Someone has hidden a directory to fool policies on a FTP account. The directory name was 0x0d0x0a.
How did the user create a folder with that name?
The directory is nearly invisible with ls but discoverable with find.
- Doesn't ls with the inode option turned on display this directory?munchkin– munchkin2015-04-18 23:58:47 +00:00Commented Apr 18, 2015 at 23:58
Add a comment |
1 Answer
The directory name is not the string '0x0d0x0a' (which are eight plainly visible characters) but a string consisting of exactly two characters, the ASCII "CR" (carriage return) and "LF" (line feed), which are encoded as two bytes of value 13 (0x0D in hexadecimal) and 10 (0x0A), respectively.
From the point of view of the operating system, file and directory names are just bunches of bytes, with only two special byte values: 0x00 (which terminates the string) and 0x2F (the '/' which separates directory names in a path)(I am assuming a Unix-like server here, but the situation would be similar on a Windows system). Bytes of value 0x0D and 0x0A have no special meaning at all for the kernel. However, tools with a text-based output may be fooled (e.g. it might display the name as a newline, which would not be clearly visible as such in the output).
With a Linux shell, you can create such a directory with this command:
mkdir `printf '\x0d\x0a'` To do that from a FTP client, you would have to delve into the way the FTP protocol works so as to know how to encode the corresponding MKD command, but I see no conceptual impossibility.
