10 - Evasion Tools

# Linux BASH Obfuscation - [Bashfuscator](https://github.com/Bashfuscator/Bashfuscator) can be used to obfuscate BASH commands - Installing `bashfuscator` ```bash git clone https://github.com/Bashfuscator/Bashfuscator cd Bashfuscator pip3 install setuptools==65 python3 setup.py install --user ``` - Using `bashfuscator` ```bash cd ./bashfuscator/bin/ ./bashfuscator -h #shows help menu ./bashfuscator -c 'cat /etc/passwd' #use the -c flag too specify a command to obfuscate [+] Mutators used: Token/ForCode -> Command/Reverse [+] Payload: ${*/+27\[X\(} ...SNIP... ${*~} [+] Payload size: 1664 characters ``` - Running the tool this way will randomly pick an obfuscation technique, which can output a command length ranging from a few hundred characters to over a million characters - So, we can use some of the flags from the help menu to produce a shorter and simpler obfuscated command ```bash ./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1 [+] Mutators used: Token/ForCode [+] Payload: eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)" [+] Payload size: 104 characters ``` - Test command by using `bash -c '<obfuscated_command>'` # Windows Obfuscation - [DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation) is similar to the above Linux tool; however, it employs an interactive approach to obfuscation - Installing `DOSfuscation` ```powershell PS C:\htb> git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git PS C:\htb> cd Invoke-DOSfuscation PS C:\htb> Import-Module .\Invoke-DOSfuscation.psd1 PS C:\htb> Invoke-DOSfuscation Invoke-DOSfuscation> help HELP MENU :: Available options shown below: [*] Tutorial of how to use this tool TUTORIAL ...SNIP... Choose one of the below options: [*] BINARY Obfuscated binary syntax for cmd.exe & powershell.exe [*] ENCODING Environment variable encoding [*] PAYLOAD Obfuscated payload via DOSfuscation ``` - Try running obfuscated command with `cmd.exe` ```cmd C:\htb> typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt test_flag ``` - Note: If we do not have access to a Windows VM, we can run the above code on a Linux VM through `pwsh` - Run `pwsh`, and then follow the exact same command from above