how to hack rbash --?

Question

I'm solving CTF challenge, and have to escalate the privilege from user1 to user2, $HOME is read-only, so i can't change $HOME/.bashrc.
sudo -l shows (user2) NOPASSOWRD: /usr/rbash -- i can't write any commands before or after --, it doesn't escalate.

I must get user2 privilege to read a file owned by it, any idea how to get through this?

while $HOME is user1 home, sudo -u user2 rbash -- will cd me to my home $HOME/jail. in a restricted shell, and PATH is set to $HOME/jail, i have tested all possible commands that i can use to escape jail, i almost left nothing, so i can tell that $HOME/jail is empty directory!

Is `rbash` the real `rbash`, or is it custom/modified for the CTF? What commands are allowed? — multithr3at3d, Nov 08 '20 at 15:21
yes i guess, it conforms to the man page description, hell of a jail! — Error, Nov 08 '20 at 15:28
the challenge starts with rbash shell, then you need to go escalate through 14 layers to get your target, in first layer PATH is set to $HOME/jail1 which has vim, and i can break through it, in layer 14, once again PATH is set to $HOME/jail2, which is user2 home, and i can't use ls, or even echo *, and i tested all possible commands i can used to escalate my privilege but nothing works! so the solution around the commands rbash -- itself, — Error, Nov 08 '20 at 15:33
You still haven't said which commands are available at layer 14, if any. — multithr3at3d, Nov 08 '20 at 15:36
i skimmed sl source code, i can't find way to drop a shell through it, or read a file! — Error, Nov 08 '20 at 16:34
Did you try `*` by itself? Because it would execute the command if that's all there is in that folder and otherwise it gives you an error with the list of files? — Alexis Wilke, Nov 09 '20 at 01:50
echo * lists sl (steam locomotive animation)! i checked the source code, i doesn't think it's possible to command-inject sl — Error, Nov 09 '20 at 11:58

how to hack rbash --?

0 Answers0