EH-Net
31  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: escaping restricted shell on: March 16, 2012, 08:44:18 AM
Oh my gosh...that was easy. I totally didn't think of using the ~/bin. I was trying to edit the commands before with 'tee' but I was using the whole path like: /home/user/bin instead so it would always complain that I had a / in the path.

Thanks.
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: escaping restricted shell on: March 16, 2012, 08:26:32 AM
Yeah, those are the ones I'm doing. I was looking at the /bin folder underneath the restricted1 folder and there was only the ping, ls, and tee. Like I said, I've broken out a couple of times (probably from blind luck) but usually I'm wasting so much time breaking out that I don't have a way of elevating to root after that. Then if I try again the same sets of things that worked previously don't work. I even ran a script to try to brute-force the SSH login for root because I was grasping at straws but after I got through about 500 passwords of my file they cut me off.

I got through the level 2 decryption one pretty easily, but these ones I'm finding are quite hard even though they're level 1. I'm trying to get better at this stuff with the trial and error but this one seems a lot harder without any experience to go on.
33  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: escaping restricted shell on: March 15, 2012, 08:14:01 PM
Hey, thanks for responding.

sudo and awk give me the same: restricted: cannot specify `/' in command names
I can use the echo statements but I can't redirect them to a file because it will give me the "cannot redirect output" error. I have found a few things where it will accept commands like:
umask 0
IFS=/;export IFS

However, trying to set the PATH or SHELL variables fails, because they are read-only. I'm really new to this kind of thing so there is a limit to my knowledge.

I did a scan with OpenVAS and it found:

OpenSSH CBC Mode Information Disclosure Vulnerability, but when I looked for any exploit I couldn't find anything that would allow me to take advantage of that either.
34  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / escaping restricted shell on: March 15, 2012, 09:55:26 AM
I'm doing online challenges to improve my skills. However, my latest one is stumping me.

They give you a username/password to log in with ssh and then it puts you in a restricted shell. All commands are disabled except for 'tee' and 'ls'. I am able to run things like 'set IFS=/' and have it accept that, but anything like 'set PATH=/bin/sh' will fail because they are read only. I have managed to break out of the shell a few times by pasting arbitrary code in there, but it doesn't seem to work with any regularity. I have been Googling for what seems like days to try to find something that will work 100% of the time, but I haven't found anything yet.

I can't run 'man' and then try to break out because that's disabled. I can't run 'vi', 'scp', etc, etc.

Does anyone know a better way to make it out of a restricted shell? I'm stumped here.
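
The posts above come down to a restricted shell whose PATH includes a directory the account itself controls (~/bin) alongside a file-writing command (tee). As an added example, not taken from the thread or the challenge, this POSIX shell function audits the PATH given to a restricted account for that condition; the function name, the finding labels and the command list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the PATH handed to a restricted-shell account.
# Usage: audit_rshell_path <numeric-uid-of-account> <PATH string>
# Prints one finding per line; returns 1 if anything was found, else 0.

# Command names mentioned in the posts above. Illustrative, not exhaustive.
RISKY_CMDS="tee vi man scp awk"

audit_rshell_path() {
    uid=$1
    path=$2
    found=0
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting PATH on ':'
    for dir in $path; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        # A PATH directory owned by the account, or world-writable, lets the
        # account replace the commands the restricted shell will run.
        if [ -n "$(find "$dir" -prune \( -user "$uid" -o -perm -002 \) 2>/dev/null)" ]; then
            echo "writable-dir $dir"
            found=1
        fi
        # Commands that can write files or hand off to other programs.
        for cmd in $RISKY_CMDS; do
            if [ -e "$dir/$cmd" ]; then
                echo "risky-cmd $dir/$cmd"
                found=1
            fi
        done
    done
    IFS=$old_ifs
    set +f
    return $found
}
```

A clean result is an empty output with status 0; PATH directories for such an account should be root-owned, not writable by the account, and contain only the commands it actually needs.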