Bypass Restricted Shells
A restricted shell limits a user’s ability to interact with the system:
- No directory changes: `cd` is disabled.
- No environment variable changes: Cannot modify `$PATH` easily.
- No command aliases: Prevents using custom aliases.
- No redirection: Disallows `>`, `>>`, `<<`, etc.
- No `exec`: Blocks execution of external programs.
In such environments, we must first identify bypass techniques to execute commands or escape the restricted shell.
Command Enumeration:
Check what commands are available in the restricted shell environment:
```bash
bash
cat
cd
cp
declare
echo
echo $PATH
echo $SHELL
echo /usr/bin/*
echo /home/<username>/bin/*
echo "bash -i" | tee rbypass.sh
env
export
find
find / -name foobar -exec /bin/sh \;
ftp
git
less
ls
nano
nmap
printenv
printf
# List all files in current directory
printf '%s\n' *(D)
pwd
set
sudo
sudo -l
tar
touch
vi
vim
whereis
which
whoami
zip
# Programming languages
perl
php
python
python2
python3
python3.x
ruby
# Commands with absolute path
/bin/bash
/bin/sh
/usr/bin/cat
/usr/bin/ls
# Special characters
>
>>
<
|
&
$
$(whoami)
;
:
'
"
`
```
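The same enumeration can be run from the administrator's side against the command directory a restricted account is given. The script below is an added example, not part of the original note: it flags exposed commands, by name or by symlink target, that are able to start other programs. The `RISKY` list, the function names and the sample directory layout are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original note: flag commands exposed to a
# restricted-shell user that are able to start other programs.
# RISKY is an assumption: names from this page's enumeration list, plus dash,
# zsh and busybox, which /bin/sh commonly resolves to.
RISKY='bash sh dash zsh busybox env find ftp git less nano nmap tar vi vim zip perl php ruby sudo'

# is_risky NAME: succeeds if NAME is in RISKY or is a python* interpreter.
is_risky() {
    case "$1" in python*) return 0 ;; esac
    for r in $RISKY; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# audit_rbash_bin DIR: print one finding per line; return 1 if any were found.
audit_rbash_bin() {
    dir=$1; found=0
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty dir: glob stays literal
        name=${f##*/}
        # A harmless link name can point at a shell, so check the target too.
        target=$(readlink -f -- "$f" 2>/dev/null) || target=$f
        if is_risky "$name" || is_risky "${target##*/}"; then
            echo "RISKY $name -> $target"; found=1
        fi
    done
    # A group- or world-writable directory lets other accounts add commands.
    if [ -n "$(find "$dir/." -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "WRITABLE $dir"; found=1
    fi
    return "$found"
}

# make_sample_bin: build a constructed sample layout and print its bin path.
make_sample_bin() {
    root=$(mktemp -d) || return 1
    mkdir "$root/real" "$root/bin" && chmod 0755 "$root/bin"
    for n in ls cat find bash; do : > "$root/real/$n"; done
    for n in ls cat find; do ln -s "../real/$n" "$root/bin/$n"; done
    ln -s ../real/bash "$root/bin/viewer"   # innocuous name, shell target
    echo "$root/bin"
}

# Usage: sh audit.sh /home/<username>/bin
if [ "$#" -gt 0 ]; then audit_rbash_bin "$1"; fi
```

The non-zero exit status on any finding makes the script usable as a provisioning check before the account is handed out.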
More
- https://exploit-notes.hdks.org/exploit/network/protocol/restricted-shell-bypass/ (reference for this note; it also contains exploit techniques)
- https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf