TFTP

How to use goshs as a TFTP server

goshs can serve files over TFTP using the -tftp flag. By default -tftp (alias -tftp-server) starts a UDP TFTP server on port 69 — the standard TFTP port, so built-in clients such as Windows’ tftp.exe work without extra arguments.

TFTP is handy in CTF and pentest scenarios because it gives you a reliable file ingress/egress path next to HTTP/WebDAV/FTP/SFTP/SMB — for example when HTTP is filtered, or to pull a tool onto a Windows target with its built-in client.

Info

Port 69 is privileged, so binding the default port requires running goshs with the necessary privileges (e.g. sudo). Use -tftp-port to listen on an unprivileged port instead.

# Start TFTP server on the default port 69 (needs privileges)
sudo goshs -tftp

# Start on a custom, unprivileged port
goshs -tftp -tftp-port 6900

Reads (download from goshs) and writes (upload to goshs) are both supported. Writes land in the upload folder when one is configured, otherwise in the web root. Transfers are binary (octet) and the blksize/tsize options are negotiated for efficient larger transfers.

The TFTP server respects the same restrictions as the other servers: -ro (read-only) disables uploads, -uo (upload-only) disables downloads, the served directory is set with -d, and the IP whitelist (-ipw) is enforced. Path traversal outside the web root is rejected.

Download a file (RRQ)

# Linux client
tftp <your-ip> 6900 -c get loot.bin

# Windows built-in client (default port 69)
tftp -i <your-ip> GET loot.bin

# curl also speaks TFTP
curl tftp://<your-ip>:6900/loot.bin -o loot.bin

Upload a file (WRQ)

# Linux client
tftp <your-ip> 6900 -c put implant.bin

# Windows built-in client
tftp -i <your-ip> PUT implant.bin

# curl
curl -T implant.bin tftp://<your-ip>:6900/implant.bin