Advanced Command Obfuscation

Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1.

For this question I have encoded this command with base64 and included the decoding line within my payload, but it just won't work. I do not get an invalid input, but the output is just the result of the ping.

Any idea why my output is not showing? I have tried using $@ to separate bash and base64, but I believe I do not need to, as I am not getting an ‘invalid input’ shown.

I just found the answer; I was going wrong with what the question was asking. I did not understand that when it says “find /usr/share/ | grep root | grep mysql | tail -n 1” it meant that find was also within this set of commands and not just meaning find.

Remember to include find when encoding this, otherwise you will end up like me looking stupid here haha. I hope this helps anyone in the future who has the same problem I have had.

thanks so much!!!

Hi there, just tried a few ways… once with reverse commands but without success, now encoded as per your post (with find) but without success:

ip=127.0.0.1%0abash<<<${base64%09-d<<<ZmluZCAvdXNyL3NoYXJlIHwgZ3JlcCByb290IHwgZ3JlcCBteXNxbCB8IHRhaWwgLW4gMQ==}

Decoded: find /usr/share | grep root | grep mysql | tail -n 1

What am I doing wrong? Do you have a hint for me?

Try simplifying/reducing the input. I did that and it worked. I think the full command is generating some error.

Anyone having problems with the next section, Evasion Tools? When I install bashfuscator and supply a command, it does not work.

I have a problem with the same module, but not in the last question. I cannot figure out how to do the exercise:

$(a="WhOaMi";printf %s "${a,,}")
Exercise: Can you test the above command to see if it works on your Linux VM, and then try to avoid using filtered characters to get it working on the web application?

I cannot figure out how to solve it with a semicolon; I did, however, manage with a newline. I tried:
ip=127.0.0.1%0a$(bash<<<"a='WhOami'{LS_COLORS:10:1}"'printf%09%25s%09"${a}"')
It works on my computer, but the server just returns the output of the ping command.

I am having this issue as well. So far, I haven’t been able to get anything to run properly when created with bashfuscator.

Edit: the trick is to switch to bash before running bashfuscator.
It seems the tool assumes you’re already in bash (I spend most of my time in zsh).

After switching to bash before running it, I now have… probably 50% success with the generated payloads? Not too bad; definitely test them locally before trying them on a target!

One thing I see is that you are missing the $ character for your {LS_COLORS:10:1} parameter expansion.

I also can't get this one to work; I'm using this code:

ip=127.0.0.1%0abash<<<${base64%09-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=}

Something seems to be wrong with this section. The following injection works to print the last 5 lines:

127.0.0.1%0a"t’ai’l"%09-n5%09$(“g’re’p”%09mysql<<<$(“g’re’p”%09root<<<$(“f’i’n’d’”%09${PATH:0:4}${PATH:0:1}share)))

If I set the tail command to just print the last line (per the lab’s instructions), only a newline is printed. This is apparent when printing the last N lines as well; however, trying to give an answer of “new-line”, “\r”, “\n”, or “\r\n” is not considered the correct answer. The second-to-last line (which actually has text) is also not considered the correct answer.

Not sure if I am doing something incorrectly or if there is something wrong with the lab.

NVM, I thought I had to print the last line of the file. The answer is the file name, not the last line in the file.