Catching Files over HTTP/S
HTTP/S
Transferring files over the web is the most common method because HTTP and HTTPS are the protocols most often allowed through firewalls. Another immense benefit is that, in many cases (whenever HTTPS is used), the file will be encrypted in transit.
Nginx - Enabling PUT
Create a Directory to Handle Uploaded Files
neutron@kali[/kali]$ sudo mkdir -p /var/www/uploads/SecretUploadDirectory
Change the Owner to www-data
neutron@kali[/kali]$ sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
Create Nginx Configuration File
Create the Nginx configuration file /etc/nginx/sites-available/upload.conf with the contents:
server {
    listen 9001;

    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
Symlink our Site to the sites-enabled Directory
neutron@kali[/kali]$ sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
Start Nginx
neutron@kali[/kali]$ sudo systemctl restart nginx.service
If we get any error messages, check /var/log/nginx/error.log. We might see port 80 is already in use.
Verifying Errors
neutron@kali[/kali]$ tail -2 /var/log/nginx/error.log
2020/11/17 16:11:56 [emerg] 5679#5679: bind() to 0.0.0.0:80 failed (98: Address already in use)
2020/11/17 16:11:56 [emerg] 5679#5679: still could not bind()
neutron@kali[/kali]$ ss -lnpt | grep 80
LISTEN 0 100 0.0.0.0:80 0.0.0.0:* users:(("python",pid=2811,fd=3),("python",pid=2070,fd=3),("python",pid=1968,fd=3),("python",pid=1856,fd=3))
neutron@kali[/kali]$ ps -ef | grep 2811
user65 2811 1856 0 16:05 ? 00:00:04 python -m websockify 80 localhost:5901 -D
root 6720 2226 0 16:14 pts/0 00:00:00 grep --color=auto 2811
Another process (python running websockify) is already listening on port 80. To get around this, we can remove the default Nginx configuration, which binds on port 80.
neutron@kali[/kali]$ sudo rm /etc/nginx/sites-enabled/default
Now we can test uploading by using cURL to send a PUT request. In the below example, we will upload the /etc/passwd file to the server and call it users.txt.
neutron@kali[/kali]$ curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
neutron@kali[/kali]$ sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt
user65:x:1000:1000:,,,:/home/user65:/bin/bash
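An added example, not part of the original page: a small Python check that parses an Nginx configuration and flags any block that enables PUT through dav_methods with no allow/deny or authentication directive in scope, or behind a listener without ssl. It is run on the upload.conf shown above and on a constructed restricted variant; the function names and finding strings are hypothetical, and quoted strings and limit_except blocks are not interpreted.

```python
import re
# Added example (hypothetical names). nginx directives that limit who may reach a block:
ACCESS_CONTROLS = ("allow", "deny", "auth_basic", "auth_request")

def tokenize(conf):
    """Split config text into words and the structural tokens { } ;"""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))

def audit_put(conf):
    """Return {block header: [findings]} for each block that enables PUT."""
    report, stack, words = {}, [], []
    for tok in tokenize(conf):
        if tok == "{":    # words holds the block header
            stack.append((" ".join(words), {}))
            words = []
        elif tok == ";":  # end of a simple directive
            if words and stack:
                stack[-1][1].setdefault(words[0], []).append(words[1:])
            words = []
        elif tok == "}":
            header, own = stack.pop()
            if any("PUT" in args for args in own.get("dav_methods", [])):
                scope = {}  # directives inherit from enclosing blocks
                for _, outer in stack:
                    scope.update(outer)
                scope.update(own)
                findings = []
                if not any(d in scope for d in ACCESS_CONTROLS):
                    findings.append("no access control")
                listens = scope.get("listen", [])
                if not listens or any("ssl" not in a for a in listens):
                    findings.append("cleartext listener")
                report[header] = findings
        else:
            words.append(tok)
    return report

# The configuration from this page.
PAGE_CONF = """server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}"""
# Constructed audit input (192.0.2.0/24 is a documentation range).
RESTRICTED_CONF = PAGE_CONF.replace("listen 9001;", "listen 9001 ssl;").replace(
    "dav_methods PUT;", "dav_methods PUT; allow 192.0.2.0/24; deny all;")
for name, conf in (("page", PAGE_CONF), ("restricted", RESTRICTED_CONF)):
    print(name, audit_put(conf))
```

The upload.conf from this page yields both findings: any client that can reach port 9001 can write into the directory, and the upload travels unencrypted. The restricted variant is input for the check only; a deployable TLS server block also needs ssl_certificate and ssl_certificate_key.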