Protected File Transfer
When transferring sensitive files (PII, financial data, trade secrets, etc.), encrypt them before the transfer so the data cannot be read if it is intercepted in transit.
Windows
PS C:\htb> Import-Module .\Invoke-AESEncryption.ps1
PS C:\htb> Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt
File encrypted to C:\htb\scan-results.txt.aes
PS C:\htb> ls
Directory: C:\htb
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/18/2020 12:17 AM 9734 Invoke-AESEncryption.ps1
-a---- 11/18/2020 12:19 PM 1724 scan-results.txt
-a---- 11/18/2020 12:20 PM 3448 scan-results.txt.aes
Linux
> openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
decrypt:
> openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
enter aes-256-cbc decryption password:
Creating a secure web server for file upload operations
make upload directory
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
change owner to www-data
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
create the configuration file /etc/nginx/sites-available/upload.conf
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
Symlink our Site to the sites-enabled Directory
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
start nginx
sudo systemctl restart nginx.service
If we get any error messages, check /var/log/nginx/error.log. If using Pwnbox, we will see port 80 is already in use.
view log
tail -2 /var/log/nginx/error.log
2020/11/17 16:11:56 [emerg] 5679#5679: bind() to 0.0.0.0:80 failed (98: Address already in use)
2020/11/17 16:11:56 [emerg] 5679#5679: still could not bind()
look at the process's PID
ss -lnpt | grep 80
LISTEN 0 100 0.0.0.0:80 0.0.0.0:* users:(("python",pid=2811,fd=3),("python",pid=2070,fd=3),("python",pid=1968,fd=3),("python",pid=1856,fd=3))
view the process behind that PID
ps -ef | grep 2811
user65 2811 1856 0 16:05 ? 00:00:04 python -m websockify 80 localhost:5901 -D
root 6720 2226 0 16:14 pts/0 00:00:00 grep --color=auto 2811
We see there is already a module listening on port 80. To get around this, we can remove the default Nginx configuration, which binds on port 80.
remove default config
sudo rm /etc/nginx/sites-enabled/default
Upload the file from target machine
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
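
The encrypt-then-transfer flow from this page as a set of shell helpers (an added example, not part of the original notes). The function names, the passphrase file and the plaintext digest file are assumptions; the openssl options and the upload URL shape are the ones used above.

```shell
# Added example. File names and the passphrase-file approach are
# assumptions; the cipher options match the openssl commands on this page.

# sha256_of <file>: print the hex SHA-256 of a file
sha256_of() {
    openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
}

# protect_file <infile> <passfile>: writes <infile>.enc and <infile>.sha256
protect_file() {
    # CBC mode from `openssl enc` carries no integrity tag, so record a
    # digest of the plaintext to check after decryption.
    sha256_of "$1" > "$1.sha256" || return 1
    # -pass file: reads the passphrase from the first line of the file,
    # keeping it out of shell history and the process list.
    openssl enc -aes256 -iter 100000 -pbkdf2 \
        -pass "file:$2" -in "$1" -out "$1.enc"
}

# is_openssl_salted <file>: true if the file starts with the "Salted__"
# magic that `openssl enc` writes ahead of the 8-byte salt.
is_openssl_salted() {
    [ "$(head -c 8 "$1" | tr -d '\0')" = "Salted__" ]
}

# recover_file <encfile> <passfile> <digestfile> <outfile>
# Fails on a wrong passphrase or when the result does not match the digest.
recover_file() {
    openssl enc -d -aes256 -iter 100000 -pbkdf2 \
        -pass "file:$2" -in "$1" -out "$4" || return 1
    [ "$(sha256_of "$4")" = "$(cat "$3")" ]
}

# safe_upload <file> <url>: refuse to PUT anything that is not openssl output
safe_upload() {
    if ! is_openssl_salted "$1"; then
        echo "refusing to upload unencrypted file: $1" >&2
        return 1
    fi
    curl --fail -T "$1" "$2"
}

# Usage:
#   protect_file scan-results.txt ./passfile
#   safe_upload scan-results.txt.enc http://localhost:9001/SecretUploadDirectory/scan-results.txt.enc
#   recover_file scan-results.txt.enc ./passfile scan-results.txt.sha256 scan-results.txt
```

The digest file only helps if it reaches the recipient by a path separate from the upload, since the nginx listener above is plain HTTP.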