Multiple Methods to Bypass Restricted Shell

We all know the Security Analyst-Hacker relationship is like “Tom & Jerry” where one person takes measures to step-up the security layer and another person tries to circumvent it. The same situation that I slowly resolved while solving CTF challenges where always a new type of configuration error help me learn more about poor implementation of protection.

In this post, we will talk about “restricted shell or bash,” which is used in many CTF challenges and learn to bypass rbash by multiple methods.

Following CTF Challenges using rbash:

Table of Content

  • Restricted shell
  • Restrictions with in rbash
  • Pros of a restricted shell
  • Cons of a restricted shell
  • Multiple methods to bypass rbash

Restricted Shell: rbash

A restricted shell is used to set up an environment more controlled than the standard shell which means If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. 

Restrictions with in rbash

It behaves identically to bash with the exception that the following are disallowed or not performed:

  • cd command (Change Directory)
  • cd command (Change Directory)
  • PATH (setting/ unsetting)
  • ENV aka BASH_ENV (Environment Setting/ unsetting)
  • Importing Function
  • Specifying file name containing argument ‘/’
  • Specifying file name containing argument ‘-‘
  • Redirecting output using ‘>‘, ‘>>‘, ‘>|‘, ‘<>‘, ‘>&‘, ‘&>‘
  • turning off restriction using ‘set +r‘ or ‘set +o‘

Pros of Restricted Shell

  • Rbash is often used in combination with a chroot jail in an additional attempt to restrict access to the entire process.

Cons of Restricted Shell

  • When a shell script command is executed, rbash cuts off any constraints in the spawned shell to execute the code.
  • Inadequate to allow fully untrusted code to be executed.

Enable restricted shell for a user

As said above the rbash will control the access of bash shell for a user and allow to execute the trusted command only which means the login user can run some selected command only. In order to control the user bash command, execute or enable the restricted shell for any user to follow the below steps:

  1. Create a local user “ignite”
  2. Set password
  3. Set usermod to enable rbash for a local user.
  4. Ensure accessible shell for the user with the help of /etc/passwd.

Method to Bypass rbash

  1. Bypass rbash using Editors
  • Vi-editors
  • Ed-editors
  1. Bypass rbash using One liner
  • Python
  • Perl
  • Awk
  1. Bypass rbash through Reverse Shell
  2. Bypass rbash using System binaries
  • More
  • Less
  • Man
  1. Bypass rbash using Expect
  2. Bypass rbash through SSH

Bypass rbash using Editors

Now suppose you have accessed the host machine as a local user and found the logged user is part of rbash shell thus you are unable to run some system commands, such as: cd (change directory) because due to rbash it is restricted.

Now the question is: Then what will you do in such a situation? 🤔

And the answer is: Use “Editors Programs” to bypass the restricted mode. 😇

1st method – VI Editor

So you can use the VI editor and this will be in the edit mode where you need to run the following command to open the “sh: Bourne shell” instead of rbash.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd method- ed-Editor

You can also go with ed-editor which very easy to use as this is same as cat program that will provide inline edit mode where you can use the following command to call “sh: Bourne shell”

Now again if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

There many more editors such as pico or nano which you should by yourself to bypass rbash environment.

Bypass rbash using One liner

1st Method Python

You can also choose python following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

2st Method Perl

Similarly, you can also choose Perl following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

3rd Method- Awk

Similarly, you can also choose awk following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

Bypass rbash through Reverse Shell

1st-Method Python

You can also choose reverse shellcode to bypass rbash, here we have use python reverse shellcode (penetestmokey) and this will throw the “sh: Bourne shell” to the listen to machine (Kali Linux in our case) on the netcat which is listening over our Kali Linux.

After running the listener we will be running the following command.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd Method – PHP

Similarly, you can use PHP reverse shellcode which need to be executed on the host machine and reverse connection will be accessible on Listening IP.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash using System binaries

Very few people know this, that some system binaries program (such as less, more, head, tail, man and many more) are very useful to bypass restricted environment.

Consider a situation where you a log file named ignite.txt inside the current directory and you allow to only a few commands such as more or less to read the logs.

1stMethod-/bin/more

Take the privilege of /bin/more program to bypass the restricted environment by executing following command on the rbash shell

more ignite.txt

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd Method-/bin/less

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

3rd Method-/bin/man

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash using Expect

Expect is a Unix program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.

Take the privilege of /bin/usr/expect the program to bypass the restricted environment by executing the following command on the rbash shell.

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash through SSH 

If you know the ssh credential of the user who is part of rbash shell, then you can use the following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

Reference: http://manpages.ubuntu.com/manpages/cosmic/man1/rbash.1.html

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Docker Privilege Escalation

In our previous article we have discussed “Docker Installation & Configuration”but today you will learn how to escalate the root shell if docker is running on the hots machine or I should say docker privilege escalation to spawn root shell.

While we know that there is an issue with the docker that all the commands in docker require sudo as docker needs root to run. The Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This shows that access to the docker group is the same as to give constant root access without any password. 🧐

Quick Lab setup

Execute the below command to install docker in your localhost machine. I have used ubutnu 18.04 here as target machine.

Create a local user, say Ignite is the username with least privileges add new group “docker” for “ignite”.

To proceed for privilege escalation, you should have local access of the host machine, therefore here we choose ssh to access the machine as ignite who is a local user on this machine. 

Since we have access to the user which is a part of the docker group and said above if the user is part of the docker group then it is the same as to give constant root access without any password. 😈

We ran the command shown below, this command obtains the alpine image from the Docker Hub Registry and runs it. The –v parameter specifies that we want to create a volume in the Docker instance. The –it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt.

Similarly, an intruder can mount other system files to escalate the privilege for the local user such as he can mount the passwd or shadow or ssh-key.

As you can see here, we try to mount/etc directory to obtain shadow file and similarly one can access passwd file and add his own privilege user. 🤔

So, if you have access shadow file then you can try to crack passwd hashes and if you have access passwd file you can add you own privilege user by generating password salt as shown here.

Now a new record inside the passwd file for your user.

From the given below image you can observe that now we have user raj as member of root. Thus, we switch to as raj and access the root shell.

Thus, in this way we can escalated the permission of a host machine, hope you will enjoy this little and powerful post. 😊

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Multiple Ways to Setup Cloud Pentest Lab using OwnCloud

This article is all about setting up a Private Cloud on your local machine on ubuntu, docker and VM. But before it is installed and configured, you should know what the cloud is and why it is a very important part of IT organizations.

Table of Content

  • Cloud Computing
  • Benefits of Cloud Computing
  • Types of Cloud Computing
  • Cloud Computing Deployment Models
  • How cloud computing works
  • Installation of Own cloud in Ubuntu
  • Installation of OwnCloud using Docker
  • Bitnami Owncloud Stack Virtual Machines

Cloud Computing

Cloud computing is the on-demand delivery of compute power, database, storage, applications, and other IT resources via the internet with pay-as-you-go pricing. Whether you are using it to run applications that share photos to millions of mobile users or to support business-critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources.

In other words, cloud computing means, storing and accessing information and programs over the internet instead of the hard drive of your computer. You can access as many resources as you need, almost instantly, and only pay for what you use.

References: https://aws.amazon.com/what-is-cloud-computing/

Benefits of Cloud Computing

  • Cost Saving – Pay for what you use.
  • Agile deployment – Easy and fast access a broad range technology (database, storage, compute etc.) on as per the requirement.
  • Location Independent –Deploy your application in multiple physical locations around the world with just a click.
  • Disaster Recovery – No environmental disruption, no natural calamity effect.
  • Elasticity– Instantly scale up or down the amount of resources that actually need.

Types of Cloud Computing

There are three main types of models of cloud computing. Each type of cloud service and deployment method provides you with different levels of control, flexibility, and management.

  • Infrastructure as a Service (IaaS) -It is a cloud computing offering in which a vendor provides users access to computing resources such as servers, storage and networking. Organizations use their own platforms and applications within a service provider’s infrastructure.

Example: Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)

  • Platform as a service (PaaS)– It is a cloud computing offering that provides users with a cloud environment in which they can develop manage and deliver applications. In addition to storage and other computing resources, users are able to use a suite of prebuilt tools to develop, customize and test their own application also can providers manage security, operating systems, server software and backups.

Example: AWS Elastic Beanstalk, Windows Azure, Force.com, Google App Engine, Apache Stratos.

  • Software as a service (SaaS)-It is a cloud computing offering that provides users with access to a vendor’s cloud-based software. Users do not install applications on their local devices. Instead, the applications reside on a remote cloud network accessed through the web or an API. Through the application, users can store and analyse data and collaborate on projects.

Example: Google Apps, Dropbox, Salesforce, Cisco WebEx,

Cloud Computing Deployment Models

  • Cloud (Public) – A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing.
  • Hybrid- A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend, and grow, an organization’s infrastructure into the cloud while connecting cloud resources to the internal system.
  • On-premises (Private) – Private Cloud refers to the cloud solution dedicated for use by a single organization. The data centre resources may be located on-premise or operated by a third-party vendor off-site. The computing resources are isolated and delivered via a secure private network, and not shared with other customers.

How cloud computing works

Cloud computing gives you access to servers, storage, databases, and a broad set of application services over the Internet. A cloud services provider owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.

Hope, now you have a basic understanding of cloud computing. Let’s start the installation of Owncloud in multiple ways.

Installation of Own cloud in Ubuntu

OwnCloud is the market-leading open-source software for cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive and Google Drive, ownCloud offers real data security and privacy for you and your data. Store your files in one central location – protected from unauthorized access. Many features designed for absolute data security help you to work productively and securely.

Before starting the installation, I want to confirm that you should already have Ubuntu in PC or you can install ubuntu. As I already have Ubuntu 18.04 LTS.

Let’s start the journey together with below steps:

Install Apache2

OwnCloud requires a webserver to function. So, we install Apache2 on Ubuntu.

Install the MariaDB Server

After apache2 installation, run the commands to disable the directory listing and also to Restart the Apache2 services.

MariaDB is the database server. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.

After installation of MariaDB , restart the service and enable MariaDB service to always start up when the server boots.

Install PHP and its modules

Run the commands to add a third-party repository and upgrade to PHP 7.1

Now,  update and upgrade

Next, we  install PHP7.1  and related modules

After installation of PHP 7.1, open FPM PHP default file.

Create OwnCloud  Database

After the installation of all the necessary LAMP packages, we will continue to configure the servers. First, we create the OwnCloud Database. Below are the steps:

  1. Run the MySQL command to logon to the database server. In the next prompt, type the root password.
  2. Create a database called Owncloud.
  3. Create a  database user g nisha with the new password e.g 123(you Should put the strong password for security purpose).
  4. Then, we grant the user full access to the database.
  5. Finally, save your changes and exit.

Note: In the database, the command should be ended by a sign ; otherwise you will get an error.

Download Latest Owncloud Release

Visit  https://owncloud.com/download/ for download and extract OwnCloud Files into the /var/www/html directory.

Then set the correct permissions for OwnCloud to function, change the ownership and mod e.g as we grant (Read Write Execute i.e 777) permission.

Configure Apache2

Configure Apahce2 site configuration file for OwnCloud. This file will control how users access OwnCloud content. Create a new configuration file called owncloud.conf as shown.

Then copy and paste the content below into the file and save it. Replace the highlighted in yellow lines with your own domain name and directory root location and then save the file.

Enable the OwnCloud and Rewrite Module

After configuring the VirtualHost above, enable it by running the commands below and at last restart the Apache2 service.

Open the browser and put localhost(local IP ) e.g http://localhost/owncloud

You’ll be prompted to create an admin account and password. Connect to the database using the information you created and then click on finish setup.

            

Put the admin Credentials and continue.

Happy to see the final Picture of OwnCloud, now you can upload and store your data safely on Owncloud.

Installation of OwnCloud using Docker

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package.

Let’s start the installation with the below steps :

Install Docker

To install docker, simply open the terminal of Linux and type the following command:

Once the docker is up and running, you can run or pull any image in your docker. As per the requirement, we are going to search owncloud image. When you run the following command, it will first check your local repository; if the image is not available there then it will pull it from docker hub.

Once you find your image, you can pull it into your container and download the Owncloud image.

The docker attaches command permits you to attach to a running container using the container ID or name you can use one instance of shell only though attach command or you can directly run the container with container id. ownCloud is accessible via port 8080 on the host machine. But if you crave to open a new terminal with a new instance of container’s shell, we just need run docker exec.

To log in to the ownCloud UI, open http://localhost:8080 in your browser of choice, where you see the standard ownCloud login screen, as in the image below.

Finally welcome to your owncloud platform to perform your services (upload, safety storage of data etc.)

Bitnami Owncloud Stack Virtual Machines

Bitnami Virtual Machines contain a minimal Linux operating system with ownCloud installed and configured. Using the Bitnami Virtual Machine image requires hypervisor software such as VMware Player or VirtualBox. Both of these hypervisors are available free of charge.

You can download from here

Login with default credential

It very simple, only just navigate to the web browser and explore VM IP as shown below.

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst. Connect with her here

EVM: 1 Vulnhub Walkthrough

In this article, we will solve EVM lab. This lab is designed by Ic0de and it is an easy lab as the author has intended it, beginners. You can download the lab from here.

Penetration Methodologies:

  • Network Scanning
    • Netdiscover
    • Nmap Scan
  • Enumeration
    • Browsing HTTP Service
    • Directory Bruteforce using dirb
    • Enumeration Using WPScan
    • Password Bruteforce using WPScan
    • Getting Login Credentials
  • Exploitation
    • Exploiting using Metasploit
    • Getting a reverse connection
    • Spawning a TTY Shell
    • Enumeration for Root Credentials
  • Privilege Escalation
    • Getting Login Credentials
    • Logging in as root
    • Reading the Final Flag

Walkthrough

Network Scanning

First, we will find the IP address of our target machine and for that please use the following command as it helps to see all the IP’s in an internal network:

As you can see from the above image, our target IP is 192.168.1.103. Now that we know target IP, we can move on to scanning our target so that step by step we can attack further and gain control of the machine and scanning will help us to find an opening. We will scan with the help of nmap and for that use the following command:

With the help of nmap, we observed that port number 22, 53, 80, 110, 139, 143, 445 are open with the services of SSH, DNS, HTTP, POP3, NETBIOS, IMAP and NETBIOS respectively.

Enumeration

As port 80 is open, let us try and open the IP in the browser as shown in the image below:

The apache webpage opens which is normal except for the fact that there was a comment saying “you can find me at /wordpress/ im vulnerable 😊

Now according to this comment, it means there is a vulnerable directory called ‘WordPress’. So to confirm we used dirb command which is:

And to no surprise, there is a directory called ‘WordPress’. Now, this is wordpress, as the name suggests, we can use wpscan to find more about it. And for this, type:

With this command, we are telling the wpscan to enumerate(-e) all themes(at), all plugins(ap) installed on the wordpress site. And finally, all the users(u) that might be logged in on the WordPress Site.

As you can see in the image below, there is a vulnerable plugin c0rrupt3d_brain where we can attack via bruteforce and get a password to log in.

So, for our bruteforce, we will use rockyou wordlist and to put it in action type:

And when the bruteforce is successful, it will give you the password i.e. 24992499; which is shown in the image below too:

Exploitation

Now that we know username and password, we can use an inbuilt wordpress exploit from Metasploit. Firstly, start Metasploit by typing ‘msfconsole’ and the type the following command:

So, once the exploit is running and attack is successful, you can have your meterpreter session. When you have the meterpreter session, go home by typing cd /home and checklist of things home has to offer by using ls command. There was only on folder there named root3r and when you navigate yourself to that folder and check the list of files with the same command you used before. Here, you will find .root_password_ssh.txt file; upon reading this text file with a cat you will find the password of the root user just its shown in the image below:

Privilege Escalation

Now, we know that the password of the root user is willy26. We can now switch our user to root and for this type:

Now you are logged in as root along with its privileges too. As you can see in the image below:

Once you are logged in as a root user, navigate yourself around and go to the root folder by typing cd /root. And there when you will use ls command, you find a proof.txt document. Upon reading it with cat command, it will show you that you have successfully pwned the machine. YAY!!!!!!

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here