PowerShell has this feature where it allows you to execute base64 encoded scripts or commands. Whether this is a good idea or not, I’ll leave that up to for you to decide. But it is a neat little party trick in CTF’s when you need to pass a payload crafted on Linux over to your Windows target. Being able to encode payloads as a base64 encoded string makes it easy to deliver over the network like for example HTTP. Let’s craft a base64 encoded payload to execute
$ echo -n "echo Hacked" | base64 -w 0
Executing this payload in Powershell will fail and yield the following error:
C:\>pwsh -EncodedCommand ZWNobyBIYWNrZWQ=
捥潨䠠捡敫�: The term '捥潨䠠捡敫�' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
PowerShell is built with dotnet, which means that strings should be Unicode encoded. Unicode in Windows-lingo means little-endian UTF-16. But when encoding the output of echo in Linux we basically have a UTF-8 encoded string. To fix this we can use iconv to convert to UTF-16LE:
$ echo -n "echo Hacked." | iconv -t UTF-16LE | base64 -w 0
It’s also possible to use python, if that’s what you prefer:
from base64 import b64encode
You should now be able to correctly get your payload executed in PowerShell
C:\>pwsh -EncodedCommand ZQBjAGgAbwAgAEgAYQBjAGsAZQBkAC4A