☑️Interactive Shells

Sometimes when we establish a connection with the target we will get a limited shell (also called a jail shell) and we have to spawn an interactive shell lets say with Python TTY Bourne shell.

If Python isn't installed then there are several other ways to spawn a shell.

With most Linux systems, we will likely come across Bourne shell (/bin/sh) and Bourne again shell (/bin/bash) present on the system natively.

bin/sh -i

This command will execute the shell interpreter specified in the path in interactive mode (-i).

Perl

If the programming language Perl is present on the system, these commands will execute the shell interpreter specified.

perl —e 'exec "/bin/sh";'

or from a script,

perl: exec "/bin/sh";

Ruby

f the programming language Ruby is present on the system, this command will execute the shell interpreter specified, run it from a script:

ruby: exec "/bin/sh"

Lua

If the programming language Lua is present on the system, we can use the os.execute method to execute the shell interpreter specified using the full command below, run it from a script:

lua: os.execute('/bin/sh')

AWK

AWK is a C-like pattern scanning and processing language present on most UNIX/Linux-based systems, widely used by developers and sysadmins to generate reports. It can also be used to spawn an interactive shell. This is shown in the short awk script below

awk 'BEGIN {system("/bin/sh")}'

Find

Find is a command present on most Unix/Linux systems widely used to search for & through files and directories using various criteria. It can also be used to execute applications and invoke a shell interpreter.

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

This use of the find command is searching for any file listed after the -name option, then it executes awk (/bin/awk) and runs the same script we discussed in the awk section to execute a shell interpreter.

We can also use exec to launch a shell:

find . -exec /bin/sh \; -quit

This use of the find command uses the execute option (-exec) to initiate the shell interpreter directly. If find can't find the specified file, then no shell will be attained.

VIM

We can also spawn a shell with vim, intersting to know:

vim -c ':!/bin/sh'

Vim Escape:

vim
:set shell=/bin/sh
:shell

Checking Permissions

In addition to knowing about all the options listed above, we should be mindful of the permissions we have with the shell session's account. We can always attempt to run this command to list the file properties and permissions our account has over any given file or binary:

ls -la <path/to/fileorbinary>

We can also attempt to run this command to check what sudo permissions the account we landed on has:

sudo -l
Matching Defaults entries for apache on ILF-WebSrv:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User apache may run the following commands on ILF-WebSrv:
    (ALL : ALL) NOPASSWD: ALL

Note: Not only will considering permissions allow us to see what commands we can execute, but it may also start to give us an idea of potential vectors that will allow us to escalate privileges.

PreviousLinux/Unix Shells NextWeb Shells

Last updated 1 year ago