Hiding Shell using PrependMigrate -Metasploit

In this article, you will get to know about the strength of mfsvenom along with PrependMigrate. You will also learn how to migrate the created payload into processes currently running on the targeted machine so, the victim unable to find the malicious file. It is very important to migrate your backdoor payload because if the target is alerted and decides to take measures to kill the process then, your session will also get killed. Therefore, an attacker must do this as soon as the session opens.

Table of Content

  • Basic Terminologies
    • Metasploit Framework
    • MSFvenom
    • PrependMigrate
  • Hiding shell with PrependMigrate
    • With MSFvenom.
    • Without MSFvenom.

Basic Terminologies

Metasploit Framework

Metasploit Framework, an open-source tool for developing and executing exploit code against a remote target machine.

Steps for exploiting a system using the Framework include:

  • Choosing and configuring an exploit
  • Checking whether the intended target system is susceptible to the chosen exploit
  • Choosing and configuring a payload
  • Choosing the encoding technique
  • Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploits writers, and payload writers. 

Msfvenom

MSFvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. It is used to generate and encode various types of payload that are available in the Metasploit Framework. The advantages of msfvenom are:

  • One single tool
  • Standardized command-line options
  • Increased speed

PrependMigrate

PrependMigrate is an option that allows us to link our session with an ongoing process on the target system. It can also transfer a session by linking it from one process to another. It comes handy as it is difficult for the target to find the malicious process so it becomes paramount for the attacker to cover their tracks.

Configurations used in Practical

Attacker:

    OS: Kali Linux

    IP: 192.168.1.107

Target:

      OS: Windows 10

      IP: 192.168.1.104

First Method

Let’s start the game of conceal and seek. You have to conceal to save yourself and let the target try to find you.

Starting with MSFvenom we will be creating a malicious executable named raj.exe and conceal the generated executable behind a process named explorer.exe (you can choose any process running on task manager) by PrependMigrate process.

Next, we will be loading the Metasploit framework on Kali Linux by using the msfconsole keyword. Then set the following options to enable our handler:

Now, we will send the payload to the target machine and run the executable on the Target Machine. This will generate a meterpreter session which will be captured by the listener we created earlier. You can access the target system but if the target acknowledges that the system is compromised; then they can take security measures to end your session. To escape from this situation, the attacker’s first responsibility is to conceal the executable payload behind the process so the victim cannot identify it in any way possible.

Use the following ps command to check the processes that are running presently and filter with the raj.exe

 The process ID (PID) of raj.exe i.e. 4848 as shown in the process list and if the victim kills the raj.exe i.e. 4848 PID then the running process will end. Thus, ending our session with a simple command:

But you do not need to worry as PrependMigrate saves the day by letting us conceal raj.exe behind the explorer.exe and you will be at an advantage as your meterpreter session is still running. 

Second Method

The Second way of hiding shells using the PrependMigrate but without using msfvenom. Here, the objective is the same as the earlier. We will start by opening the Metasploit Framework.

Then use the following set of commands to create your payload:

After the creation of malicious executable i.e. nisha.exe, we will create listener multi/handler using the following commands:

Using the ps command along with grep command we will get the PID of nisha .exe i.e.4128

(Note: PID stands for process id, which means the identification number for currently running process in memory. PPID stands for Parent Process Id, which means the parent process is responsible for creating the child (current) process. Through parent Process, the child process will be created.)

Now we try ourselves to kill the nisha.exe process to get conceal from the victim with the following command:

But still, you have a victim’s session which means nisha.exe migrates into new process id of explorer.exe. And you can use the sysinfo command to confirm that the session is still up and running.

Conclusion

This is how one conceals themselves. The purpose of this article is to serve both the blue team and the red team as one should be aware of how to locate and eliminate the attacker as well as how to conceal yourself when you are on the other side of the line.

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Multiple Ways to Install Kali

In this article, we will learn how to open the magic box of ethical hacking. Can you guess the name of that box? Ok, I tell you the name is KALI the magic box of ethical hacking. Through this article, you will learn the installation of Kali  Linux on different platforms along with the features.

Table of Content

  • Introduction of kali Linux
  • Features of kali Linux
  • Prerequsities for kali Linux installtion
  • Kali installation on VM (Virtual machine)
  • Kali installation on Virtual Box
  • Kali installation on AWS
  • Kali installation on Respberry pi

Introduction of Kali Linux

“The quieter you become, the more can to hear”—Kali Linux

As per my definition, Kali Linux is a magic box that contains multiple magic tools to play the magic. In technical terms, Kali Linux is an open-source, Debian based Linux distribution mainly for penetration testing, security auditing, computer Forensic, Security research, etc. it contains over 600 tools of information gathering(Amap, arp-scan, APT2, etc.), vulnerability analysis (Nmap, sqlmap, BBQSQL, etc., ), wireless attack( Airbase-ng, Air crack-ng, airplay-ng, etc.), web applications(BrupSuite, zaproxy, Web Scarab), exploitation (Metasploit, Armitage, crackle), forensics (DFF, Capstone, Binwalk, etc.), etc.
It is developed, maintained and funded by Offensive Security, a leading information security training company.

Features of Kali Linux

Free of cost –it is completely free of cost, you will never have to pay for it. All the development source code are freely available to you.

Over 600 tools available for different functionality e.g computer forensics, penetration testing, etc

Completely customizable – it is easy to customize based on your needs and preferences.

Usable on a wide range of ARM devices.

Prerequisites for Kali Linux Installation

Kali OS software package required a minimum of 10 GB hard disk space for installation.

  •        Minimum 512MB Ram is required for i386 and amd64 architectures.
  •        A bootable CD-DVD Drive or a USB stick.

Give me six hours to chop down a tree and I will spend the first for four sharpening the axe.—Abraham Lincoln

Installation of Kali on Vmware

Vmware Workstation enables users to set up virtual machines on a single physical machine and use them simultaneously along with the actual machine. A Virtual machine can be downloaded from www.vmware.com.

Download kali from  http://kali.org/downloads/ 64 bit or 32 bit as per your computer capability.

Click on create a new virtual machine by selecting the Installer disc image file (ISO), and review the configured virtual machine and then powered on the created kali virtual machine.

 At the boot menu, many options are available so I am going to describe all boot menu options briefly:

Live (amd64)

Probably the one you’re searching for. This one will boot you into Kali, but only in the Live mode. That means, that when you terminate/shutdown your laptop everything you’ve saved/edited in Kali is lost. So if you make a file on your desktop, that file will be lost when you restart.

This is possible because Kali only writes to RAM and not your HDD.

Live (forensic mode)
This is a special and interesting mode. In this mode, the internal HDD is never touched, and the auto-mounting of devices is disabled. You’ll use this when performing forensics on a device (e.g. recovering sensitive files, getting evidence in crime scenes.)

Live USB Persistence
Use this if you want to install Kali on the USB you booted from, this way you can save what you’ve done, etc. If you now place a file on your desktop, it’s saved on your USB and is again accessible when you boot from it.

Live USB Encrypted Persistence
Same as above. Alone with this option, your USB is also encrypted with LUKS. If you choose USB Persistence, choose this one!

(Graphical) Install                                                                                        
If you want to install it on your HDD.

Install with speech synthesis
Install it, the text from the installation-menu is read out to you

But through the down arrow key, you can select Graphical install.

After selection of Graphical install, you will get the multiple next windows of

Preferred language selection- English (select as per your choice) then click continue

Location – United States (select as per your choice) click continue

Standard keymap –  American English (select as per your choice) click on continue

On the next screen you will ask to configure the network, select Do not configure the network at this time and hit the continue.

Now in a single word, you can provide the hostname e.g. Kali (any name as per your choice). Then click on continue.

Set the password for the root account. Don’t forget the password you have set for the root account otherwise you have to install kali again.

On the next screen, select the time zone and click continue.

 

Kali detects the disk partitions. Select guided-use entire disk then click continue.

 

Installer confirms that partition you are going to use. Click continue.

 

Select the All files in one partition and click on continue.

Selection of disk partition has been done, you can see the overview of partition disk you currently configured, and select the Finish partitioning and write changes to disk. After that click on continue.

Click on yes to make the changes to disk as per the selected partition changes. Then click on continue.

After partition, now Kali will start installing, you have to around 30 minutes for installation.

After Kali installation, on the next screen, you will get the network mirror option. You need to select No and click on continue.

You get the option to install the GRUB boot loader as it should be safe to install it to the master boot record of your first hard drive. Select yes and click on continue.

Select the boot loader device for GRUB installation. Select /dev/sda and click Continue.

Now you will see the installation complete dialog box. Click to continue to finalize the installation and wait for the VM to reboot. After reboot, you will see the login screen. Log in with your username or root user and provide your password. You will then see the Kali Linux desktop.

Once the VM reboots, you will see the Kali Linux login screen.

Login with username: root, Password: toor, what you entered during the installation process earlier.

 

Successfully, Kali installation has been done, now you can start working on Kali Linux.

Installation of Kali Linux on Virtual Box

VirtualBox is a software system for virtualizing the x86 computing design. It acts as a hypervisor, making a VM (virtual machine) within which the user will run another OS (operating system).

The OS within which VirtualBox runs is named the “host” OS. The OS running within the VM is named the “guest” OS. VirtualBox supports Windows, Linux, or macOS as its host OS.

 If you have already got put in VirtualBox then well smart otherwise install the newest version and install it from https://www.virtualbox.org/wiki/Downloads.

Prerequisites

  • VirtualBox installed in your Linux system
  • the image of Kali Linux present in your system
  • at least 4GB of RAM
  • at least 20-30GB of free disk space
  • network to have a system updated
  • a processor with the virtualization features enabled (often activated by default)

In virtualization, the guest OS is the virtualized system (so our Kali Linux) and the host OS is our Linux system. You can summarize the configuration that was created by you. Then launch the installation  click on the green arrow button to start .

On the next screen, you will see the installer options, select Graphical install.

After the selection of Graphical install, you have to follow all the steps the same as you have done at the time of installation of Kali Linux on VMware.

Installation of Kali Linux On AWS

Amazon Web Services (AWS) is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. In aggregate, these cloud computing web services provide a set of primitive abstract technical infrastructure and distributed computing building blocks and tools. One of these services is Amazon Elastic Compute Cloud, which allows users to have at their disposal a virtual cluster of computers, available all the time, through the Internet.

For more detail description refer https://en.wikipedia.org/wiki/Amazon_Web_Services.

Prerequisites

  • An Aws account
  • Minimum 2 GB RAM (to run Metasploit)

Login to  https://aws.amazon.com/console/ to navigate web services. From the compute services, select EC2 (Elastic Compute Cloud) and click on Launch Instance.

Click on AWS Marketplace, to search  the AMI (Machine Image of Kali Linux)

In the search, tab writes Kali Linux, to the Kali AMI  and then click on select.

After selection, you can see the summary of all the instances types, software, amount available for Kali Linux. (As per your requirement you can choose, also free tier instance is also available).Then click on continue.

Now you can choose instance type as per your budget, you can select t2micro along with vcpu 1,2.5GHz, Intel Xeon Family,1GiB memory, EBS only). But to run the Metasploit to need minimum of 2 GB RAM, you can opt t2 small or t2 medium.

Review the selected instance and click on the launch.

Here, you need to create a new key pair and give a name to the key . Click on download key pair as you will not be able to download the file again after it’s created. Then click on Launch Instances.

Save the Downloaded .pem file.

Click on Launch Instances

After Launch instance, you can see the instance is running even you can provide the name to your created instance. Click on connect to get access to SSH with other information on public DNS.

For a Linux user:

You can access the Kali AWS from a linux machine. Set the permissions and connect the SSH server:

Login with username ec2-user.

For Window Users:

Open the puttygen and load the previously downloaded private key to convert it into a putty supported format.

Save the private key and close the Puttygen program. Open the Putty program to connect it with Kali Linux, in hostname put the public DNS details and load the private key in the Auth tab under the SSh navigation.

Then click on open

Login with username ec2-user and your kali Linux from the cloud is ready. As this is minimal installation, to get all the tools run the command apt-get install kali-linux-full

Note: You should not go over the usage limit otherwise you will be charged and need to pay the bill.

Installation of Kali on Raspberry Pi

The Raspberry Pi is a low-cost, credit-card-sized ARM computer. Despite being a good bit less powerful than a laptop or desktop PC, its affordability makes it an excellent option for a tiny Linux system and it can do far more than act as a media hub.

The Raspberry Pi provides an SD card slot for mass storage and will attempt to boot off that device when the board is powered on.

By default, the Kali Linux Raspberry Pi image has been streamlined with the minimum tools, similar to all the other ARM images. If you wish to upgrade the installation to a standard desktop installation, you can include the extra tools by installing the kali-Linux-full meta-package.

For more details please refer https://github.com/thehackingsage/HackPi.

Prerequisites

  • Kali Linux Raspberry 2,3, 4 ARM images.
  • SD card (minimum size 8 GB but can use 16GB 0r even 32 Gb)
  • Bootable Kali

First, download the Kali Linux 2 or more image file for a raspberry file from the https://www.offensive-security.com/kali-linux-arm-images/#1493408272250-e17e9049-9ce8.

I need to write it to the SD card. Choose the Kali Linux ISO file to be imaged with “select image” and verify that the USB drive to be overwritten is the correct one. Click the “Flash!” button once ready.

Once Etcher alerts you that the image has been flashed, you can safely remove the USB drive and proceed to boot into Kali with it.

Now, you can have a plugged raspberry pi device with the bootable SD card into the monitor. After powering up the raspberry pi 3 b, it will go through a bootup process and the screen will go blank for a few seconds.

For the final step, a login prompt will appear asking for a username and a password. The default should be ‘root’ and ‘toor’ respectively.

Thank you

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Web Application Pentest Lab Setup on AWS

Isn’t it going to be nice if you can reach your pen-testing lab from all over the world? As we all know, this is a digital age that makes life easier than our expectations, thus anyone can access their information/data from the cloud. Similarly, a Pentester can design its pen-testing environment for the vulnerable machine on the cloud that can be accessed from anywhere. AWS is probably the most popular cloud service available in today’s date, with most companies taking a cloud or hybrid approach towards their infrastructure.

This article is about setting up a vulnerable lab for web penetration in Amazon Web Services (AWS) to perform pen-testing on.

Table of Content

  • Prerequisite
  • Setup & Configuration of AWS Instance
  • Deployment & Connectivity
  • Install Dependencies
    • Apache
    • MySql – server
    • PHP
    • Configuring MySql
    • Phpmyadmin
  • Lab Setup
    • DVWA
    • SQL Injection – Dhakkan
    • OWASP Mutillidae II

Prerequisite

To set up your own pen-testing environment, you must have AWS account or if not then create an AWS account and login your account.

Setup & Configuration of AWS Instance

Let’s walk through the process of setting up the lab, we will be making an EC2 instance with Ubuntu Server 18.04 LTS on it. An EC2 instance is referred to as a virtual server in Amazon’s Elastic Compute Cloud (EC2) for running applications on the AWS infrastructure. The good thing is that this will not cost you anything to build as AWS has options to setup instances within a certain computing level that are not charged for.

  1. Open the EC2 console in AWS.

     2. Navigate to “Launch Instance” and click on “Launch Instance”.

  1. Choose the Amazon machine image (AMI), this is basically similar to finding the iso file of the OS that you want on your instance. AWS has you covered with most of the popular OS’s available in its inventory.
  2. Here we looked for ubuntu.
  3. Now that we see the OS that we want running on our instance, we need to choose the “64-bit (x86)”.

  1. We now need to choose our instance type, to basically define the amount of hardware this instance will have, we choose the “t2.micro”. This gives us I virtual CPU and 1 GB of RAM.

For most general-purpose workloads, T2 Unlimited instances will provide ample performance without any additional charges.

Features:

  • High-frequency Intel Xeon processors
  • Burstable CPU, governed by CPU Credits, and consistent baseline performance
  • Lowest-cost general purpose instance type, and Free Tier eligible*
  • Balance of compute, memory, and network resources

Read more from here

  1. Once we click on “Review and Launch”, the rest of the options are left as they are, and we click on “launch”.

8. Now let’s launch the instance which will create a key pair to your instance and complete the launch process.

This is a very important step, this is what makes it possible for you to connect to your instance over SSH, the key pair.

  1. Choose “Create a new key pair”, give it a name, them download and save the .pem file somewhere where you can keep it safe.

AWS gives you the launch status, tells you about the launch process and shows you that your instance is now launching.

  1. Now click on “View Instances” to see what’s happing with our Ubuntu server. Note that it takes a few minutes for the server to be fully deployed, so be patient. Now we see under “Status check” that we have our 2/2 checks, this essentially means that our instance is fully deployed and ready for us to connect to.

Deployment & Connectivity

This is the good part, where we get to deploy and connect to our instance in AWS.

  1. We choose our instance and click on “Connect”, this takes us to a page with options that defines how we want to connect to our instance, and we choose to connect using a standalone SSH client.

  1. Enter the name for your Instance ID, so that you can easily identify the instance ID from its name.

AWS is very helpful in giving us the particulars for our connection, like the commands to use.

There are many applications you can choose from to connect to the instance, we are connecting to it from Kali Linux.

  1. We first make sure that the .pem file that we saved has the right permissions assigned to it, in this case, it needs to be only ‘read’. Once that is done, we put in the SSH particulars provided by AWS.

  1. The .pem file is defined so that the SSH operation knows where the keys are located and that’s it, we are in!!. We connect and get to root.

Install Dependencies required for Pentest-lab

Ubuntu is up and running now, let’s start it for our pentest purposes, in order to do that we need to have the basic dependencies installed so that we can access web application like DVWA, etc.

Apache

First, we will install the Apache. Apache is the most commonly used Web server on Linux Systems. Web servers are used to serve web pages requested by the client computers.

  1. So, let’s first install Apache in the ubuntu by the following command.

We have successfully installed apache2, by default apache runs on port 80

 

For Apache to function properly we need to open port 80, so let’s get to it. We need to edit the security group in order for the Apache service to work. Ports are closed by default in AWS, so we can define what we want open.

  1. Go to your instance and launch the security groups wizard-1.
  2. Edit the inbound rules and add HTTP, using TCP protocol over port 80.

  1. The rule has been added, now click on save.

  1. Now to validate that Apache is running on our Ubuntu server, we access the IP of the instance in a browser.

MySQL – Server

The next step is to install MySql-server. This is fairly simple, just type in the command and let Ubuntu do the rest.

PHP

Installing PHP 7.2, simply type the following command.

Configuring MySQL

Let’s configure MySQL so we have the right kind of credentials for our setup. After it gets logged in you will grant all the privileges to the user of Ubuntu as in our case we have given all the privileges to user raj which will be identified with the password of ubuntu which is 123 in our case and after which we will reset all the previous privileges so that it can start the service with the new changes. For this, the commands are the following.

PHPMyAdmin

We need to install phpMyAdmin as well, here is how you do it.

Phpmyadmin needs to be configured, it needs to know that we want to use apache2 as our web server.

Next, we need to give it the password that we kept while setting up MySQL.

Lab Setup

We are done with installing all the dependencies for our setup and are now ready to install our pentest labs.

DVWA

let’s navigate to the “html” folder to download and install DVWA. Once that is done, we need to move the config.inc.php.dist file for further configurations.

Open the config.inc.php file in a text editor and put in the database credentials that we had set up earlier. We only need to modify 2 fields: db_user and db_password.

Now we open DVWA in our web browser and click on “Create/Reset Database”.

Time, to login to our DVWA!

SQL Injection – Dhakkan

Our vulnerable web app is up and running, now we want to install a lab for SQL injections, we will be using the Dhakkan sqli lab.

Here’s how to set it up. We download it into the html folder to host it, next we move the “sqlilabs” folder to the “sqli”. Next, we need to edit the database credentials so that the lab can function properly. Open the db-creds.inc file in a text editor.

Now that the file is open, we put in the username and password.

Now browse this web application from through this Public-DNS/sqli and click on Setup/reset Databases for labs. Now the sqli lab is ready to use.

Success! Sqli is up and running.

OWASP Mutillidae II

Last but not least, we will install OWASP Mutillidae II and that will conclude our setup for now.

So, let’s start by navigating to the “html” folder and downloading Mutillidae. Once downloaded, we navigate to the “includes” folder.

Once in, modify the database access file to prove the credentials we had set up earlier.

Now we will open this our local browser by the following URL: Public-DNS/mutillidae where we will find an option of reset database. Just click on it to reset the database. Let’s launch Mutillidae using our browser.

Voila!! Your Ubuntu instance is ready for you to start your AWS pentest journey. You have your connectivity, dependencies and labs all configured and ready to go.

We at Hacking Articles always try to bring you the most industry-relevant content. Since the cloud is now the thing most companies are moving towards and raising curiosity about ways to keep the cloud secure, this is article is just to get you ready for our new articles on cloud penetration testing, so stay tuned.

Have fun and stay ethical.

About The Author

Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher. Connect with him here

Multiple Methods to Bypass Restricted Shell

We all know the Security Analyst-Hacker relationship is like “Tom & Jerry” where one person takes measures to step-up the security layer and another person tries to circumvent it. The same situation that I slowly resolved while solving CTF challenges where always a new type of configuration error help me learn more about poor implementation of protection.

In this post, we will talk about “restricted shell or bash,” which is used in many CTF challenges and learn to bypass rbash by multiple methods.

Following CTF Challenges using rbash:

Table of Content

  • Restricted shell
  • Restrictions with in rbash
  • Pros of a restricted shell
  • Cons of a restricted shell
  • Multiple methods to bypass rbash

Restricted Shell: rbash

A restricted shell is used to set up an environment more controlled than the standard shell which means If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes restricted. 

Restrictions with in rbash

It behaves identically to bash with the exception that the following are disallowed or not performed:

  • cd command (Change Directory)
  • cd command (Change Directory)
  • PATH (setting/ unsetting)
  • ENV aka BASH_ENV (Environment Setting/ unsetting)
  • Importing Function
  • Specifying file name containing argument ‘/’
  • Specifying file name containing argument ‘-‘
  • Redirecting output using ‘>‘, ‘>>‘, ‘>|‘, ‘<>‘, ‘>&‘, ‘&>‘
  • turning off restriction using ‘set +r‘ or ‘set +o‘

Pros of Restricted Shell

  • Rbash is often used in combination with a chroot jail in an additional attempt to restrict access to the entire process.

Cons of Restricted Shell

  • When a shell script command is executed, rbash cuts off any constraints in the spawned shell to execute the code.
  • Inadequate to allow fully untrusted code to be executed.

Enable restricted shell for a user

As said above the rbash will control the access of bash shell for a user and allow to execute the trusted command only which means the login user can run some selected command only. In order to control the user bash command, execute or enable the restricted shell for any user to follow the below steps:

  1. Create a local user “ignite”
  2. Set password
  3. Set usermod to enable rbash for a local user.
  4. Ensure accessible shell for the user with the help of /etc/passwd.

Method to Bypass rbash

  1. Bypass rbash using Editors
  • Vi-editors
  • Ed-editors
  1. Bypass rbash using One liner
  • Python
  • Perl
  • Awk
  1. Bypass rbash through Reverse Shell
  2. Bypass rbash using System binaries
  • More
  • Less
  • Man
  1. Bypass rbash using Expect
  2. Bypass rbash through SSH

Bypass rbash using Editors

Now suppose you have accessed the host machine as a local user and found the logged user is part of rbash shell thus you are unable to run some system commands, such as: cd (change directory) because due to rbash it is restricted.

Now the question is: Then what will you do in such a situation? 🤔

And the answer is: Use “Editors Programs” to bypass the restricted mode. 😇

1st method – VI Editor

So you can use the VI editor and this will be in the edit mode where you need to run the following command to open the “sh: Bourne shell” instead of rbash.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd method- ed-Editor

You can also go with ed-editor which very easy to use as this is same as cat program that will provide inline edit mode where you can use the following command to call “sh: Bourne shell”

Now again if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

There many more editors such as pico or nano which you should by yourself to bypass rbash environment.

Bypass rbash using One liner

1st Method Python

You can also choose python following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

2st Method Perl

Similarly, you can also choose Perl following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

3rd Method- Awk

Similarly, you can also choose awk following command as a one-liner to import “sh: Bourne shell” and spawn the proper sh shell instead of rbash as shown below where we are able to access the /etc directory without any restriction.

Bypass rbash through Reverse Shell

1st-Method Python

You can also choose reverse shellcode to bypass rbash, here we have use python reverse shellcode (penetestmokey) and this will throw the “sh: Bourne shell” to the listen to machine (Kali Linux in our case) on the netcat which is listening over our Kali Linux.

After running the listener we will be running the following command.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd Method – PHP

Similarly, you can use PHP reverse shellcode which need to be executed on the host machine and reverse connection will be accessible on Listening IP.

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash using System binaries

Very few people know this, that some system binaries program (such as less, more, head, tail, man and many more) are very useful to bypass restricted environment.

Consider a situation where you a log file named ignite.txt inside the current directory and you allow to only a few commands such as more or less to read the logs.

1stMethod-/bin/more

Take the privilege of /bin/more program to bypass the restricted environment by executing following command on the rbash shell

more ignite.txt

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

2nd Method-/bin/less

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

3rd Method-/bin/man

Take the privilege of /bin/less program to bypass the restricted environment by executing following command on the rbash shell

Now if you will try to access /etc directory then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash using Expect

Expect is a Unix program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be.

Take the privilege of /bin/usr/expect the program to bypass the restricted environment by executing the following command on the rbash shell.

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

Bypass rbash through SSH 

If you know the ssh credential of the user who is part of rbash shell, then you can use the following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

Now if you will try to access /etc directory once again then you will saw that you are able to run cd & pwd command as shown below.

Reference: http://manpages.ubuntu.com/manpages/cosmic/man1/rbash.1.html

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here