ch3hg+ (Methylmercury)

Methylmercury is a destructive red team tool that runs an exhaustive Dijkstra’s algorithm search over the exploits it is able to perform.

Instead of only attempting predefined search paths for exploits, it attempts privilege escalation into any user, then uses those users to escalate even higher, leaving malicious barbs and fuses in its wake.

Its counterpart is a detection tool called Chelation, which similarly searches exhaustively and tries to prevent and detect Methylmercury before the damage becomes too severe.

If you condone this scanning tool, you’ll have to unlist it from your AV signatures. Anything running this signature should probably be killed on sight (just like Cobalt Strike)… but then again I’ll try to evade Chelation at each stage.

Establishing outside communication

  • inbuilt connection
  • passing to a builtin command
  • Tor (cretz/bine)
  • reverse shells
  • bind shells

Search Methods

  • inbuilt syscalls
  • using a builtin command
  • referencing the files you can read

Exploit Methods

  • Metasploit database


To attempt privilege escalation

  • replace .bashrc
  • false exit to previous user (by detecting it and forwarding sudo commands)


To prevent or destroy analysis

  • prevent viewing bash_history
  • prevent analysis of a directory
  • bash_history replacement