Quick Hit: Base64 PowerShell Exfiltration

Okay, so you’ve landed in a constrained language PowerShell on a remote box, and the local application security policy is stopping you from using all the regular stuff (e.g. netcat, opening network connections, etc)… but you need to exfil a medium amount of binary data.  How would you do that?

The following isn’t perfect, but it’s the solution I used recently… feel free to share better solutions! 🙂

On the victim machine

First create a ZIP file to contain all of the content.  For this I’m assuming that you’re in a location where you can write to.

PS> Compress-Archive -Path .\* -DestinationPath .\FILENAME.ZIP

Now convert it to base64 and spit it into a file.  Note: I’m just doing this because sometimes data is lost, and I don’t want to redo things over and over again.  If you’d prefer you can just spit the content out directly.

PS> powershell -version 2 -command '$Content = Get-Content -Path .\FILENAME.ZIP -Encoding Byte; $Base64 = [System.Convert]::ToBase64String($Content); $Base64 | Out-File .\B64FILENAME'

Now type it out and copy it.

PS> type .\B64FILENAME

On your machine

First up, create a new file (B64FILENAME) and paste all of that base64 into it.

PS> $SOURCEFILE = "B64FILENAME"; [System.Convert]::FromBase64String((Get-Content $SOURCEFILE)) | Set-Content FILENAME.ZIP -Encoding Byte

Optionally, expand it in PowerShell as well

PS> Expand-Archive -Path .\FILENAME.ZIP


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: