.

escaping restricted shell

<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Thu Mar 15, 2012 9:55 am

escaping restricted shell

I'm doing online challenges to improve my skills. However, my latest one is stumping me.

They give you a username/password to login with ssh and then it puts you in a restricted shell. all commands are disabled except for 'tee' and 'ls'. I am able to run things like 'set IFS=/' and have it accept that, but anything like 'set PATH=/bin/sh' will fail because they are read only. I have managed to break out of the shell a few times by pasting arbitrary code in there, but it doesn't seem to work with any regularity. I have been Googling for what seems like days to try to find something that will work 100% of the time, but I haven't found anything yet.

I can't run 'man' and then try to break out because that's disabled. I can't run 'vi', 'scp', etc, etc.

Does anyone know a better way to make it out of a restricted shell? I'm stumped here.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Mar 15, 2012 1:55 pm

Re: escaping restricted shell

How about

  Code:
awk 'BEGIN {system("/bin/sh")}'


Not sure if you can use awk or not. If not, you could try using echo statements into a file to build a script to invoke /bin/sh with exec statements in Perl, Ruby, etc.

Another option is using less and more shell escapes using the !

Can you run sudo commands?
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Thu Mar 15, 2012 8:14 pm

Re: escaping restricted shell

Hey, thanks for responding.

sudo and awk give me the same: restricted: cannot specify `/' in command names
I can use the echo statements but I can't redirect them to a file because it will give me the "cannot redirect output" error. I have found a few things where it will accept commands like:
umask 0
IFS=/;export IFS

However, trying to set the PATH or SHELL variables fails, because they are read-only. I'm really new to this kind of thing so there is a limit to my knowledge.

I did a scan with OpenVAS and it found:

OpenSSH CBC Mode Information Disclosure Vulnerability, but when I looked for any exploit I couldn't find anything that would allow me to take advantage of that either.
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Fri Mar 16, 2012 4:38 am

Re: escaping restricted shell

wlandymore are you doing a hacking-lab.com challenge, ie 'got wurzel' or 'got root'?

These challenges I found quite hard (not complete 'got root' yet) but being able to break out of rbash is not something I have come across before.

Focus on what you can execute (in ~/bin) and and you should be able to break out of it fairly quickly :)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Fri Mar 16, 2012 8:26 am

Re: escaping restricted shell

yeah, those are the ones I'm doing. I was looking at the /bin folder underneath the restricted1 folder and there was only the ping, ls, and tee. Like I said, I've broken out a couple of times (probably from blind luck) but usually I'm wasting so much time breaking out that I don't have a way of elevating to root after that. Then if I try again the same sets of things that worked previously don't work. I even ran a script to try to brute-force the SSH login for root because I was grasping at straws but after I got through about 500 passwords of my file they cut me off. :)

I got through the level 2 decryption one pretty easily, but these ones I'm finding are quite hard even though they're level 1. I'm trying to get better at this stuff with the trial and error but this one seems a lot harder without any experience to go on.
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Fri Mar 16, 2012 8:44 am

Re: escaping restricted shell

Oh my gosh...that was easy. I totally didn't think of using the ~/bin. I was trying to edit the commands before with 'tee' but I was using the whole path like: /home/user/bin instead so it would always complain that I had a / in the path.

Thanks.
Last edited by wlandymore on Fri Mar 16, 2012 8:59 am, edited 1 time in total.
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Fri Mar 16, 2012 9:29 am

Re: escaping restricted shell

Many people attempt these boxes all day (they get reset on the hour) so just try again and see if you can do exactly the same again :)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Fri Mar 16, 2012 11:01 am

Re: escaping restricted shell

yeah, it was only about 10 minutes before it bumped me off and when I went back in it was back to default. I just ran the same thing editing the ping command with tee and it worked like a charm.

Now I can actually focus on exploiting the system instead of wasting all that time breaking out of the shell.

Thanks for the hint. :)
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Fri Mar 16, 2012 11:26 am

Re: escaping restricted shell

Privilege escalation can be one of the most challenging and exciting parts, so good luck :)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Fri Mar 16, 2012 9:10 pm

Re: escaping restricted shell

thanks. :)

I've been compiling a lot of c exploits but I haven't been successful yet.
<<

avinashs

Newbie
Newbie

Posts: 2

Joined: Sat Mar 17, 2012 2:03 pm

Post Sat Mar 17, 2012 2:20 pm

Re: escaping restricted shell

Hey,I have a doubt.I started doing this lab work today and one thing that I couldn't figure out was, the ~/bin/ping is an executable and if we do 
                                          tee -a ~/bin/ping with /bin/sh
the /bin/sh is appended to ~/bin/ping as plain text rite.So it wont execute.Same thing happened to me.It didn't get executed.I am just a beginner.Did I miss anything obvious  ?
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Mon Mar 19, 2012 2:00 pm

Re: escaping restricted shell

yeah, you don't want to have the -a in there because that will just append it to what's already there.

However, if you run: tee ~/bin/ping

and then /bin/sh (then Ctrl+C to exit)
and then run: ping

You will pop out of the shell.
<<

mulitia

Newbie
Newbie

Posts: 1

Joined: Sat Mar 31, 2012 3:48 am

Post Sat Mar 31, 2012 3:57 am

Re: escaping restricted shell

Hope this helps:

for 7002 Got Wurzel?:
______________________

# tee ping
/bin/bash
[ctrl-c] -or- [ctrl-d]

# ping


for 7002 Got Root:
______________________

# tee .bashrc
PATH=/usr/bin
export PATH
[ctrl-d]

[logout/log back in]

# vi

[esc] :set shell=/bin/bash
[esc] :shell


have fun ;)
<<

wlandymore

Newbie
Newbie

Posts: 34

Joined: Thu Mar 15, 2012 9:48 am

Post Tue Apr 03, 2012 10:22 pm

Re: escaping restricted shell

Hey thanks. I finally found the answer to the first one and it's not actually an exploit that was required at all.

Now I'm trying to break the 'got root' one but not having the same luck. :)
Last edited by wlandymore on Mon Apr 09, 2012 10:14 am, edited 1 time in total.
<<

TheXero

User avatar

Full Member
Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Wed Apr 04, 2012 3:03 am

Re: escaping restricted shell

The whole reason that I use Hacking-Lab is because of a lack of spoilers (no taking the easy way out) and actually learning something.

I'm sure many others here will agree that spoilers ruin the challenge and I personally do not agree with spoilers being given here.
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software