Skip to content

Instantly share code, notes, and snippets.

@PSJoshi

PSJoshi/rbash-escape.md

Last active January 7, 2024 20:40
Show Gist options
  • Star 7 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save PSJoshi/04c0e239ac7b486efb3420db4086e290 to your computer and use it in GitHub Desktop.
Save PSJoshi/04c0e239ac7b486efb3420db4086e290 to your computer and use it in GitHub Desktop.
Download ZIP
Escape from rbash to bash shell
Raw
rbash-escape.md

Change rbash to bash

psj@ubuntu:~$ ssh psj@server_name-t "bash --noprofile"

List available commands:

$ compgen -c

Essentially you need to do the following:

a) start bash without source'ing either ~/.bashrc or ~/.bash_profile 
b) since such a shell wouldn't be a full login shell / have no tty attached, force ssh to attach a tty:

Good presentation on rbash escape

Other interesting links for Rbash hardening

@F-Masood
Copy link

F-Masood commented Nov 2, 2021

nice work !!!

@substing
Copy link

substing commented Jan 4, 2024

Very helpful! The first line should have a space before t, or else ssh will not be able to resolve the remote host.
It should be psj@ubuntu:~$ ssh psj@server_name -t "bash --noprofile"

Forgive me for being the "well actually..." guy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment