Preface to the article
Sometimes, during an intranet penetration test, we gain access to a cloud desktop and reach its operating interface. We then want to test the intranet further, but find that our tools cannot be uploaded to the cloud desktop: exe files are rejected, text files such as txt are accepted, and the cloud desktop is not connected to the Internet. In this case, we can consider using tools that come with the Windows system to bypass the file upload restriction.
Implementation
CertUtil
Windows systems after Windows 7 come with the CertUtil command, which can compute hashes such as MD5 and SHA1 and can Base64-encode and decode files. Note that Base64 is an encoding, not encryption. We can use CertUtil to Base64-encode the exe file we want to upload, transfer the resulting text file to the target host, and then use CertUtil there to restore it, which achieves the purpose of uploading the file. Try it below.
Step 1: Normal fscan execution is as follows
fscan64.exe -h
Step 2: Encoding using CertUtil
CertUtil -encode fscan64.exe fscan_base64.txt
Step 3: Then use CertUtil to decode and restore fscan64.exe
CertUtil -decode fscan_base64.txt fscan_base64.exe
Step 4: Execute the decoded fscan to confirm that it can be used normally.
Powershell
PowerShell can also be used for Base64 encoding and decoding. The idea is the same as above: use PowerShell to Base64-encode the exe program that we want to upload to the target cloud desktop and save it in txt format, upload the txt to the cloud desktop, and finally call the PowerShell that comes with the system on the cloud desktop to decode it and restore the exe program. The following is the specific implementation:
Step 1: Fscan execution results are as follows
Step 2: Use PowerShell to Base64-encode fscan64.exe and write the result to a txt text file
# .NET file APIs resolve relative paths against the process working directory, not the PowerShell location, so pass a full path
$PEBytes = [System.IO.File]::ReadAllBytes((Resolve-Path "fscan64.exe").Path)
$Base64Payload = [System.Convert]::ToBase64String($PEBytes)
Set-Content fscan_base64.txt -Value $Base64Payload
Step 3: Then use PowerShell to Base64-decode fscan_base64.txt and restore fscan64.exe from it
# -Raw returns the file as a single string rather than an array of lines
$Base64Bytes = Get-Content "fscan_base64.txt" -Raw
$PEBytes = [System.Convert]::FromBase64String($Base64Bytes)
[System.IO.File]::WriteAllBytes((Join-Path $PWD "fscan_base64.exe"), $PEBytes)
Step 4: Then execute the restored program to ensure that it can be used normally.
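Both methods work because the upload restriction looks only at the file type, while the txt file still carries the whole program. The following added example (not code from the original article) shows the content check an upload filter can apply instead: it flags text that Base64-decodes to a PE header, in either the CertUtil or the single-line PowerShell layout. The function names and sample uploads are constructed for illustration, and ASCII or UTF-8 text is assumed.

```python
import base64
import re
import struct

ARMOR = re.compile(rb"-----(?:BEGIN|END) [A-Z0-9 ]+-----")  # certutil -encode adds PEM-style armor
NOT_B64 = re.compile(rb"[^A-Za-z0-9+/=]")

def decoded_prefix(data: bytes, limit: int = 8192) -> bytes:
    """Strip armor and whitespace, then decode the leading Base64 (empty if not Base64)."""
    body = re.sub(rb"\s+", b"", ARMOR.sub(b"", data))[:limit]
    if NOT_B64.search(body):
        return b""
    body = body.rstrip(b"=")
    body = body[: len(body) - len(body) % 4]  # keep whole 4-character groups only
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return b""

def is_encoded_pe(data: bytes) -> bool:
    """True when the text decodes to an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    raw = decoded_prefix(data)
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    if e_lfanew + 4 > len(raw):
        return True  # MZ magic but PE header outside the decoded window: still flag
    return raw[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sample_stub() -> bytes:
    """Constructed 0x90-byte header stub (MZ, e_lfanew=0x80, PE signature); not a program."""
    stub = bytearray(0x90)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\0\0"
    return bytes(stub)

def certutil_style(raw: bytes) -> bytes:
    """Wrap Base64 in 64-column lines between CERTIFICATE armor, as certutil -encode does."""
    b64 = base64.b64encode(raw)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\r\n".join([b"-----BEGIN CERTIFICATE-----", *lines, b"-----END CERTIFICATE-----", b""])

if __name__ == "__main__":
    uploads = {  # constructed sample uploads
        "fscan_base64.txt": certutil_style(sample_stub()),
        "oneline.txt": base64.b64encode(sample_stub()) + b"\r\n",
        "notes.txt": b"Quarterly patch window moved to Friday.\r\n",
    }
    for name, content in uploads.items():
        print(f"{name}: {'BLOCK (Base64-encoded PE)' if is_encoded_pe(content) else 'allow'}")
```

On the endpoint, the same activity is visible in process command lines (CertUtil with -encode or -decode) and in PowerShell script block logging (FromBase64String followed by WriteAllBytes).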