in security, especially red team, this is called “living off the land,” where an attacker or red team member uses only tools installed on the target machine to do whatever nefarious business. There are also the requisite handwringing over it as well.
I’ve gone so far as to write little shells whenever I see remote code executions, so that I can just use the RCE and not have a real footprint outside of the logs; for example this tiny shell installs just a small beacon on a host that has a file upload vulnerability, but I’ve repurposed tramp and shell to provide the same functionality when only an RCE is present.
I honestly prefer it; it’s way easier to clean up, as you must simply tell the client where the RCE was and how to fix it, rather than hoping that they also find all your files. There have definitely been hosts that when I went back to do another assessment, my old beacon was still running, and thus I had an instant Critical even tho the development team had fixed the original issue (as a side note, I approach that topic gingerly; if the original vuln is fixed and someone just missed one of my beacons, I try to get that removed prior to adding it to the report, assuming local infosec resources are on board with that. It means that the devs don’t feel like I’m scoring points and everyone is more secure because the issue was fixed anyway).
edit homophones, how do they work? (right => write)
Some folks would’ve just requested a Forth or a Lisp. Then, they add whatever they want. Full environment. :)
I wrote a Forth for CTFs once; it was meant to be able to easily compile statically, base64, and then upload to the host. Was a lot of fun.