Tips, tricks, & pitfalls

Mind the gap!

Finally, we collect some tips, tricks, and common pitfalls to watch out for.

TIP: Including files

It's easy to include text-based files in your payload, so that the user does not have to edit or upload a second file. This trick is used in the OpenVPN configuration example:

cat <<EOF > /some/file/path
file contents
go here
multiple lines are fine

blank lines are fine too

when we're done
EOF

This trick will dump everything between the cat line and the EOF line to the specified file.

TIP: Directing output to stdout

Not all tools support this, but many tools will accept - as a special filename indicating data should be written to the stdout (or console) stream instead of a file.

One of the most useful tools that supports this trick is wget. Instead of saving a download to a file, it can be echoed to stdout:

wget -O - https://fake.host/some/file 2>/dev/null

The -O argument specifies the output file to wget, and the - argument sends it to the output stream. We also use the stderr redirect to hide the status output of wget.

TIP: Always set a network mode!

We've said it in other sections, but always remember to set a network mode in your payloads! If there is no NETMODE command in the payload, the Packet Squirrel will remain offline and not pass any traffic from the Target port!

PITFALL: Ligatures and fancy quotes

A ligature is the combination of multiple characters for presentation. Common ligatures combine characters like >= into ≥ and -- into – (notice how it is a subtly longer dash!).

Similarly, "fancy" quotes replace the standard straight double quote (") and straight single quote (') with more legible versions: “ ” and ‘ ’.

Why are these a problem? Because as far as Bash is concerned, these are not the same characters. Fancy and curly quotes are not quotes and will not parse! Similarly, when running a command with a long option like ./script --option-one, a typographically long dash is not the same as a double dash!

These fancy characters can appear when copying examples from online sources, or when editing code in a more traditional text editor instead of one designed specifically for code editing.
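A pre-deployment check covering the NETMODE tip and the ligature pitfall above, meant to be run on the workstation where the payload is edited. This is an added example, not part of the Packet Squirrel tooling: the function names are hypothetical and the sample payload lines are constructed.

```shell
#!/bin/sh
# Payload lint (added example; all function names here are hypothetical).

# Print "line:content" for each line containing a byte outside printable
# ASCII (tab allowed). Curly quotes and long dashes are multi-byte UTF-8, so
# all of them are caught; a CR from Windows line endings is flagged as well.
# Exit status 0 means offending lines were found, 1 means the file is clean.
find_non_ascii() {
    LC_ALL=C grep -an "[^ -~$(printf '\t')]" "$1"
}

# True when a line begins with the NETMODE command (a commented-out
# "# NETMODE ..." line does not count).
has_netmode() {
    grep -Eq '^[[:space:]]*NETMODE([[:space:]]|$)' "$1"
}

# Run both checks. Returns 0 if clean, 1 on findings, 2 if unreadable.
lint_payload() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    status=0
    if bad=$(find_non_ascii "$1"); then
        echo "non-ASCII characters (fancy quotes or long dashes?) on:" >&2
        echo "$bad" >&2
        status=1
    fi
    if ! has_netmode "$1"; then
        echo "no NETMODE command: the device would remain offline" >&2
        status=1
    fi
    return "$status"
}

# Constructed samples: $1 gets curly quotes, a long dash and no NETMODE;
# $2 gets the corrected form. Octal escapes keep this script pure ASCII.
make_samples() {
    printf 'echo \342\200\234starting\342\200\235\n./script \342\200\223option-one\n' > "$1"
    printf 'NETMODE NAT\necho "starting"\n./script --option-one\n' > "$2"
}

# Usage: sh lint.sh /path/to/payload
if [ "$#" -gt 0 ]; then
    lint_payload "$1"
fi
```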
