I'm doing online challenges to improve my skills. However, my latest one is stumping me.

They give you a username/password to login with ssh and then it puts you in a restricted shell. all commands are disabled except for 'tee' and 'ls'. I am able to run things like 'set IFS=/' and have it accept that, but anything like 'set PATH=/bin/sh' will fail because they are read only. I have managed to break out of the shell a few times by pasting arbitrary code in there, but it doesn't seem to work with any regularity. I have been Googling for what seems like days to try to find something that will work 100% of the time, but I haven't found anything yet.

I can't run 'man' and then try to break out because that's disabled. I can't run 'vi', 'scp', etc, etc.

Does anyone know a better way to make it out of a restricted shell? I'm stumped here.

Hey, thanks for responding.

sudo and awk give me the same: restricted: cannot specify `/' in command names
I can use the echo statements but I can't redirect them to a file because it will give me the "cannot redirect output" error. I have found a few things where it will accept commands like:
umask 0
IFS=/;export IFS

However, trying to set the PATH or SHELL variables fails, because they are read-only. I'm really new to this kind of thing so there is a limit to my knowledge.

I did a scan with OpenVAS and it found:

OpenSSH CBC Mode Information Disclosure Vulnerability, but when I looked for any exploit I couldn't find anything that would allow me to take advantage of that either.

yeah, those are the ones I'm doing. I was looking at the /bin folder underneath the restricted1 folder and there was only the ping, ls, and tee. Like I said, I've broken out a couple of times (probably from blind luck) but usually I'm wasting so much time breaking out that I don't have a way of elevating to root after that. Then if I try again the same sets of things that worked previously don't work. I even ran a script to try to brute-force the SSH login for root because I was grasping at straws but after I got through about 500 passwords of my file they cut me off.

I got through the level 2 decryption one pretty easily, but these ones I'm finding are quite hard even though they're level 1. I'm trying to get better at this stuff with the trial and error but this one seems a lot harder without any experience to go on.

Many people attempt these boxes all day (they get reset on the hour) so just try again and see if you can do exactly the same again

Privilege escalation can be one of the most challenging and exciting parts, so good luck

Hey,I have a doubt.I started doing this lab work today and one thing that I couldn't figure out was, the ~/bin/ping is an executable and if we do 
                                           tee -a ~/bin/ping with /bin/sh
the /bin/sh is appended to ~/bin/ping as plain text rite.So it wont execute.Same thing happened to me.It didn't get executed.I am just a beginner.Did I miss anything obvious  ?

Hope this helps:

for 7002 Got Wurzel?:
______________________

# tee ping
/bin/bash
[ctrl-c] -or- [ctrl-d]

# ping


for 7002 Got Root:
______________________

# tee .bashrc
PATH=/usr/bin
export PATH
[ctrl-d]

[logout/log back in]

# vi

[esc] :set shell=/bin/bash
[esc] :shell


have fun

The whole reason that I use Hacking-Lab is because of a lack of spoilers (no taking the easy way out) and actually learning something.

I'm sure many others here will agree that spoilers ruin the challenge and I personally do not agree with spoilers being given here.