1
00:00:02,304 --> 00:00:06,912
Hello everyone, and welcome to the file transfer section of our course

2
00:00:07,680 --> 00:00:13,312
So today we're going to cover a few different ways to transfer files to or from a machine

3
00:00:13,824 --> 00:00:17,664
This becomes important in post-exploitation

4
00:00:18,176 --> 00:00:24,064
So we may need to do this if we need to upload future exploits and attempt to do privilege escalation

5
00:00:24,576 --> 00:00:29,952
Or if we just need to pull some files off of a machine that we found and that might be interesting

6
00:00:30,720 --> 00:00:35,840
So in order to do that we have several different methods, and this is not even all of them

7
00:00:36,096 --> 00:00:37,888
But what I'm going to show you today

8
00:00:39,168 --> 00:00:41,472
It's going to be HTTP

9
00:00:43,008 --> 00:00:46,336
wget, which is really common with Linux

10
00:00:47,872 --> 00:00:48,896
FTP

11
00:00:50,688 --> 00:00:56,576
TFTP, which we might use if we're attacking an XP or 2003 Windows machine

12
00:00:58,112 --> 00:01:02,976
PowerShell, which is going to be for Windows 7 and up, pretty typically

13
00:01:03,232 --> 00:01:05,024
And then Metasploit

14
00:01:06,304 --> 00:01:08,352
Let's go ahead and get started covering these

15
00:01:09,120 --> 00:01:10,912
If we go into our Kali machine

16
00:01:12,704 --> 00:01:16,288
I want to go ahead and pick a file that we want to transfer back and forth

17
00:01:16,800 --> 00:01:21,920
So for me today I'm sitting in the /var/www/html folder

18
00:01:22,432 --> 00:01:25,504
And I'm going to be working with this exploit.php

19
00:01:26,272 --> 00:01:30,880
We're just going to keep trying to transfer this back and forth between machines and see what happens

20
00:01:32,160 --> 00:01:36,000
So the first thing I want to show you is just HTTP

21
00:01:37,024 --> 00:01:41,632
So if we were trying to get something over HTTP, we could be hosting it out

22
00:01:42,656 --> 00:01:45,984
And it could just be sitting on our file server

23
00:01:46,752 --> 00:01:52,384
So as long as we have Apache running and it's sitting in the www folder

24
00:01:52,896 --> 00:01:59,040
We could say exploit.php and it might pull it; we might have to find another way to grab it, but

25
00:01:59,296 --> 00:01:59,808
But it's here

26
00:02:00,576 --> 00:02:04,672
So if we want to grab it we could also use wget

27
00:02:04,928 --> 00:02:05,696
To do that

28
00:02:06,464 --> 00:02:09,536
So let's go ahead and try that

29
00:02:09,792 --> 00:02:12,608
So wget is the command

30
00:02:12,864 --> 00:02:19,008
We could type in HTTP and the web address we want to get

31
00:02:19,776 --> 00:02:24,384
And then the filename, exploit.php

32
00:02:25,664 --> 00:02:31,552
Okay, it looks like we got it, that worked. If we were to try it and say it was exploit 23

33
00:02:31,808 --> 00:02:33,856
So, 404 not found

34
00:02:34,368 --> 00:02:36,928
You can do this with pretty much anything at all on the web

35
00:02:37,440 --> 00:02:43,584
You can use wget to grab index pages if you want, or if you're trying to clone, say, google.com you could just

36
00:02:43,840 --> 00:02:45,632
wget google.com

37
00:02:45,888 --> 00:02:47,168
And it would work for you

38
00:02:47,680 --> 00:02:51,520
The nice thing is this is built into the majority of Linux machines

39
00:02:51,776 --> 00:02:57,920
So when you're trying to do file transfers in terms of Linux you're most likely going to use wget, and

40
00:02:58,176 --> 00:02:59,200
Not your stopping point

41
00:02:59,456 --> 00:03:00,736
The real trouble

42
00:03:00,992 --> 00:03:05,088
With file transfers, in my opinion, is using it through Windows

43
00:03:05,344 --> 00:03:07,904
Because Windows doesn't have wget included

44
00:03:08,416 --> 00:03:14,048
And more likely than not, it's a 99% chance they're not going to have wget installed

45
00:03:14,816 --> 00:03:18,400
So you're going to have to get creative with your file transfer methods

46
00:03:19,168 --> 00:03:22,496
So one of the methods that we can use and it's pretty common

47
00:03:22,752 --> 00:03:25,056
Is to just use FTP

48
00:03:25,312 --> 00:03:29,152
As FTP is built into most Windows machines by default

49
00:03:30,432 --> 00:03:36,576
So there's a couple of tools we can use. You could download more expansive FTP servers, but if you just

50
00:03:36,832 --> 00:03:39,392
Want to use a basic FTP server

51
00:03:39,648 --> 00:03:41,184
You could run it with Python

52
00:03:41,696 --> 00:03:45,536
Or you could use Metasploit so I can show you both of those today

53
00:03:46,816 --> 00:03:52,960
And the Python one is actually an add-on, so if you type in apt-get

54
00:03:53,216 --> 00:03:53,984
install

55
00:03:54,240 --> 00:03:57,824
And then you're going to want to install python-

56
00:03:58,080 --> 00:04:01,408
pyftpdlib

57
00:04:01,664 --> 00:04:03,456
I've already got it

58
00:04:03,968 --> 00:04:06,272
So it doesn't need it here for me

59
00:04:06,528 --> 00:04:08,064
But go ahead and install that

60
00:04:09,344 --> 00:04:12,416
And then, similar to the Python HTTP server

61
00:04:12,928 --> 00:04:19,071
What you can do here is you can actually come in and go over to your

62
00:04:19,327 --> 00:04:20,607
Folder you want to be in

63
00:04:20,863 --> 00:04:25,215
So this is wherever you want to host; it's really fast

64
00:04:25,471 --> 00:04:31,615
And then all you have to say is python -m and then it's pyftpdlib

65
00:04:31,871 --> 00:04:38,015
And then you pick your port, -p 21, pretty standard default FTP port

66
00:04:40,319 --> 00:04:42,623
And that's it, now you're hosting

67
00:04:43,135 --> 00:04:45,183
So with your Windows machine

68
00:04:45,439 --> 00:04:47,743
What we need to do is get into the command line

69
00:04:49,791 --> 00:04:51,839
Let me go ahead and bring that up now

70
00:04:54,655 --> 00:04:57,983
Let's full-screen it here for a minute

71
00:04:58,751 --> 00:04:59,519
So

72
00:05:00,031 --> 00:05:03,871
What do we need to do here? Well, we can do this a couple of different ways

73
00:05:04,639 --> 00:05:10,783
We can go the long route here; let's just go ahead and do that. So if we say ftp

74
00:05:11,807 --> 00:05:15,391
We'll pick up our address here

75
00:05:16,415 --> 00:05:20,511
21 is the port, maybe not, let's just try it like that

76
00:05:20,767 --> 00:05:21,279
Okay

77
00:05:21,535 --> 00:05:25,631
So if we FTP here, we could say the user is anonymous

78
00:05:26,143 --> 00:05:28,959
Password can be anything really, say password

79
00:05:29,471 --> 00:05:31,007
Okay, so login successful

80
00:05:31,519 --> 00:05:32,799
So, yep yep

81
00:05:33,055 --> 00:05:35,103
We always want to be in binary

82
00:05:35,359 --> 00:05:37,151
It's just the type set here

83
00:05:37,407 --> 00:05:42,527
I prefer it; I've had issues with bringing files over the other way, and it doesn't work for me

84
00:05:42,783 --> 00:05:46,111
So I always use binary as opposed to ASCII

85
00:05:47,391 --> 00:05:52,255
And then we're going to say get exploit.php

86
00:05:54,815 --> 00:05:57,887
Transfer complete, and that's it, so

87
00:05:58,911 --> 00:06:00,959
Now we can just say bye

88
00:06:01,215 --> 00:06:07,359
We can confirm that we have transferred our PHP in the directory, or the exploit.php, I apologize

89
00:06:07,615 --> 00:06:08,383
There it is

90
00:06:09,407 --> 00:06:11,455
So now what can we do

91
00:06:11,711 --> 00:06:12,479
Well

92
00:06:12,735 --> 00:06:15,039
In a perfect world we're not going to

93
00:06:15,295 --> 00:06:17,343
We're going to be able to use this, but at work

94
00:06:17,599 --> 00:06:20,927
Most likely we're not going to be able to use this in both situations

95
00:06:21,439 --> 00:06:24,255
What we are actually going to most likely have to do is script this out

96
00:06:25,535 --> 00:06:30,911
So how can we script it out? We can basically do the same thing we just did here

97
00:06:31,935 --> 00:06:33,471
So what that might look like

98
00:06:33,727 --> 00:06:39,871
Is if we were to just do an FTP file, so we'll say echo and then

99
00:06:40,127 --> 00:06:42,687
FTP, or this has to say open here

100
00:06:43,967 --> 00:06:47,807
Put the same IP address in

101
00:06:49,599 --> 00:06:52,159
And then we're going to just call it ftp.txt

102
00:06:54,207 --> 00:07:00,351
Okay, so now we need to type in the rest of it. So what do we do next? We logged in

103
00:07:00,607 --> 00:07:05,983
And remember, when you use two of the little arrows here, you do not overwrite the text

104
00:07:08,543 --> 00:07:13,407
Then we used the password; we just called it password

105
00:07:13,663 --> 00:07:19,039
We set everything to binary

106
00:07:20,831 --> 00:07:25,439
And then we retrieved exploit.php

107
00:07:30,559 --> 00:07:36,703
And then we told it goodbye, so there's bye

108
00:07:37,471 --> 00:07:41,823
So what we need to do now and I'm going to go ahead and remove

109
00:07:42,335 --> 00:07:43,615
This folder here

110
00:07:44,639 --> 00:07:50,527
So I'm going to remove the file from the folder; we're going to remove the exploit, I just want to confirm that it came back over

111
00:07:53,343 --> 00:07:59,231
So the syntax now that we can use is a -s

112
00:08:00,255 --> 00:08:03,071
And then we're just going to say ftp.txt

113
00:08:12,799 --> 00:08:15,615
Okay, it's getting us an error here; let's look at the file really quick

114
00:08:16,383 --> 00:08:18,175
And see what's going on

115
00:08:25,087 --> 00:08:28,415
It does not like password for some reason; let's try

116
00:08:28,671 --> 00:08:30,207
Just calling it pass

117
00:08:30,463 --> 00:08:32,255
Save that and try it one more time

118
00:08:41,215 --> 00:08:44,543
Okay, it took me a little bit of toiling around with this here

119
00:08:44,799 --> 00:08:46,591
But what the issue was

120
00:08:47,359 --> 00:08:52,991
Was there was a space here after anonymous, and it was throwing it off, so make sure that you don't have any spaces in here

121
00:08:54,271 --> 00:08:56,831
And then go ahead and save it again and try it

122
00:08:59,903 --> 00:09:04,255
And then your file transfer should work

123
00:09:04,767 --> 00:09:07,839
So when we're doing this and we're sending these commands

124
00:09:08,607 --> 00:09:13,471
Maybe we don't put the space in right here for anonymous; maybe we just punch it all together

125
00:09:13,983 --> 00:09:17,823
So that was my mistake, I apologize, but now we have it working

126
00:09:18,591 --> 00:09:24,735
And we can confirm that really quick; we could just do a dir, make sure the exploit.php is there, and it is

127
00:09:24,991 --> 00:09:29,343
So that's really it for this way of doing it

128
00:09:29,599 --> 00:09:35,743
We could also Ctrl+C, and this is nice here too because you can see if your FTP is working; that's why I like these Python

129
00:09:35,999 --> 00:09:36,511
servers

130
00:09:37,279 --> 00:09:42,911
Let's go ahead and close this out; we can open up msfconsole

131
00:09:43,167 --> 00:09:44,447
And we can do it

132
00:09:44,703 --> 00:09:48,287
The other way, so let's go ahead and host with msfconsole

133
00:09:49,823 --> 00:09:55,967
And I'm not going to go through the whole file transfer again; I'm just going to kind of show you the auxiliary module and then you can kind of play

134
00:09:56,223 --> 00:09:56,991
around with it if you want

135
00:09:57,247 --> 00:10:01,087
So the auxiliary module is going to be auxiliary

136
00:10:01,343 --> 00:10:02,111
server

137
00:10:02,367 --> 00:10:06,975
ftp, and we can show options in here

138
00:10:07,999 --> 00:10:14,143
And then it tells you what folder you want; you can have a password and username, you can change your

139
00:10:14,399 --> 00:10:15,423
port if you want

140
00:10:15,679 --> 00:10:18,495
Pretty easy here, pretty straightforward

141
00:10:18,751 --> 00:10:23,615
So really we could just set the folder you want to use and then just say run

142
00:10:23,871 --> 00:10:30,015
We could say run, or we can say exploit if we want to be cooler, and then it's just running

143
00:10:30,271 --> 00:10:31,295
And it's a background job

144
00:10:31,807 --> 00:10:32,575
So

145
00:10:33,343 --> 00:10:35,391
That's pretty much it for FTP

146
00:10:35,903 --> 00:10:38,719
Now let's go ahead and exit out of

147
00:10:38,975 --> 00:10:40,511
Metasploit

148
00:10:41,279 --> 00:10:47,423
And let's look at FTP, so if we wanted to run FTP, or TF

149
00:10:47,679 --> 00:10:48,447
TFTP, I'm sorry

150
00:10:48,703 --> 00:10:54,079
If you want to run TFTP, there's actually a tool that comes built in where we can run our own TFTP server

151
00:10:54,847 --> 00:10:57,919
And that is atftpd

152
00:10:58,687 --> 00:11:03,039
And then the syntax is just --daemon and then your port

153
00:11:03,295 --> 00:11:09,439
Which is always 69, unless you want it to be something different, and then you pick the folder you want to run it in

154
00:11:09,695 --> 00:11:15,327
And I just do /var/www/html

155
00:11:15,583 --> 00:11:18,143
Okay, so now it's set and it's running

156
00:11:18,911 --> 00:11:24,287
If you wanted to pull a file using TFTP you would go through the command line on Windows

157
00:11:26,079 --> 00:11:30,431
So similar here, except it's not going to work for us; there is no TFTP

158
00:11:30,687 --> 00:11:34,015
On my version of Windows, Windows 10

159
00:11:34,527 --> 00:11:37,087
It does not recognize it, but I'll show you the syntax

160
00:11:37,343 --> 00:11:39,903
So this will work on XP and it will work on 2003

161
00:11:40,671 --> 00:11:43,999
And the syntax is just this: tftp

162
00:11:44,255 --> 00:11:47,839
-i and then the IP address

163
00:11:49,887 --> 00:11:56,031
The get command, and then what you want to get, exploit.php, so that's

164
00:11:56,287 --> 00:11:57,055
the syntax there

165
00:11:58,335 --> 00:12:02,687
It's pretty straightforward. Unfortunately I can't show you the example; I don't have an XP machine

166
00:12:02,943 --> 00:12:06,015
Or a 2003 machine on any sort of VM

167
00:12:07,551 --> 00:12:09,343
So what we're going to do next then

168
00:12:10,111 --> 00:12:13,439
Is we're going to come in here and we're going to practice with PowerShell

169
00:12:14,975 --> 00:12:17,279
So this one is probably

170
00:12:18,303 --> 00:12:23,935
A good example of real world; you might not see it too much in the labs, but you should encounter it a few times

171
00:12:24,703 --> 00:12:29,823
So what we're going to do is we're going to write a script here for PowerShell

172
00:12:30,847 --> 00:12:34,175
And it's going to look something along the lines of this

173
00:12:34,431 --> 00:12:35,199
So

174
00:12:35,711 --> 00:12:38,271
Similar to FTP, we're going to make

175
00:12:39,807 --> 00:12:42,623
the following commands to make a file here

176
00:12:43,135 --> 00:12:48,511
So we're going to echo, starting with the present working directory here

177
00:12:49,535 --> 00:12:55,167
And we're just going to call this, we'll call it get, and we'll call it .ps1; that's a PowerShell file

178
00:12:58,239 --> 00:13:02,079
So we're going to then echo webclient here

179
00:13:02,335 --> 00:13:05,919
We're going to call this New-Object

180
00:13:06,687 --> 00:13:12,831
System.Net.WebClient

181
00:13:13,087 --> 00:13:15,391
And then this is also going to be

182
00:13:15,903 --> 00:13:17,439
get.ps1

183
00:13:22,815 --> 00:13:27,935
Okay, now we're going to echo url

184
00:13:28,447 --> 00:13:34,591
And our URL is going to be our web server

185
00:13:36,895 --> 00:13:41,503
And we want to grab from it; we're going to grab exploit.php

186
00:13:42,527 --> 00:13:45,087
Also put this in get.ps1

187
00:13:46,111 --> 00:13:52,255
Now we're going to set a variable of file; we can just also call it

188
00:13:52,511 --> 00:13:58,655
exploit.php; if you want to rename it to something else you could. Into get.ps1

189
00:14:00,959 --> 00:14:04,287
And then finally we're going to

190
00:14:04,543 --> 00:14:08,639
Call webclient.DownloadFile with

191
00:14:09,151 --> 00:14:15,039
The URL and the file

192
00:14:19,903 --> 00:14:22,463
Into get.ps1 here again

193
00:14:23,231 --> 00:14:27,327
So now we come back in here and just delete one more time

194
00:14:27,839 --> 00:14:29,887
Our exploit.php

195
00:14:31,167 --> 00:14:37,055
And let's go ahead and try this. So the syntax is powershell.exe

196
00:14:37,567 --> 00:14:40,895
-ExecutionPolicy

197
00:14:41,151 --> 00:14:44,735
Bypass

198
00:14:44,991 --> 00:14:49,855
-NoLogo -NonInteractive

199
00:14:50,111 --> 00:14:56,255
-NoProfile -File get.ps1

200
00:15:03,423 --> 00:15:06,239
And there it is, so exploit.php came over again

201
00:15:07,007 --> 00:15:11,615
So just another way to transfer; this might be really useful, like I said, in the real world

202
00:15:13,151 --> 00:15:19,295
So keep this one in mind and I do recommend making a script where you can just kind of copy and paste these in

203
00:15:19,551 --> 00:15:21,855
So you don't have to type this out every time; it gets annoying

204
00:15:22,111 --> 00:15:25,695
So if you just copy these, and you could also one-line these

205
00:15:26,207 --> 00:15:28,511
So for example if you were to

206
00:15:28,767 --> 00:15:34,911
Copy this here and you paste it in, you can do an ampersand, you can copy

207
00:15:35,167 --> 00:15:35,935
The next one

208
00:15:37,215 --> 00:15:43,359
And then paste it in and do the same thing with another ampersand, and keep going all the way until it's done, so if you

209
00:15:43,615 --> 00:15:45,919
You want to make a one liner like that that would also work

210
00:15:46,431 --> 00:15:47,711
It's up to you

211
00:15:48,479 --> 00:15:54,623
But just food for thought, things to think about. So all the scripting we can do in there, the more scripting the better it is for us

212
00:15:54,879 --> 00:15:57,951
The easier it is on us and the more time we save; just my opinion there

213
00:15:58,719 --> 00:16:01,791
So the last thing we're going to do is going to be Metasploit

214
00:16:02,559 --> 00:16:08,703
And what we're going to do here is we're actually going to get back into Metasploit

215
00:16:08,959 --> 00:16:13,823
And make sure that you still have your Kioptrix machine level 1 running

216
00:16:15,103 --> 00:16:20,223
So I have it running; we're going to exploit it again, and the exploit was trans2open

217
00:16:22,271 --> 00:16:27,391
So we'll just search that again

218
00:16:29,695 --> 00:16:33,023
And remember that we're going to use the Linux version

219
00:16:33,535 --> 00:16:36,095
So use exploit/linux

220
00:16:36,351 --> 00:16:37,375
samba

221
00:16:38,143 --> 00:16:39,935
trans2open

222
00:16:41,215 --> 00:16:43,263
Show options real quick

223
00:16:43,519 --> 00:16:49,663
Okay, we're going to set our RHOST to the IP

224
00:16:49,919 --> 00:16:52,223
address of the Kioptrix machine

225
00:16:54,527 --> 00:17:00,671
And remember, we also want to change the payload here, because the payload that we used in the

226
00:17:00,927 --> 00:17:06,815
Original video wasn't working, so we're going to do a non-staged, just the generic

227
00:17:07,071 --> 00:17:08,351
shell reverse here

228
00:17:10,911 --> 00:17:12,703
Show options again

229
00:17:13,471 --> 00:17:19,103
So now it needs an LHOST; let's set that, our LHOST

230
00:17:25,247 --> 00:17:29,599
Okay, so now we have the LHOST in there; one more time, let's show options

231
00:17:31,135 --> 00:17:32,415
And let's exploit

232
00:17:45,727 --> 00:17:48,287
Okay, so we have a shell here

233
00:17:58,783 --> 00:18:00,831
Okay, and it brought us right to bash

234
00:18:01,087 --> 00:18:01,855
So

235
00:18:02,367 --> 00:18:04,415
When you're exploiting a

236
00:18:05,183 --> 00:18:09,791
Linux machine like this you're really not going to be able to do many file transfers

237
00:18:10,047 --> 00:18:11,327
We can still do

238
00:18:11,583 --> 00:18:17,727
So wget here, and if we wanted to grab our file, we could still do that

239
00:18:29,759 --> 00:18:33,087
Okay, so we'll say ls; it's sitting in here

240
00:18:33,343 --> 00:18:34,879
And we're sitting in /tmp right now

241
00:18:35,391 --> 00:18:39,999
So this is how if we were using Metasploit we would do a file transfer on Linux

242
00:18:40,511 --> 00:18:45,631
You're not really given the Meterpreter shell unless you set up a Meterpreter shell

243
00:18:46,399 --> 00:18:52,543
I do want to show you one other way of doing this; let's look at a Windows example, because that's really where we're going to use it. So

244
00:18:52,799 --> 00:18:57,663
So with Linux, like I said, you have wget probably 95% of the time

245
00:18:58,175 --> 00:19:01,247
So let's go ahead and do another exploit

246
00:19:02,015 --> 00:19:07,903
But we're going to do what we did in our original lesson with the Java applet attacks

247
00:19:08,415 --> 00:19:11,743
Let's go ahead and just close out of everything here; I'm going to exit

248
00:19:12,511 --> 00:19:16,607
And make sure that your Windows machine is running over here

249
00:19:17,119 --> 00:19:20,191
And that we can still access it

250
00:19:20,447 --> 00:19:21,471
So

251
00:19:21,983 --> 00:19:23,775
Make sure you know the IP address as well

252
00:19:24,799 --> 00:19:27,359
And we're going to use the SE toolkit

253
00:19:28,383 --> 00:19:30,687
Let's go ahead and do that again

254
00:19:35,551 --> 00:19:38,623
Okay, so social engineering attacks

255
00:19:39,903 --> 00:19:41,951
And website attack vectors

256
00:19:42,975 --> 00:19:45,023
Java applet attack

257
00:19:46,815 --> 00:19:49,631
We're going to use the site cloner here

258
00:19:50,655 --> 00:19:53,471
We are using that

259
00:19:53,983 --> 00:19:59,871
The IP address is going to be, alright, the address here

260
00:20:00,639 --> 00:20:03,711
And no, our payload is not on a different machine

261
00:20:06,527 --> 00:20:09,343
So we're going to have it do its own built-in

262
00:20:10,623 --> 00:20:13,951
And we're going to clone google.com

263
00:20:17,279 --> 00:20:19,071
We're going to use the Meterpreter

264
00:20:19,327 --> 00:20:20,863
payload

265
00:20:22,655 --> 00:20:24,959
443 is fine

266
00:20:26,239 --> 00:20:29,311
What type? Reverse HTTPS is fine

267
00:20:40,063 --> 00:20:44,159
Okay, and it's going to take just a minute here; it's going to run through, it's going to open up Metasploit

268
00:20:44,671 --> 00:20:48,255
So we have Apache running, so let's go ahead and stop it

269
00:20:49,791 --> 00:20:54,143
Now it's going to launch its own web service and it's going to launch Metasploit

270
00:20:55,679 --> 00:20:59,519
And shortly here we're going to go back to our web address like we did in the

271
00:20:59,775 --> 00:21:03,103
Java applet video, and we should be able to get some sort of shell here

272
00:21:05,919 --> 00:21:12,063
Okay, so it's running on job 0 in the background; let's go ahead and try going to our web page

273
00:21:15,903 --> 00:21:18,720
See if we get that malicious pop-up; there it is

274
00:21:19,744 --> 00:21:23,328
Click run; we'll see what's happening on the other side of things

275
00:21:31,008 --> 00:21:34,848
Do we have a Meterpreter session? We can just say sessions

276
00:21:36,640 --> 00:21:38,432
So, sessions 1

277
00:21:39,456 --> 00:21:41,248
Now we have a Meterpreter shell here

278
00:21:42,016 --> 00:21:43,296
And if we say help

279
00:21:44,320 --> 00:21:45,856
We can kind of look through here

280
00:21:46,368 --> 00:21:49,696
And we can actually start downloading or

281
00:21:50,208 --> 00:21:52,256
Giving files to a machine

282
00:21:52,768 --> 00:21:55,072
So here's a download option right there

283
00:21:56,352 --> 00:21:58,144
And we're going to go ahead and do that

284
00:21:58,656 --> 00:22:00,960
So we have download and we have upload

285
00:22:01,472 --> 00:22:03,264
So let's try this

286
00:22:07,360 --> 00:22:13,504
So we'll start with upload first. upload, let's just do our

287
00:22:13,760 --> 00:22:19,904
/var/www/html, and we're going to give it

288
00:22:20,672 --> 00:22:23,232
exploit.php

289
00:22:23,744 --> 00:22:25,280
Now we need a folder

290
00:22:26,048 --> 00:22:29,120
So when you enter a folder in here

291
00:22:29,632 --> 00:22:32,960
You're going to want to make sure to use two slashes for the syntax

292
00:22:33,472 --> 00:22:35,264
Or else it's not going to take

293
00:22:35,520 --> 00:22:39,616
So we could just try to jump into the C: folder; let's see if that works

294
00:22:47,296 --> 00:22:51,136
So, access denied; we might need to put it into the user folder

295
00:22:51,392 --> 00:22:53,440
Let's go ahead and verify what that user is

296
00:22:54,464 --> 00:22:58,560
So because we don't have root privileges, we can't actually put it into the C: folder here

297
00:23:01,376 --> 00:23:04,704
So we're just going to go with the IEUser, so let's try that

298
00:23:15,712 --> 00:23:19,552
Okay, and now we uploaded it; let's go double-check that that actually happened

299
00:23:21,344 --> 00:23:23,392
And there it is, exploit.php

300
00:23:25,184 --> 00:23:25,952
So

301
00:23:26,208 --> 00:23:31,840
In reverse, say we wanted to grab this file, exploit.php, and bring it to us

302
00:23:32,096 --> 00:23:38,240
We could say download C: slash slash

303
00:23:38,496 --> 00:23:40,288
Remember to do two

304
00:23:41,056 --> 00:23:44,896
And we're going to grab it from Users, IEUsers

305
00:23:45,664 --> 00:23:51,808
IEUser, I'm sorry, exploit.php, and then we can choose

306
00:23:52,064 --> 00:23:53,088
We're going to put it

307
00:23:53,600 --> 00:23:58,720
We'll just put it in the /var/www folder so we don't overwrite; let's try it

308
00:23:59,488 --> 00:24:02,816
Well, actually I've got exploit.php there as well

309
00:24:06,144 --> 00:24:12,288
And I messed up, did you catch that? So this won't work unless you have both of these, just

310
00:24:12,544 --> 00:24:13,312
Just like that

311
00:24:14,080 --> 00:24:15,104
There you go

312
00:24:15,360 --> 00:24:19,456
So now it should have moved it for us; let's go ahead and open this folder

313
00:24:19,712 --> 00:24:25,856
Go back one, and there is exploit.php, so we were successfully able to transfer those back

314
00:24:26,880 --> 00:24:28,672
So if we recap here

315
00:24:30,720 --> 00:24:36,864
We covered HTTP, which we could use if we have some sort of web interface

316
00:24:37,120 --> 00:24:43,264
So if we actually have, like, RDP or VNC into a machine and we want to just make it easy on ourselves

317
00:24:43,520 --> 00:24:45,824
So we can use HTTP

318
00:24:46,080 --> 00:24:50,944
We may not have a lot of opportunities like that, but it's nice if we're hosting a file and we just need to grab it

319
00:24:51,968 --> 00:24:54,016
Another method is wget

320
00:24:54,272 --> 00:24:59,136
And remember that that's common to Linux machines but not common to Windows machines

321
00:24:59,904 --> 00:25:06,048
So for Windows machines we're really going to need to use some sort of crafty method, either FTP

322
00:25:06,816 --> 00:25:10,144
Which is just common on most machines, Windows 7 and up

323
00:25:10,400 --> 00:25:14,240
Or TFTP, which is XP and 2003 Windows

324
00:25:15,008 --> 00:25:17,056
Or else we could try PowerShell

325
00:25:17,312 --> 00:25:18,080
With

326
00:25:18,592 --> 00:25:20,128
Either Windows 7 and up

327
00:25:20,384 --> 00:25:21,920
Or we can try Metasploit

328
00:25:22,176 --> 00:25:22,944
And

329
00:25:23,200 --> 00:25:29,344
Attempt to use that to transfer files, mainly with Windows machines; we could also use it if we're using a Meterpreter shell with Lin

330
00:25:29,600 --> 00:25:30,880
ux, which I didn't show you

331
00:25:31,392 --> 00:25:32,160
But

332
00:25:32,416 --> 00:25:36,000
You're mainly going to be concerned with transferring files on Linux machines

333
00:25:36,256 --> 00:25:41,120
So unless you're trying to pull something off of it, wget's going to be perfect on Linux

334
00:25:41,632 --> 00:25:47,776
And that's really it. So there's a bunch of other methods here, but we don't need to get into them because these are really the

335
00:25:48,032 --> 00:25:49,824
The most common ones you're going to use

336
00:25:50,080 --> 00:25:53,920
You'll see a couple more in the PWK OSCP course

337
00:25:54,176 --> 00:25:59,296
And they'll kind of teach you some more obscure ones that involve, you know, XP

338
00:25:59,552 --> 00:26:01,856
Or older versions of Linux

339
00:26:02,368 --> 00:26:05,952
So really you're not going to need those for real world examples here

340
00:26:06,208 --> 00:26:10,560
But do pay attention to those in the PWK course

341
00:26:10,816 --> 00:26:12,352
So that's it for this lesson

