# Intro

- Restricted shells limit the user's ability to execute commands
- For example, the user is only allowed to execute a specific set of commands or to execute commands in specific directories
- Example restricted shells:
  - [Restricted Bourne shell](https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html) (`rbash`)
  - [Restricted Korn shell](https://www.ibm.com/docs/en/aix/7.2?topic=r-rksh-command) (`rksh`)
  - [Restricted Z shell](https://manpages.debian.org/experimental/zsh/rzsh.1.en.html) (`rzsh`)
- Sysadmins often use restricted shells in enterprise networks to provide a safe and controlled environment for users who may accidentally or intentionally damage the system

# Escaping a restricted shell

## Command injection

- Imagine that we are in a restricted shell that allows us to execute commands by passing them as arguments to the `ls` command
- The shell only allows us to execute the `ls` command with a specific set of arguments, such as `ls -l` or `ls -a`, but it does not allow us to execute any other commands
- So we can use the below to inject the `pwd` command with backticks

```bash
ls -l `pwd`
```

- The above command causes the `ls` command to be executed with the argument `-l`, followed by the output of the `pwd` command

## Command substitution

- This involves using the shell's command substitution syntax to execute a command
- For example, imagine the shell allows users to execute commands by enclosing them in backticks

## Command chaining

- We would need to use multiple commands in a single command line, separated by a shell metacharacter, such as a semicolon (`;`) or a vertical bar (`|`), to execute a command

## Env vars

- Leveraging env vars to escape a restricted shell involves modifying or creating env vars that the shell uses to execute commands that are not restricted by the shell
- For example, if the shell uses an env var to specify the directory in which commands are executed, it may be possible to escape from the shell by modifying the value of the environment variable to specify a different directory

## Shell functions

- For this flavor of restricted shell escape, we can define and call shell functions that execute commands not restricted by the shell
- As an example, if the shell allows users to define and call shell functions, it may be possible to escape from the shell by defining a shell function that executes a command

---

# Exercise

- `ping` test
  ![[images/Pasted image 20260203195029.png]]
- `nmap` scans
  ![[images/Pasted image 20260203195049.png]]
- `ssh` into box with given creds
  - `htb-user:HTB_@cademy_us3r!`
  ![[images/Pasted image 20260203195147.png]]
- we are in the `rbash` shell
  ![[images/Pasted image 20260203195307.png]]
- `ls` is restricted but `pwd` is not
- command injection doesn't work
  ![[images/Pasted image 20260203195353.png]]
- command substitution doesn't work
  ![[images/Pasted image 20260203195512.png]]
- command chaining doesn't work
  ![[images/Pasted image 20260203195622.png]]
- google `rbash bypass`
- attempt another `ssh` connection and use the below

```bash
ssh [email protected] -t "bash --noprofile"
```

- this seems to work
  ![[images/Pasted image 20260203200122.png]]
- NOTE: I thought it failed and issued a [Ctrl+c], but that was what finally dropped me into the shell
  - Can tell by the `^C` before the first terminal prompt at `htb-user`
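
The `ssh ... -t "bash --noprofile"` route from the exercise depends on the server running a command chosen by the client. sshd's `ForceCommand` directive makes the server ignore any client-supplied command, so the script below (an added example, not part of the original notes) lists accounts that have a restricted login shell but no `ForceCommand` covering them. The sample passwd and sshd_config contents are constructed, and the `kiosk` account and its menu path are hypothetical.

```shell
#!/bin/sh
# Added example: list accounts with a restricted login shell that no sshd
# ForceCommand covers. Limitation: only literal "Match User a,b" blocks and a
# global ForceCommand are understood (no wildcards, negation or Include).

# Users whose login shell (passwd field 7) is rbash, rksh or rzsh.
restricted_users() {
    awk -F: '$7 ~ /(^|\/)(rbash|rksh|rzsh)$/ { print $1 }' "$1"
}

# Users covered by ForceCommand; "*" means a global ForceCommand covers all.
forced_users() {
    awk '
        BEGIN { in_global = 1 }
        { sub(/#.*/, ""); kw = tolower($1) }
        kw == "match" {
            in_global = 0; n = 0
            if (tolower($2) == "user") n = split($3, users, ",")
            next
        }
        kw == "forcecommand" {
            if (in_global) print "*"
            for (i = 1; i <= n; i++) print users[i]
        }
    ' "$1"
}

# Usage: unforced_restricted_users PASSWD_FILE SSHD_CONFIG
unforced_restricted_users() {
    forced=$(forced_users "$2")
    restricted_users "$1" | while read -r user; do
        printf '%s\n' "$forced" | grep -qxF -e "$user" -e '*' ||
            printf '%s\n' "$user"
    done
}

# Constructed sample files; the kiosk-menu path is hypothetical.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'htb-user:x:1001:1001::/home/htb-user:/bin/rbash' \
        'kiosk:x:1002:1002::/home/kiosk:/usr/bin/rksh' > "$dir/passwd"
    printf '%s\n' 'PasswordAuthentication yes   # unrelated setting' \
        'Match User kiosk' \
        '    ForceCommand /usr/local/bin/kiosk-menu' > "$dir/sshd_config"
    unforced_restricted_users "$dir/passwd" "$dir/sshd_config"
    rm -rf "$dir"
}

demo
```

On a real host, point the function at `/etc/passwd` and the effective sshd configuration instead of the sample files.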