That was a let down. Is it really "exfiltration" when you use a protocol designed for mass data transfer and you use it in the exact manner it was intended to be used? The less linkbaity title is "Transferring files with BusyBox's ftp"
The point of the post was to show how easy it is, as people seem to miss these commands or may not be aware of how easy it is to set up a listening service. It's exfiltration by definition, but you are of course free to mangle the data any way you want or use DNS techniques if you really care about hiding what you're doing, but that's a different post.
There are a lot of embedded devices with fairly trivial vulnerabilities that let you run arbitrary shell commands, but a limited enough set of available commands that getting data out, or doing anything else useful, is nontrivial. (Note that you may not even be able to see the stdout/stderr of the command.) This is showing one way to do that.
Yeah, this is showing one way to copy data from a computer using busybox's ftp client. Where is the surreptitious smuggling? I like my exfil to at least have a hint of James Bond, MacGyver, or Rube Goldberg; otherwise it's just copying files off a computer using the default file transfer tools.
If you have bash, you can even partially get by without netcat as well. Bash has the wonderful "fake" device nodes, /dev/tcp/host/port and /dev/udp/host/port.
If your system is running busybox you usually won't have full fat bash.
One thing that annoys me is how people will crack a quad core 1.6GHz smartphone with 64Gb of storage and then install busybox to save those 50Mb over a regular shell environment that won't embarrass itself on every shell script or configure script.
Indeed, the tools listing in that post makes clear that nc should be available. If you have another Unix machine elsewhere, the nc solution avoids having to install any new software on either machine.
Indeed! I meant to mention the nc option, but I've found that ftpput/get are more often available than nc, perhaps something to do with the ubiquity of ftp.
I've used similar things to get a dump of router/modem firmware.
Busybox can be built with as many or as few applets as you want. If the busybox you have access to doesn't have what you need, you could always try putting another busybox in /tmp - https://busybox.net/downloads/binaries/ should have a static binary that works on whatever device you have.
You're absolutely right - one of the nice things about Busybox is that it's reasonably easy to configure which utilities you'd like included in the build.
Your example along with OP's showcase why it's a good idea to audit the utilities you include at build time!
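One way to run the build-time audit suggested above, as an added example that is not part of the original thread: it reads a BusyBox build `.config` and reports which of the transfer-capable applets named in this discussion are enabled. The function names, the watch list and the sample `.config` fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag BusyBox applets that can move data off a device.
# The watch list holds only the applets named in this thread (an assumption;
# extend it to match your own policy).
WATCHLIST="ftpput ftpget nc tftp uuencode uudecode"

# Turn a BusyBox build .config (stdin) into enabled applet names:
# "CONFIG_FTPPUT=y" -> "ftpput". "# CONFIG_NC is not set" lines are skipped.
applets_from_config() {
    sed -n 's/^CONFIG_\([A-Z0-9_]*\)=y$/\1/p' | tr '[:upper:]' '[:lower:]'
}

# Read applet names on stdin, one per line, and print those on the watch
# list, space-separated, in watch-list order. Matching is whole-line, so a
# feature switch such as "feature_tftp_put" is not mistaken for "tftp".
# On a running device the same check works as:
#   busybox --list | flag_transfer_applets
flag_transfer_applets() {
    present=$(cat)
    found=""
    for applet in $WATCHLIST; do
        if printf '%s\n' "$present" | grep -qx "$applet"; then
            found="${found:+$found }$applet"
        fi
    done
    printf '%s\n' "$found"
}

# Constructed sample .config fragment, not taken from any real device.
SAMPLE_CONFIG='CONFIG_ASH=y
CONFIG_FTPGET=y
CONFIG_FTPPUT=y
# CONFIG_NC is not set
CONFIG_TFTP=y
CONFIG_FEATURE_TFTP_PUT=y
# CONFIG_UUENCODE is not set
CONFIG_UUDECODE=y'

# Audit the sample: prints the watch-listed applets this build would ship.
audit_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" | applets_from_config | flag_transfer_applets
}
```

An empty result means none of the listed applets is built in; anything printed is an applet to justify or disable before the image ships.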
We ($work) have some embedded devices running BusyBox and I typically just use TFTP. It's simple, it works, and we already have an internal TFTP server.
I had to get some files off/on a hacked device over a serial port (networking was broken). Luckily the BusyBox included uuencode/decode so I didn't have to get too extreme.
"Exfiltrating" implies a covert action... Using ftp is kinda obvious!