Learning file redirection is part of Module 3.2 in the OSCP Syllabus and should not be overlooked. This article will explain how file redirection can be used to circumvent basic file creation rules on a target machine and how to bypass these rules when it is not secured properly. This is important as it also ties into creating scripts, Netcat, Powercat, and reverse shells 
.
Check for Installed Text Editors
First, check if any text editors are installed or enabled on the target machine. If lucky, one of these have been installed and have not been disabled. If so, it just saved a lot of time having to try other methods!
The Following Commands Will Attempt To:
Create a file called test.txt and open it with mousepad:
┌──(kali㉿kali)-[~/Desktop]
└─$ mousepad test.txt Create a file called test.txt and open with nano:
┌──(kali㉿kali)-[~/Desktop]
└─$ nano test.txt(to save the file) Y > Enter > crtl + x
(End file, do not save and escape) N > Enter > crtl + x
Create a file called test.txt and open with vi editor:
┌──(kali㉿kali)-[~/Desktop]
└─$ vi test.txt escape > :wq > Enter (to save changes to a file)
escape > :q > Enter (to exit the unmodified file)
escape > :q! > Enter (to exit the file without saving any changes)
Quickly read the created file (replace test.txt with your file name):
┌──(kali㉿kali)-[~/Desktop]
└─$ less test.txt
press q to exit If none of the attempts above worked, let us give kudos 
to the admin for doing a decent job and disabling the default text editors.
Redirection
To check the depth of the security protocols in place by testing redirect commands.
Redirect to a New File
┌──(kali㉿kali)-[~/Desktop]
└─$ echo “text_or_command_you_want_to_save” > Filename_Here Above shows the line text_or_command_you_want_to_save redirected into a new file called Filename_Here.
Redirect to an Existing File and Delete Everything Inside
Important: This will delete what was inside the file!
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "deleting everything then Adding this line new line inside the file" > Existing_Filename_Here The example above shows an existing file being erased and replaced with the line deleting everything then Adding this line new line inside the file from the file named Existing_Filename_Here.
Append to an Existing File Using >>
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "Adding this to the end of the example document" >> test.sh The above shows the line Adding this to the end of the example document being added to the end of the file called test.sh.
Important: This can be used to append files and build scripts one line at a time and should be thoroughly understood for creating files on a target machine.
Give the file (a script for example) execution rights:
┌──(kali㉿kali)-[~/Desktop]
└─$ chmod +x test.sh Important: Only give execution rights after the script is finalized, it can be troublesome to edit the file afterward.
Stderr
Stderr is the stream used to output an error message when a program encounters them. This is useful when creating a custom log file that redirects the errors to the log file or used to hide the error messages entirely.
The following example will attempt to copy a file that does not exist.
┌── (kali㉿kali)-[~/Desktop]
└─$ pwd
/home/kali/Desktop
┌──(kali㉿kali)-[~/Desktop]
└─$ ls
Caldera Hashcat 'IDA Freeware.desktop' java 'NCL Gym files' Ophcrack Steg-1.1.0.0-Linux-x64 'wireshark dump' elf HTTP2.cap ipscan.desktop MD5test.txt 'NCL Solo Comp' sherlock Tutorials Zenmap
┌──(kali㉿kali)-[~/Desktop]
└─$ cp Fake_File ~/kali
cp: cannot stat 'Fake_File': No such file or directory The example above, shows the stderr output cp: cannot stat 'Fake_File': No such file or directory because the file does not exist.
Stderr is commonly shown inside the terminal but stderr can also be redirected to a log file. Redirecting Stderr is useful when creating custom log files that contain only the errors encountered.
In the next example, I will attempt to copy a file that does not exist and send the stderr output to the log file Log_For_Fake_File.txt.
┌──(kali㉿kali)-[~/Desktop]
└─$ ls
Caldera Hashcat 'IDA Freeware.desktop' java 'NCL Gym files' Ophcrack Steg-1.1.0.0-Linux-x64 'wireshark dump'
elf HTTP2.cap ipscan.desktop MD5test.txt 'NCL Solo Comp' sherlock Tutorials Zenmap
┌──(kali㉿kali)-[~/Desktop]
└─$ cp fake_file ~/kali 2>Log_For_Fake_File.txt
┌──(kali㉿kali)-[~/Desktop]
└─$ ls
Caldera HTTP2.cap java 'NCL Gym files' sherlock 'wireshark dump'
elf 'IDA Freeware.desktop' Log_For_Fake_File.txt 'NCL Solo Comp' Steg-1.1.0.0-Linux-x64 Zenmap
Hashcat ipscan.desktop MD5test.txt Ophcrack TutorialsThe example above, shows no error message displayed in terminal and shows the log file was created.
The following will look inside the log file to see if the stderr was successfully redirected:
┌──(kali㉿kali)-[~/Desktop]
└─$ less Log_For_Fake_File.txt This opens the following in a new window.
cp: cannot stat 'fake_file': No such file or directory
Log_For_Fake_File.txt (END)The example above, shows that stderr was successfully redirected to the log. This also silenced the error from being displayed in the terminal window.
If you wanted to silence the stderr output from being displayed in the console but do not want to create a log file. This is done by sending the stderr output to /dev/null folder in linux. This sends the output into a void that will be discarded. This is done by using 2>/dev/null to redirect the stderr to the void. This is used to silence errors from displaying on the console when running scripts, files, or anything that can generate a stderr output.
Why This is Useful
Understanding these commands and learning to redirect and create a file manually is a crucial step for ethical hacking and cyber security. Learning to pivot is vital, as the usual file creation methods may be disabled due to security measures and leave only redirection to work with.
I stress its importance because it will allow the creation and exploitation of scripts on a target machine for pentesting, OSCP exam, and CTF competitions. Also for administrators this can be insightful on understanding the importance of file creation rules and how advisories can circumvent them with these simple techniques.