
cat -b --ShowHex doesn't seem to work on Linux

Open 59e5aaf4 opened this issue 1 year ago • 1 comments

Not sure what's going on. I suspect it's a Linux vs Windows RTR scripts issue. Confirmed by unaliasing the commands using auditd & script block logging. (haha)

/ # cat /home/user/.bash_history -h
Usage: cat [-h] [-b] file

Read a file from disk and display as ASCII or hex.

positional arguments:
  file           File to read the contents of

optional arguments:
  -h, --help     show this help message and exit
  -b, --ShowHex  Show the results in hexadecimal byte format instead of ASCII

/ # cat -b /home/user/.bash_history
Executing command: cat /home/user/.bash_history -ShowHex
hostname:
At least one error was detected. Check the log file for full details.
List of errors detected:

On Windows it works:

C:\> cat C:\windows\system32\drivers\etc\hosts -
[-b, --ShowHex]    [-h, --help]       
C:\> cat C:\windows\system32\drivers\etc\hosts -b
Executing command: cat C:\windows\system32\drivers\etc\hosts -ShowHex
hostname: 23-20-43-6F-70-79-72-69-67-68-74-20-28-63-29-20-31-39-39-33-2D-32-30-30-39-20-4D-69-63-72-6F-73-6F-66-74-20-43-6F-72-70-2E-0D-0A-23-0D-0A-23-20-54-68-69-73-20-69-73-20-61-20-73-61-6D-70-6C-65-20-48-4F-53-54-53-20-66-69-6C-65-20-75-73-65-64-20-62-79-20-4D-69-63-72-6F-73-6F-66-74-20-54-43-50-2F-49-50-20-66-6F-72-20-57-69-6E-64-6F-77-73-2E-0D-0A-23-0D-0A-23-20-54-68-69-73-20-66-69-6C-65-20-63-6F-6E-74-61-69-6E-73-20-74-68-65-20-6D-61-70-

Not sure how the translation to actual parameters from RTR options is made under the hood.

PARAMETER WD
   Current working directory
PARAMETER Param1
   File to concatenate
PARAMETER Param2
   Number of bytes to read (max=32768)
PARAMETER Param3
   Offset (in byte value) to start reading from
PARAMETER Param4
   Show the results in hexadecimal format

The bash script doesn't seem to have the same options, and the associated code doesn't seem to implement any of these (???)

# PARAMETER WD
#    Current working directory
# PARAMETER Param1
#   File to concatenate
# PARAMETER Param2
#    Number the output lines starting from 1
# PARAMETER Param3
#    Display non-printing characters, and display tab characters as `^I'.

Not sure if the problem lies in falcon-toolkit offering options that don't exist on Linux, or in RTR scripts that don't support doing advanced hacking techniques known as "a hex dump" :D

Cheers

59e5aaf4, Dec 14 '23 13:12
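The mismatch reported above can be checked mechanically. The following is an added example, not code from the issue or from Falcon-Toolkit: it parses the two PARAMETER help blocks quoted in the issue and reports which platform's script documents a hexadecimal option. The function names `parse_parameters` and `platforms_supporting` are hypothetical.

```python
import re

# Parameter help blocks copied from the issue above (Windows script, then Linux script).
WINDOWS_HELP = """\
PARAMETER WD
   Current working directory
PARAMETER Param1
   File to concatenate
PARAMETER Param2
   Number of bytes to read (max=32768)
PARAMETER Param3
   Offset (in byte value) to start reading from
PARAMETER Param4
   Show the results in hexadecimal format
"""
LINUX_HELP = """\
# PARAMETER WD
#    Current working directory
# PARAMETER Param1
#   File to concatenate
# PARAMETER Param2
#    Number the output lines starting from 1
# PARAMETER Param3
#    Display non-printing characters, and display tab characters as `^I'.
"""

def parse_parameters(help_text):
    """Return {parameter name: description} from a PARAMETER help block."""
    params, current = {}, None
    for raw in help_text.splitlines():
        line = raw.lstrip("#").strip()  # the Linux block is shell-commented
        match = re.fullmatch(r"PARAMETER\s+(\S+)", line)
        if match:
            current = match.group(1)
            params[current] = ""
        elif current and line:
            params[current] = (params[current] + " " + line).strip()
    return params

def platforms_supporting(keyword, scripts):
    """List platforms whose script documents a parameter mentioning keyword."""
    return [name for name, text in scripts.items()
            if any(keyword.lower() in desc.lower()
                   for desc in parse_parameters(text).values())]

SCRIPTS = {"windows": WINDOWS_HELP, "linux": LINUX_HELP}

if __name__ == "__main__":
    print("hexadecimal supported on:", platforms_supporting("hexadecimal", SCRIPTS))
```

The parsed output also shows that Param2 and Param3 carry different meanings on each platform, so a client that passes options positionally needs a per-platform mapping.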