A penetration tester often needs to share files with the machines they are enumerating. If you have managed to obtain a web shell or a reverse shell, your next step is to do a little dance to praise the shell gods. After that you want to sit back down and look for information that enables further attacks.
At this point you need to answer the question: “how am I going to get tools onto a server that can do some heavy lifting?”
What tools would you want to upload to a Linux server? Things that are good at checking for privilege escalations, of course! Like the ones discussed at the link below:
Over time you will add to your toolkit and make your own. Bundle things up so that you can get your regular tools onto the target ASAP.
Now that you know what you want to upload, let's make sure you CAN upload them.
Simple HTTP Server
For most situations a simple Python HTTP server will do. On Python 2 the module is SimpleHTTPServer:
python -m SimpleHTTPServer <port> # Syntax
python -m SimpleHTTPServer 8080 # Example
On Python 3 the same thing is python3 -m http.server 8080 (same behaviour, same logging).
This starts an HTTP server that serves files via HTTP GET on TCP port 8080. It shares the full contents of your present working directory, directory listings included, so before you run it make sure the folder holds only files you do not mind handing to anyone who can reach that port.
I usually create a folder under /tmp/ for an engagement, since it is cleared at reboot on most distributions; keep anything you need for the report somewhere that persists.
The following screenshot shows how that looks when it is running:
You can browse to http://localhost:8080/ yourself to check it works; every request is logged to the terminal with its status code, such as 200 “OK” and 404 “Not Found”, which also tells you when the target has actually picked a file up.
On the victim's machine use “wget” (or curl, if wget is not installed) to download from your simple HTTP server, pointing at an IP address the target can reach you on rather than localhost. Compare a checksum of what arrived with the original before running it; a truncated or tampered download is a waste of a shell.
For most use cases this is all you will need.
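As an added example (not code from the original post): the stdlib equivalent of the one-liner above, driven from Python so the whole exchange can be seen end to end. It serves a constructed staging directory on a loopback port, fetches a file and checks its SHA-256 on the receiving side, requests a missing path to see the 404, and shows that the directory index exposes every file in the folder. The file names and contents are constructed for the demo.

```python
import functools
import hashlib
import os
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


class QuietHandler(SimpleHTTPRequestHandler):
    """Same behaviour as `python3 -m http.server`, minus the per-request log lines."""

    def log_message(self, fmt, *args):
        pass  # the CLI prints "GET /x HTTP/1.1" 200/404 lines here; silenced for the demo


def serve_directory(directory):
    """Serve `directory` over plain HTTP on 127.0.0.1 on a free port.

    Returns (server, base_url); the caller must shut the server down."""
    handler = functools.partial(QuietHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def fetch(url):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """Stage two constructed files, serve them, and pull one back the way a
    target would. Returns a dict of observations for checking."""
    with tempfile.TemporaryDirectory() as staging:
        tool = b"#!/bin/sh\necho 'constructed stand-in for a privesc checker'\n"
        with open(os.path.join(staging, "privesc-check.sh"), "wb") as fh:
            fh.write(tool)
        # Something that should never have been in the staging folder.
        with open(os.path.join(staging, "client-notes.txt"), "w") as fh:
            fh.write("constructed engagement notes\n")
        expected = sha256_hex(tool)

        server, base = serve_directory(staging)
        try:
            tool_status, body = fetch(f"{base}/privesc-check.sh")
            missing_status, _ = fetch(f"{base}/does-not-exist")
            index_status, index = fetch(f"{base}/")
        finally:
            server.shutdown()
            server.server_close()

    return {
        "tool_status": tool_status,                         # 200
        "tool_hash_ok": sha256_hex(body) == expected,       # verify before running it
        "missing_status": missing_status,                   # 404
        "index_status": index_status,                       # 200: a listing is served
        "index_lists_notes": b"client-notes.txt" in index,  # every file is exposed
    }


if __name__ == "__main__":
    print(demo())
```

The index check is the point of the warning above: with no index.html in the folder, the server happily renders a listing of everything in it, so the staging directory should contain tools and nothing else.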
Simple HTTPS Server
What if your target has some sort of traffic inspection and only allows HTTPS out? Or what if you just want a *little* bit of privacy while you download your tools to your victim? You need a simple HTTPS server. Two caveats: TLS hides the file contents from a passive observer but not the fact that the target is talking to your box, and because the certificate is self-signed the target's wget will need --no-check-certificate (curl needs -k) unless you hand it your cert.pem to trust.
Install Twisted using python's pip package manager (the TLS extras, pip install 'twisted[tls]', pull in pyOpenSSL if your install lacks it):
pip install twisted
In the directory you want to start your HTTPS listener in you will need to generate some certificates to use. The following shows the openssl command used to do that:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
Note: twistd looks for a certificate and private key file by default (the default names depend on the Twisted version; “key.pem” and “cert.pem” are used throughout here), so if you name them differently pass them explicitly with -c and -k.
This will ask you to create a passphrase for the private key, which you will need every time the listener starts. I suggest you use the one for your online banking, and for safe keeping you should write that on a postit note and leave it out for me. If you would rather not be prompted at all, add -nodes to the openssl command so the key is stored unencrypted, and protect the file with permissions instead (chmod 600 key.pem).
Start a web service using SSL on a specific port:
twistd web --https=<port> --path=<path> # Syntax
twistd web --https=8443 --path=. # Example
If you want to never generate your “*.pem” files ever again you can store them in a directory of your choosing and then specify the paths manually as shown below:
twistd web --https=8443 --path=. -c /path/to/cert.pem -k /path/to/key.pem
For bonus points add an alias to your shell's profile that bakes in the pem paths, so that all you have to do is provide a port and a path. That sounds convenient, doesn't it?
If you use bash then here is how to do it on Kali. Edit your “~/.bashrc” (Kali's interactive shells read it; “~/.bash_profile” is only read by login shells, so an alias there may not show up in your terminal) and add this line:
alias twistd-https="twistd web -c /path/to/cert.pem -k /path/to/key.pem"
Then source the file again to make it apply now:
source ~/.bashrc
This will automatically apply to every new shell, so you won't have to source it again.
You can now start a listener using HTTPS for any port of your choice sharing whatever path you want using this command:
twistd-https --https=8443 --path=.
Or to show how it will look in your terminal here you go:
It asks for a password. That is OpenSSL asking for the passphrase you set on key.pem; get it wrong and twistd cannot load the key, so your HTTPS listener won't start. Remember: your banking password, postit note, somewhere near the window.
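As an added example (not code from the original post, and not using Twisted): the same HTTPS listener built from Python's stdlib http.server and ssl modules, so the pieces twistd hides are visible. It generates key.pem and cert.pem with the openssl CLI using -nodes (no passphrase prompt) and then shows the client-side consequence of a self-signed certificate: a fetch that relies on the system trust store fails with CERTIFICATE_VERIFY_FAILED, while a fetch that pins cert.pem (what curl --cacert or wget --ca-certificate does on the target) succeeds. The host, paths and file contents are constructed for the demo; -addext needs OpenSSL 1.1.1 or newer.

```python
import functools
import os
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def make_self_signed_cert(directory, host="127.0.0.1"):
    """Write key.pem and cert.pem into `directory` with the openssl CLI.

    -nodes leaves the private key unencrypted, so the listener starts without
    a passphrase prompt (the file is protected with permissions instead).
    -addext puts the host in subjectAltName so a client can verify the name;
    it needs OpenSSL 1.1.1 or newer."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "365",
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=IP:{host}"],
        check=True, capture_output=True,
    )
    os.chmod(key, 0o600)
    return key, cert


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, fmt, *args):
        pass  # request logging silenced for the demo


def serve_https(directory, key, cert):
    """Serve `directory` over HTTPS on 127.0.0.1 on a free port."""
    handler = functools.partial(QuietHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A passphrase-protected key would need password="..." here; this is the
    # point at which twistd prompts you for it.
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"https://{host}:{port}"


def fetch(url, cafile=None):
    """GET url. cafile=None uses the system trust store, where a self-signed
    cert fails; cafile=cert.pem pins our own cert, like curl --cacert."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=5, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return "CERTIFICATE_VERIFY_FAILED", b""
        raise


def demo():
    """Generate a cert, serve a constructed tool over HTTPS, fetch it both
    without and with a trust anchor. Returns observations for checking."""
    with tempfile.TemporaryDirectory() as staging:
        payload = b"echo 'constructed tool'\n"
        with open(os.path.join(staging, "tool.sh"), "wb") as fh:
            fh.write(payload)
        key, cert = make_self_signed_cert(staging)
        server, base = serve_https(staging, key, cert)
        try:
            untrusted, _ = fetch(f"{base}/tool.sh")               # no trust anchor
            pinned, body = fetch(f"{base}/tool.sh", cafile=cert)  # trust our cert
        finally:
            server.shutdown()
            server.server_close()
    return {"untrusted": untrusted, "pinned": pinned, "body_ok": body == payload}


if __name__ == "__main__":
    print(demo())
```

The failing first fetch is exactly what the target's wget does by default; either copy cert.pem across and use --ca-certificate, or accept that --no-check-certificate / curl -k gives you encryption without any check that you are talking to your own box.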
Hope that helps.