Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Malwrologist Profile picture
Malwrologist
@DissectMalware
Cybersecurity researcher DM is always open xlmdeobfuscator: https://t.co/zlbtaqE1YS
Aug 4, 2018 5 tweets 7 min read
#linux #bash #path #obfuscation
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape characher: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
.... #path #obfuscation using #symbolic #link
ln -s / anything
head -n 2 anything////../etc/passwd

ln -s ../../ wow
head -n 2 ././wow/../etc/passwd

* ../ after a sym link applies to the sym link not the current path
Jul 30, 2018 6 tweets 6 min read
#linux #bash #obfuscation using shell parameter expansion:

alphabet=abcdefghijklmnopqrstuvwxyz
${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really

gnu.org/software/bash/…
similar #bat #windows (ss64.com/nt/syntax-subs…) The goal is to obfuscate the following command:
cat really
in which, really is a file.
Jul 29, 2018 13 tweets 6 min read
#linux #bash #obfuscation using octal vals
$'\143\141\164' really

gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

Variations
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem)