"The simplest way to copy a file to or from a cluster is to use the scp command."

All these "scp" answers don't answer the question IMHO.

You do standard I/O redirection using ssh like so (HOST is a placeholder for the remote machine throughout):

$ ssh HOST "dd if=path-of-file" | dd of=where-to-copy

You can control flow here with bs= on either dd, and even compress in more than one way:

$ ssh -C HOST "dd if=path-of-file" | dd of=where-to-copy

Or something like:

$ ssh HOST "lzma -c path-of-file" | lzma -d - > where-to-copy

For the 2nd way, let's assume you do not have root access, for some reason the first thing doesn't work, and you can't really install things on the remote host. You'll probably have python, which has a built-in webserver. Let's assume you are trying to get, say, a file test.txt in the directory /tmp/test:

$ ssh HOST
$ cd /tmp/test && python3 -m http.server

Now normally we can't access that because it's bound to localhost. So we're going to break out into the SSH command shell with the escape sequence ~C (typed at the start of a line). Next we're going to do SOCKS forwarding to the remote machine. Pick a higher order port, say 4321:

ssh> -D 0.0.0.0:4321

Alright, leave this running. We're going to use our port 4321 as a SOCKS proxy, which will get us to the remote machine. From there, we'll access "localhost", which will be the remote machine's localhost (PORT is whatever the webserver printed when it started):

$ curl --proxy socks5h://localhost:4321 http://localhost:PORT/test.txt

And yet a 3rd: "If you look at the command 'ssh', you see that its last optional parameters are user@hostname command. So, instead of executing a remote shell, you can replace the default 'bash' by a command, and you can copy so: ssh user@host cat file > out. This will copy the remote file into the local file 'out'. scp is syntactic sugar for this call of ssh."

You balk back at me, "I don't even have python!". Do you have bash? You probably have bash. We're going to ssh using reverse port forwarding, and bash's /dev/tcp to write the file into that forwarded port. Also we'll just save ourselves some typing and use 0 as a collapse of 0.0.0.0.

So, Terminal 1:

$ nc -lp 5445 > where-to-put-it

Terminal 2:

$ ssh -R 0:5000:0:5445 HOST 'bash -c "cat path-of-file > /dev/tcp/0/5000"'

Alright, say you don't have scp, you don't have bash, no python, the pipe solution isn't working, GatewayPorts are disabled, jeez, you're really stuck now, right? Nonsense! base64 to the rescue! This is included in busybox, you'll find it on just about everything.

Here we go! First we establish what's called a "barrier condition": a marker line printed before and after the base64 output, so we can find it in the middle of everything else the session prints. Now we're going to log in and tee the entire session to a file:

$ ssh HOST | tee /tmp/session

Print the barrier, the base64 of the file, and the barrier again. Wait for it to flash past your session and log out. Now we'll use our barrier conditions and a newline to extract our payload:

$ cat /tmp/session |\

This should now just have our base64 of the file. We're almost done, just need to get rid of the newlines:

$ cat /tmp/session |\

Create a small shell function to do the barrier condition thing above and add a way to include the filename; we'll call it sz. Instead of redirecting to a file, use a fifo pipe. Using the last one you can do something really fun, which I'll leave as an exercise to the reader.
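Here is one way to write that sz helper end to end, as an added example rather than the original post's own code: sz_send runs on the remote side and wraps the base64 output between two barrier lines, and sz_extract runs locally on the tee'd transcript, keeps only the lines between the barriers, strips newlines (and any carriage returns the terminal added) and decodes. The marker strings and the sample transcript are constructed for this example; the only tools used are sed, tr and base64, all of which busybox ships.

```shell
#!/bin/sh
# Added example: barrier-condition extraction of a base64 payload from a
# captured ssh session. Marker strings are constructed for this example.
BEGIN_MARK='----BEGIN-SZ----'
END_MARK='----END-SZ----'

# Remote side (type this into the ssh session): emit the barrier, the
# base64 of the file, and the barrier again. Keeping the markers inside a
# function means the echoed command line never contains them, so the
# local extractor only ever sees the two real barrier lines.
sz_send() {
    printf '%s\n' "$BEGIN_MARK"
    base64 "$1"
    printf '%s\n' "$END_MARK"
}

# Local side: given the transcript written by "ssh HOST | tee FILE",
# select the lines from the first barrier to the second, drop the two
# barrier lines themselves, join the rest into one line and decode.
sz_extract() {
    sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/p" "$1" | \
        sed '1d;$d' | tr -d '\r\n' | base64 -d
}

# Usage, once /tmp/session has been captured:
#   sz_extract /tmp/session > where-to-put-it
```

sz_extract writes raw bytes to stdout, so redirect it to the destination file; the `-d` flag is the busybox and coreutils spelling of base64 decode.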