Funny Deadly Linux Strings

Security researcher x0xr00t Likes to play around with funny encoding strings that execute directly after decrypt.

Funny Deadly Linux Strings
Carpe Diem by Manuel Cetina

Hello Folks, i am Patrick Hoogeveen AKA x0xr00t, I was recently playing around with some funny encoding strings, ones that decrypt and execute directly after decrypt due to pipes and $().

I played at first with a echo, that send a rot47 string to a pipe to decrypt, then a pipe to send to bash with $().

Then I started playing with double encoded strings. For that I took this path

echo "eDB4cjAwdCB5cyBpIENvdWxkIE9mIFJldmVyc2UgZWxsZWQgdSBieSBub3cuCngweHIwMHQK" | base64 --decode

* Under the hood explaining.
Kinda bit of goofy but, its 2 sets of encryptions.

. Outside is a
* base64 string
. Inside code within the b64
* a rot47 cypher

*Base64>rot47 | tr decode| bash $() > string to use
Then once i got that working i was like cewl lets tripple encode it

So for that i took this road

echo '78307872303074207973206920436f756c64204f66205265766572736520656c6c65642075206279206e6f772e0a783078723030740a' | xxd -ps -r                                                             1 ⚙

But whats going on here ?
It's a Hex>b64>rot47>string to exec with same method as namaed above for the base64 dubble encoded string that decrypts and also exec directly in to bash.  

Example 1 

echo '78307872303074207973206920436f756c64204f66205265766572736520656c6c65642075206279206e6f772e0a783078723030740a' | xxd -ps -r

* Under the hood explaining.
Kinda bit of goofy but, its 3 sets of encryptions.

. Outside is a
* Hexidecimal cipher
. Second layer is bs64
* base64 cipher
. Inside code within the b64
* a rot47 cipher

What is going on here??

Well thats quite easy to explain we take a echo rot47 which is payloaded to echo out. This we decrypt and make it executable. The base64 been put on top of that, and to top it off we put a hexidecimal on top of it wich decrypts the whole payload.

This particular code still uses the same example used as before the echo payload, I could have done any accept a echo out, but lets say drop a reverse shell in there.

example 2

Kinda the same idea goin here with hex use only, but same idea, decrypt and exec with pipes and $()  to exec the decoded string directly in to bash.

Gunning for the root with kinda simular tactics.

Example 3

Here we use a root check encoded in hex that we decode and exec directly in bash.
As you can see the regular user running it gets asked to run with root, and the root cats the /etc/sudoers/

I hope i inspired you with this read to think more out of the box, and use such methods or improve them to your suitable wishes.

Thanks for the time.