Bypassing Linux Command Restrictions
Usama Ali Turk
Cyber Security | Information Security Consultant | Application Security Expert | Senior Penetration Tester | CRTP
Hello, fellow Red Teamers and Penetration Testers, I hope you are finding and exploiting interesting vulnerabilities. This is my first ever writeup, so if you find any mistakes in my writing, please let me know in the comments. OK, now let's get started.
Often as a penetration tester or red teamer, you may come across situations where you encounter restrictions in the Linux shell. These restrictions can limit your ability to perform tasks or execute certain commands. However, with the right techniques, you can bypass these restrictions and gain the access you need. In this article, we will discuss various novel techniques that can help you bypass Linux shell restrictions.
Question Mark Binary Substitution:
One way to bypass Linux shell restrictions is question mark binary substitution. In pathname expansion the question mark (?) stands for exactly one character, and several question marks in a row stand for that many characters, so a filter that compares the literal command string never sees the real name. For example, if the whoami command is restricted, /usr/bin/whoam? , /usr/bin/whoa?? or /usr/bin/who??? all expand to the same binary.
Wildcard (*) Binary Substitution:
Another technique is wildcard (*) binary substitution. The asterisk (*) stands for any number of characters, including none, in the command path. For example, if the whoami command is restricted, you can use /usr/bin/who*mi , /usr/bin/whoam* , /usr/bin/whoa** or /usr/bin/who**ami instead.
[chars]:
The [chars] technique uses a bracketed character set, which matches any one of the listed characters, to bypass shell restrictions. For example, if a filter blocks reading the literal path /etc/passwd, you can use /usr/bin/cat /e[t]c/[p]assw[d] instead to get the output, because the shell expands the pattern to /etc/passwd before cat ever runs.
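The three glob techniques above all defeat the same weakness: a filter that compares the raw string a user typed, rather than what the shell expands it to. The following added Python example (not code from the article or its references) shows the difference by resolving ?, * and [chars] against a constructed inventory of host paths before applying a constructed blocklist. INVENTORY, BLOCKED_NAMES and BLOCKED_PATHS are assumptions for the demonstration; on a real host the inventory would come from the filesystem.

```python
import fnmatch
import os
import shlex

# Constructed inventory standing in for the executables and files present on a host.
INVENTORY = [
    "/usr/bin/whoami", "/usr/bin/who", "/usr/bin/cat", "/usr/bin/id",
    "/usr/bin/ls", "/etc/passwd", "/etc/shadow", "/etc/hostname",
]
# Constructed policy: command names and file paths the restricted shell refuses.
BLOCKED_NAMES = {"whoami"}
BLOCKED_PATHS = {"/etc/passwd", "/etc/shadow"}
GLOB_CHARS = set("*?[")


def expand_token(token, inventory=INVENTORY):
    """Resolve one word the way bash pathname expansion would, against the inventory.
    A word without glob metacharacters resolves to itself; a pattern that matches
    nothing is also passed through unchanged, as bash does by default.
    Caveat: Python's fnmatch lets * and ? cross '/', which bash does not; that makes
    no difference for this inventory but matters if the check is reused elsewhere."""
    if not GLOB_CHARS & set(token):
        return [token]
    matches = [p for p in inventory if fnmatch.fnmatchcase(p, token)]
    return matches or [token]


def violates_policy(words):
    """Apply the blocklist to a list of already-resolved words."""
    return any(os.path.basename(w) in BLOCKED_NAMES or w in BLOCKED_PATHS for w in words)


def literal_verdict(cmdline):
    """The naive filter: compare the raw words against the policy with no expansion."""
    return violates_policy(shlex.split(cmdline))


def expanded_verdict(cmdline, inventory=INVENTORY):
    """The glob-aware filter: expand every word first, then apply the same policy."""
    resolved = []
    for word in shlex.split(cmdline):
        resolved.extend(expand_token(word, inventory))
    return violates_policy(resolved)


if __name__ == "__main__":
    # Constructed sample commands, including the patterns discussed in the article.
    for cmd in ["/usr/bin/whoami", "/usr/bin/whoam?", "/usr/bin/who???",
                "/usr/bin/who**ami", "/usr/bin/cat /e[t]c/[p]assw[d]", "/usr/bin/i?"]:
        print(f"{cmd:35} literal={literal_verdict(cmd)!s:5} expanded={expanded_verdict(cmd)}")
```

The literal check only catches the first command; every obfuscated form slips past it and is caught only once the words are expanded against what actually exists on the host. The practical lesson for anyone building a restricted shell is that string comparison happens before expansion, so the policy must be enforced on the expanded argv (or with an allowlist of absolute paths), not on what the user typed.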
Quotes:
Using quotes can also help bypass shell restrictions. This technique involves using quotes to surround each character in the command. For example, 'p'i'n'g will execute the ping command.
Backslashes:
Backslashes can be used to bypass shell restrictions as well. This technique involves using backslashes to escape characters in the command. For example, \u\n\a\m\e -\a will execute the uname -a command.
$ and @:
Using $@ can also be helpful in bypassing shell restrictions. $@ expands to the shell's positional parameters, and in an interactive shell with none set it expands to nothing, so inserting it into the middle of a word leaves the word unchanged after expansion. For example, who$@ami will execute the whoami command.
Transformations (case, reverse, base64):
Transformations can also be used to bypass shell restrictions. This technique involves transforming the command using various methods such as changing the case or reversing the order of the characters. For example, $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") will execute the whoami command by changing the case of the characters.
Execution Through echo and $0:
Another technique for bypassing shell restrictions is executing commands through echo and $0. $0 expands to the name of the running shell, so piping a command into $0 starts another instance of that shell which reads the command from standard input. For example, echo whoami | $0 will execute the whoami command.
Using Fake Commands:
Another technique to bypass shell restrictions is to use fake commands. For example, using "p$(u)i$(u)n$(u)g" or "wuhuouaumui" instead of "ping" or "whoami" prints errors because the shell tries to run u, but since each $(u) substitution expands to nothing, the intended command will still be executed.
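The quote, backslash, $@, transformation, $0 and fake-command techniques above share one root cause: a filter that inspects the text before the shell performs quote removal and expansion. As an added example (not code from the article or its references), the Python below normalizes a line the way the shell would for the static cases, flags the dynamic ones it cannot resolve without executing them, and runs both a naive and a normalized check over a constructed set of sample log lines. BLOCKED and SAMPLE_LOG are assumptions for the demonstration.

```python
import re
import shlex

# Constructed blocklist of command names the restricted shell is meant to refuse.
BLOCKED = {"whoami", "uname", "ping", "cat"}

# Non-nested $(...) command substitution, e.g. $(u) or $(tr "[A-Z]" "[a-z]"<<<"WhOaMi").
CMD_SUBST = re.compile(r"\$\([^()]*\)")

# Constructed sample lines standing in for a shell audit log.
SAMPLE_LOG = [
    "'p'i'n'g",
    r"\u\n\a\m\e -\a",
    "who$@ami",
    '"p$(u)i$(u)n$(u)g"',
    '$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")',
    "echo whoami | $0",
    "ls -la",
]


def normalize(cmdline):
    """Return (argv, flags). argv is the word list the shell would produce after
    quote removal and backslash escaping; flags record dynamic constructs a static
    filter cannot resolve and should treat as suspicious in their own right."""
    flags = []
    text = cmdline
    if "$0" in text:
        flags.append("reinvokes-shell-via-$0")
    if CMD_SUBST.search(text):
        # $(u) for a non-existent command u expands to nothing, so removing the
        # substitution reveals the surrounding word; $(tr ...) stays flagged.
        flags.append("command-substitution")
        text = CMD_SUBST.sub("", text)
    if "$@" in text:
        # With no positional parameters set, $@ expands to nothing.
        flags.append("positional-params-$@")
        text = text.replace("$@", "")
    try:
        argv = shlex.split(text, posix=True)  # strips quotes, resolves backslashes
    except ValueError:
        return [], flags + ["unbalanced-quotes"]
    return argv, flags


def literal_blocked(cmdline):
    """The check a naive restricted shell performs: compare the raw first word."""
    words = cmdline.split()
    return bool(words) and words[0] in BLOCKED


def normalized_blocked(cmdline):
    """Decide after normalization; any dynamic construct is refused outright."""
    argv, flags = normalize(cmdline)
    return any(word in BLOCKED for word in argv) or bool(flags)


def scan(lines):
    """One row per line: (line, literal verdict, normalized verdict, argv, flags)."""
    return [(ln, literal_blocked(ln), normalized_blocked(ln), *normalize(ln)) for ln in lines]


if __name__ == "__main__":
    for line, naive, strict, argv, flags in scan(SAMPLE_LOG):
        print(f"{line!r:40} literal={naive!s:5} normalized={strict!s:5} argv={argv} flags={flags}")
```

Only the plain "ls -la" line passes the normalized check; every obfuscated sample is blocked by the naive filter's own blocklist once the quoting is undone, and the two lines that depend on runtime behaviour (tr inside $(...), and $0) are refused because they carry a flag. The design choice worth noting is that the normalizer never tries to evaluate substitutions itself: anything it cannot resolve statically is treated as a finding rather than guessed at, which is the safe default for both a filter and a detection rule.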
Conclusion:
As a penetration tester or red teamer, there may be times when you encounter Linux shell restrictions that limit your ability to execute commands or access sensitive information. However, the techniques described in this article can help you bypass these restrictions. It's important to remember that these techniques may not work in all situations and should be used responsibly and ethically.
AWS re/Start program learner looking for entry-level cloud role (1 year ago): Well done.
Cyber Security Consultant @ Rewterz KSA | CRTP | eCPPTv2 | eWPT | eJPT | HTB SME | OSCP (in progress) (1 year ago): Quite interesting article, found out some more ways to break the restriction.