Linux Privilege Escalation --> Escaping Restricted Shells

hi

In this module I'm unable to escape the shell. The only command working is pwd and all other commands are disabled.
Tried to change the PATH variable but got restricted.
Tried different operators like `` | ; with different commands but none of them are working.
Any hints would be appreciated.

You can start remote shell with ____ profile.

hint : you can use echo command


yes but how can we escape a restricted shell with pwd and echo? any deeper hints

search how you can use echo command to print file’s content, use pwd to know where you are

yes it was a bit tricky but managed to solve it after googling.

follow above link for better understanding and bypassing.


This one is a bit tricky. I managed to get the flag by using command substitution with the echo command. Here’s how:

[spoiler]
The command I used was

echo $(<flag.txt)

The < symbol will read the contents of the file flag.txt.

The $(...) syntax essentially says to substitute the content of the file (that was read by <) into the command.

The echo command will then do what it’s told and echo back the contents of the file instead of the name of the file.

  • Emdeh
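What restricted mode does and does not stop in the situation this thread describes, as an added example that is not part of any post here: it runs a few command lines under `bash -r` and reports which are blocked. The sandbox directory, its empty bin/ folder and the file contents are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): what bash restricted mode blocks and what it leaves open.
# The sandbox directory and the file contents are constructed for this demonstration.

BASH_BIN=$(command -v bash)
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir "$SANDBOX/bin"                       # empty, like a locked-down PATH directory
printf 'constructed-secret\n' > "$SANDBOX/flag.txt"

# Run one command line in a restricted bash started inside the sandbox.
# Prints the command's stdout and returns its exit status.
rbash_try() {
    ( cd "$SANDBOX" &&
      env -i PATH="$SANDBOX/bin" HOME="$SANDBOX" \
          "$BASH_BIN" --norc --noprofile -r -c "$1" 2>/dev/null )
}

# Classify a command line as "allowed" or "blocked" by its exit status.
verdict() {
    if rbash_try "$1" >/dev/null; then echo allowed; else echo blocked; fi
}

# Restricted mode refuses cd, PATH changes, slashes in command names and
# output redirection, but shell builtins, globbing and input redirection
# still work, so file names and file contents remain readable.
report() {
    for cmd in 'cd /' 'PATH=/usr/bin:/bin' '/bin/cat flag.txt' 'cat flag.txt' \
               'echo x > out.txt' 'echo *' 'echo "$(<flag.txt)"'; do
        printf '%-8s %s\n' "$(verdict "$cmd")" "$cmd"
    done
}

report
```

The takeaway for hardening is that a restricted shell limits navigation and execution, not read access; files the account must not read need file permissions, not shell restrictions.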

If you just want to read the flag.txt file then using the aforementioned technique with echo is enough, if you really want to escape the restricted shell then try starting a remote shell with an unrestricted profile


Kindly share some help on how to go about this. I've tried ssh htb-user@10.129.205.109 but that doesn't seem to work

edit: this worked - ssh htb-user@10.129.205.109

This is the major problem I have with some of these modules. This particular technique is not mentioned in the tutorial…why? Why do I have to go off and search on google for the exact information I am paying to get on the HTB learning material???

Well, I think my way of getting the flag is a bit unconventional, but also seems like the intended way, idk.

  1. Use echo to list files in the current directory, notice bin/ and flag.txt.
  2. Listing bin/ using the same technique revealed man.
  3. man is allowed. Look closely at the help manual, notice the -C switch. Use that to reveal the flag

I always recommend to use this resource whenever you are stuck : Escaping from Jails - HackTricks.

You can ssh directly into unrestricted shell.

hint: ssh __ htb-user@IP_address ____ . Fill in the blanks.

then you get shell and can execute any command no problem . Just type cat flag.txt.

Hello, I’m in the final step, and it seems that the -C option requires a configuration file, which I can’t obtain.

For everyone struggling with this module:

  • try to find what binaries you can use
  • check the parameters accepted by those binaries
  • try to inject some commands in the parameters

Reading the flag (or executing any other commands) is pretty easy, but getting into the interactive non-restricted shell is a bit harder

echo "$(</home/htb-user/flag.txt)" paste this cmd to get answer

Care to explain a bit more? I have been trying to figure out how to use this method but just can’t wrap my head around it

idk if what i did should be the right way or not but it worked with me so you can connect to ssh with interactive bash using -t bash and it will work

another way is to see how you can read a file with “echo”

the way i’ve solved that one:

  1. check $PATH, export
  2. seeing that there’s a bin folder in the home, type bin/ and a couple of tabs to see what’s in there. there’s only man
  3. try to execute a few things by passing man as an argument, including the flag.txt. it doesn’t work but i get an error message that there's no entry for blah blah blah.
  4. pass the content of flag.txt to man through command substitution with man `< flag.txt`
  5. read the error message from man that contains the flag. read, like, from the screen lol