls, and tee. Like I said, I've broken out a couple of times (probably from blind luck) but usually I'm wasting so much time breaking out that I don't have a way of elevating to root after that. Then if I try again the same sets of things that worked previously don't work. I even ran a script to try to brute-force the SSH login for root because I was grasping at straws but after I got through about 500 passwords of my file they cut me off. :)

I got through the level 2 decryption one pretty easily, but these ones I'm finding are quite hard even though they're level 1. I'm trying to get better at this stuff with the trial and error but this one seems a lot harder without any experience to go on.

Oh my gosh...that was easy. I totally didn't think of using the ~/bin. I was trying to edit the commands before with 'tee' but I was using the whole path like: /home/user/bin instead so it would always complain that I had a / in the path.

Thanks.

Many people attempt these boxes all day (they get reset on the hour) so just try again and see if you can do exactly the same again :)

yeah, it was only about 10 minutes before it bumped me off and when I went back in it was back to default. I just ran the same thing editing the ping command with tee and it worked like a charm.

Now I can actually focus on exploiting the system instead of wasting all that time breaking out of the shell.

Thanks for the hint. :)

Privilege escalation can be one of the most challenging and exciting parts, so good luck :)

thanks. :)

I've been compiling a lot of c exploits but I haven't been successful yet.

Hey,I have a doubt.I started doing this lab work today and one thing that I couldn't figure out was, the ~/bin/ping is an executable and if we do 
                                           tee -a ~/bin/ping with /bin/sh
the /bin/sh is appended to ~/bin/ping as plain text rite.So it wont execute.Same thing happened to me.It didn't get executed.I am just a beginner.Did I miss anything obvious  ?

yeah, you don't want to have the -a in there because that will just append it to what's already there.

However, if you run: tee ~/bin/ping
 
and then /bin/sh (then Ctrl+C to exit)
and then run: ping

You will pop out of the shell.

Hope this helps:

for 7002 Got Wurzel?:
______________________

# tee ping
/bin/bash
[ctrl-c] -or- [ctrl-d]

# ping


for 7002 Got Root:
______________________

# tee .bashrc
PATH=/usr/bin
export PATH
[ctrl-d]

[logout/log back in]

# vi

[esc] :set shell=/bin/bash
[esc] :shell


have fun ;)

Hey thanks. I finally found the answer to the first one and it's not actually an exploit that was required at all.

Now I'm trying to break the 'got root' one but not having the same luck. :)

The whole reason that I use Hacking-Lab is because of a lack of spoilers (no taking the easy way out) and actually learning something.

I'm sure many others here will agree that spoilers ruin the challenge and I personally do not agree with spoilers being given here.

Hey, sorry about that. I edited the post and removed the information basically.

The only reason I ask for help on any of these is because I've worked at it for hours, sometimes days, and I feel like I'm not making any progress at all. Then the learning stops because I'm not really going anywhere. It helps to have a 'mentor' in this case because it provides someone else's perspective and can get you past the block....especially for a new guy like me. :)

However, I agree that I probably shouldn't leave most of the solution there like that. Thanks.

http://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

made me think of this thread. Great article btw if you want to learn more about the topic.