Playing with the cat (in the command line)

The name of cat utility is derived from its function to concatenate files, so nothing about kittens, i’m sorry!

Cover image courtesy of Ivo The Cat

cat is a tool which reads data from one locations and writes it to another.
Usually it is used to read text from a file and write it to STDOUT, and it also supports some control characters, such as line-feeds \f, newlines \n and carriage returns \r.

Let’s try to focus on of rendering carriage return \r characters: \r will move the cursor back to the beginning of the line, and characters printed thereafter will be written over anything that was printed previously.

So, if we create a textfile containing a string, plus a \r character and another string, a cat of this file will display only the second string, because the first will be overwritten.

For example, with this simple python script:

#!/usr/bin/env python
hidden_string = "echo 'This is an hidden string!'"
visible_string = "echo 'This is a visible string!'"
with open("", "w") as f:
    output = "#!/bin/sh\n"
    output += hidden_string + ";" + visible_string + " #\r" + visible_string + " " * (len(hidden_string) + 3) + "\n" #add spaces in order to overwrite the entire hidden string
print ("Done!")

We are able to write a bash script that displays a result if processed with cat but performs more operations if executed:

[email protected]:~/Projects/CatJoke$ ./
[email protected]:~/Projects/CatJoke$ ls
[email protected]:~/Projects/CatJoke$ cat
echo 'This is a visible string!'
[email protected]:~/Projects/CatJoke$ bash
This is an hidden string!
This is a visible string!

This is a simple joke, however it may also have some security impacts: when downloading a script from the Internet, most users checks the content of the script using the cat command.
So, a bad actor can use this trick to embed malicious code into a script seemingly safe.

Luckily, the same file opened with an editor reveals the real content, and also cat is able (-A) to display file content ignoring the control characters:

[email protected]:~/Projects/CatJoke$ cat -A
echo 'This is an hidden string!';echo 'This is a visible string!' #^Mecho 'This is a visible string!'


Related posts

  1. pySchö: algorithmic music composition
  2. i3: how to make a pretty lock screen with a small bash script
  3. Social Engineering in penetration tests: my point of view and my own custom tool
  4. SpiderFoot 3.0: OSINT reconnaissance tool
  5. PEpper: a python script to perform malware static analysis on Portable Executable format